Comments (15)

jkroepke avatar jkroepke commented on May 26, 2024

Would you be able to test a pre-release version, if available?

from openvpn-auth-oauth2.

Pionerd avatar Pionerd commented on May 26, 2024

Of course!

jkroepke avatar jkroepke commented on May 26, 2024

@Pionerd

A pre-build is available here: https://github.com/jkroepke/openvpn-auth-oauth2/actions/runs/7855575505/artifacts/1235566712

And a documentation here: https://github.com/jkroepke/openvpn-auth-oauth2/blob/google/docs/Providers.md#restrict-auth-to-specific-google-groups-in-your-domain-optional

please let me know if it works for you.

Pionerd avatar Pionerd commented on May 26, 2024

The Google app gives me a "Some requested scopes were invalid. {valid=[openid, https://www.googleapis.com/auth/userinfo.profile], invalid=[offline_access]}".

Edit:
Working around this by setting: CONFIG_OAUTH2_SCOPES=openid,https://www.googleapis.com/auth/userinfo.profile

The new error in the logs: user validation: missing claim: groups

jkroepke avatar jkroepke commented on May 26, 2024

Did you set the provider to google?

CONFIG_OAUTH2_PROVIDER=google

this should also fix the scope error

Pionerd avatar Pionerd commented on May 26, 2024

Whoops,

[...]
# CONFIG_OAUTH2_PROVIDER=google
CONFIG_OAUTH2_ISSUER=https://accounts.google.com
[...]

Now the OpenVPN server does not start anymore. Error in your component: "error creating oauth2 provider: error getting JWT config: error reading credentials: invalid character '/' looking for beginning of value"

I set CONFIG_PROVIDER_GOOGLE_SERVICE__ACCOUNT__CONFIG=/etc/sysconfig/serviceaccount.json, disregarding your file:// syntax. What is the correct value?

jkroepke avatar jkroepke commented on May 26, 2024

CONFIG_PROVIDER_GOOGLE_SERVICE__ACCOUNT__CONFIG=file:///etc/sysconfig/serviceaccount.json

or as inline value:

CONFIG_PROVIDER_GOOGLE_SERVICE__ACCOUNT__CONFIG={ ... }

Pionerd avatar Pionerd commented on May 26, 2024

Works like a charm! Thanks a lot for implementing this so quickly. Really love to see that you took the latest approach, as opposed to e.g. OAuth2-Proxy / Dex, where the admin email is required. This SA Groups Reader role is much better.

Quick questions/remarks:

  1. Point 7 of the docs can be slightly clearer in that only one of those two bullets is required, not both.
  2. Do you support Application Default Credentials? If yes, I will test it. Since you refer to the docs of OAuth2 Proxy: there is still a bug in that component related to ADC (fixed, but not yet released | oauth2-proxy/oauth2-proxy#2282).

jkroepke avatar jkroepke commented on May 26, 2024

"This SA Groups Reader role is much better."

I just followed this guide https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account, where it says to assign a role to the service account, while I couldn't find anything about the admin mail.

"Do you support Application Default Credentials?"

Based on https://pkg.go.dev/golang.org/x/oauth2/google#FindDefaultCredentialsWithParams, yes.

FindDefaultCredentialsWithParams searches for "Application Default Credentials".

It looks for credentials in the following places, preferring the first location found:

  1. A JSON file whose path is specified by the GOOGLE_APPLICATION_CREDENTIALS environment variable. For workload identity federation, refer to https://cloud.google.com/iam/docs/how-to#using-workload-identity-federation on how to generate the JSON configuration file for on-prem/non-Google cloud platforms.
  2. A JSON file in a location known to the gcloud command-line tool. On Windows, this is %APPDATA%/gcloud/application_default_credentials.json. On other systems, $HOME/.config/gcloud/application_default_credentials.json.
  3. On Google App Engine standard first generation runtimes (<= Go 1.9) it uses the appengine.AccessToken function.
  4. On Google Compute Engine, Google App Engine standard second generation runtimes (>= Go 1.11), and Google App Engine flexible environment, it fetches credentials from the metadata server.

Seems like the implementation here is affected, too.

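As an added example (not the project's own code), the Go function below reproduces the two accepted shapes of CONFIG_PROVIDER_GOOGLE_SERVICE__ACCOUNT__CONFIG from the earlier comment (a file:// URL or inline JSON, which is why a bare path fails with "invalid character '/' looking for beginning of value") and, when the setting is empty, the first two ADC lookup steps quoted above from the Go docs. ResolveCredentials and readCreds are hypothetical names; steps 3 and 4 are only reported, never contacted.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// readCreds parses credentials JSON, wrapping errors like the thread's log line.
func readCreds(raw []byte) (map[string]any, error) {
	var creds map[string]any
	if err := json.Unmarshal(raw, &creds); err != nil {
		return nil, fmt.Errorf("error reading credentials: %w", err)
	}
	return creds, nil
}

// ResolveCredentials (hypothetical) returns the source name and parsed content.
// setting is the SERVICE__ACCOUNT__CONFIG value: a file:// URL or inline JSON.
// When empty it follows ADC steps 1 and 2 from the quoted Go docs; steps 3 and 4
// (App Engine, metadata server) are only reported, never contacted here.
func ResolveCredentials(setting string, getenv func(string) string) (string, map[string]any, error) {
	if strings.HasPrefix(setting, "file://") {
		raw, err := os.ReadFile(strings.TrimPrefix(setting, "file://"))
		if err != nil {
			return "file", nil, err
		}
		c, err := readCreds(raw)
		return "file", c, err
	}
	if setting != "" {
		// A bare path like /etc/sysconfig/serviceaccount.json lands here and
		// fails with: invalid character '/' looking for beginning of value
		c, err := readCreds([]byte(setting))
		return "inline", c, err
	}
	// ADC step 1: env var; step 2: gcloud's well-known file (non-Windows path).
	candidates := []struct{ name, path string }{
		{"GOOGLE_APPLICATION_CREDENTIALS", getenv("GOOGLE_APPLICATION_CREDENTIALS")},
		{"gcloud", filepath.Join(getenv("HOME"), ".config", "gcloud", "application_default_credentials.json")},
	}
	for _, c := range candidates {
		if raw, err := os.ReadFile(c.path); err == nil {
			creds, err := readCreds(raw)
			return c.name, creds, err
		}
	}
	return "metadata-server", nil, nil
}
```

The final fall-through is the step an operator should keep in mind: on a Compute Engine host with no explicit config, the credentials come from the VM's metadata server, i.e. whatever service account is attached to the instance.
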
jkroepke avatar jkroepke commented on May 26, 2024

@Pionerd

A new pre-build is available here: https://github.com/jkroepke/openvpn-auth-oauth2/actions/runs/7862373383/artifacts/1236556018

And I slightly changed the documentation to cover the things you mentioned: google/docs/Providers.md#restrict-auth-to-specific-google-groups-in-your-domain-optional

Since I don't have much experience in Google Workspace, I would much appreciate a documentation review.

Pionerd avatar Pionerd commented on May 26, 2024

I will do a docs review, no problem.

What to look for in this new build? ADC or just test the normal group functionality again?

jkroepke avatar jkroepke commented on May 26, 2024

  • ADC, including the mentioned fix (check docs for config)
  • if ADC works, normal group functionality again

Pionerd avatar Pionerd commented on May 26, 2024

Error in your component:
error creating oauth2 provider: error getting JWT config: CredentialsTokenSource error: impersonate: a target service account must be provided

Is there an environment variable I can use?
CONFIG_PROVIDER_GOOGLE_IMPERSONATE__ACCOUNT -> testing again

Pionerd avatar Pionerd commented on May 26, 2024

Works! Please see #159

jkroepke avatar jkroepke commented on May 26, 2024

Thanks for your cooperation!
