Comments (15)
Would you be able to test a pre-release version, if available?
from openvpn-auth-oauth2.
Of course!
A pre-build is available here: https://github.com/jkroepke/openvpn-auth-oauth2/actions/runs/7855575505/artifacts/1235566712
And a documentation here: https://github.com/jkroepke/openvpn-auth-oauth2/blob/google/docs/Providers.md#restrict-auth-to-specific-google-groups-in-your-domain-optional
Please let me know if it works for you.
The Google app gives me a "Some requested scopes were invalid. {valid=[openid, https://www.googleapis.com/auth/userinfo.profile], invalid=[offline_access]}".
Edit:
Working around this by setting: CONFIG_OAUTH2_SCOPES=openid,https://www.googleapis.com/auth/userinfo.profile
The new error in the logs: user validation: missing claim: groups
Did you set the provider to google?
CONFIG_OAUTH2_PROVIDER=google
This should also fix the scope error.
Whoops,
[...]
# CONFIG_OAUTH2_PROVIDER=google
CONFIG_OAUTH2_ISSUER=https://accounts.google.com
[...]
Now the OpenVPN server does not start anymore. Error in your component: error creating oauth2 provider: error getting JWT config: error reading credentials: invalid character '/' looking for beginning of value
I set CONFIG_PROVIDER_GOOGLE_SERVICE__ACCOUNT__CONFIG=/etc/sysconfig/serviceaccount.json, disregarding your file:// syntax. What is the correct value?
CONFIG_PROVIDER_GOOGLE_SERVICE__ACCOUNT__CONFIG=file:///etc/sysconfig/serviceaccount.json
or as inline value:
CONFIG_PROVIDER_GOOGLE_SERVICE__ACCOUNT__CONFIG={ ... }
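As an added illustration (not the project's own code) of the two accepted forms above, and of why a bare path produced the JSON decoder error earlier in the thread: a small Go loader that takes either a file:// URI or the inline JSON document. The type and function names are hypothetical, and the sample key in the test is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// ServiceAccountConfig is the subset of a Google service-account key we inspect
// (hypothetical type, constructed for this example).
type ServiceAccountConfig struct {
	Type        string `json:"type"`
	ClientEmail string `json:"client_email"`
}

// RawDecodeError returns json.Unmarshal's message for a value; a bare path such
// as /etc/sysconfig/serviceaccount.json yields the thread's "invalid character '/'" error.
func RawDecodeError(value string) string {
	var cfg ServiceAccountConfig
	if err := json.Unmarshal([]byte(value), &cfg); err != nil {
		return err.Error()
	}
	return ""
}

// LoadServiceAccountConfig accepts a file:///path URI or the inline JSON document
// and rejects a bare path with a hint instead of the confusing decoder error.
func LoadServiceAccountConfig(value string) (*ServiceAccountConfig, error) {
	value = strings.TrimSpace(value)
	var raw []byte
	switch {
	case strings.HasPrefix(value, "file://"):
		path := strings.TrimPrefix(value, "file://") // file:///etc/x.json -> /etc/x.json
		b, err := os.ReadFile(path)
		if err != nil {
			return nil, fmt.Errorf("reading service account key %q: %w", path, err)
		}
		raw = b
	case strings.HasPrefix(value, "{"):
		raw = []byte(value)
	default:
		return nil, fmt.Errorf("%q is neither a file:// URI nor inline JSON (a bare path needs file://)", value)
	}
	var cfg ServiceAccountConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("parsing service account key: %w", err)
	}
	return &cfg, nil
}
```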
Works like a charm! Thanks a lot for implementing this so quickly. Really love to see that you took the latest approach, as opposed to e.g. OAuth2-Proxy / Dex, where the admin email is required. This SA Groups Reader role is much better.
Quick questions/remarks:
- Point 7 of the docs can be slightly clearer in that only one of those two bullets is required, not both.
- Do you support Application Default Credentials? If yes, I will test it. Since you refer to the docs of OAuth2 Proxy: there is still a bug in that component related to ADC (fixed, but not yet released | oauth2-proxy/oauth2-proxy#2282).
This SA Groups Reader role is much better.
I just followed this guide https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account, where it says to assign a role to the service account, while I couldn't find anything about the admin mail.
Do you support Application Default Credentials?
Based on https://pkg.go.dev/golang.org/x/oauth2/google#FindDefaultCredentialsWithParams, yes.
FindDefaultCredentialsWithParams searches for "Application Default Credentials".
It looks for credentials in the following places, preferring the first location found:
- A JSON file whose path is specified by the GOOGLE_APPLICATION_CREDENTIALS environment variable. For workload identity federation, refer to https://cloud.google.com/iam/docs/how-to#using-workload-identity-federation on how to generate the JSON configuration file for on-prem/non-Google cloud platforms.
- A JSON file in a location known to the gcloud command-line tool. On Windows, this is %APPDATA%/gcloud/application_default_credentials.json. On other systems, $HOME/.config/gcloud/application_default_credentials.json.
- On Google App Engine standard first generation runtimes (<= Go 1.9) it uses the appengine.AccessToken function.
- On Google Compute Engine, Google App Engine standard second generation runtimes (>= Go 1.11), and Google App Engine flexible environment, it fetches credentials from the metadata server.
Seems like the implementation here is affected, too.
A new pre-build is available here: https://github.com/jkroepke/openvpn-auth-oauth2/actions/runs/7862373383/artifacts/1236556018
And I slightly changed the documentation to cover the things you mentioned: google/docs/Providers.md#restrict-auth-to-specific-google-groups-in-your-domain-optional
Since I don't have much experience with Google Workspace, I would much appreciate a documentation review.
I will do a docs review, no problem.
What to look for in this new build? ADC or just test the normal group functionality again?
- ADC, including the mentioned fix (check docs for config)
- if ADC works, normal group functionality again
Error in your component:
error creating oauth2 provider: error getting JWT config: CredentialsTokenSource error: impersonate: a target service account must be provided
Is there an environment variable I can use?
CONFIG_PROVIDER_GOOGLE_IMPERSONATE__ACCOUNT
-> testing again
Works! Please see #159
Thanks for your cooperation!