Comments (45)
(screenshot attached)
from openvpn-auth-oauth2.
Which OIDC claim contains [email protected]?
I'm not sure what would be the best way to determine that, but in the browser I see this URL passing by:
https://<vpn_domain>:9000/oauth2/callback?state=<base64_code>&code=<another_random_string>&scope=email%20profile%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/userinfo.profile%20openid%20https://www.googleapis.com/auth/cloud-identity.groups.readonly&authuser=0&hd=<CompanyB>.com&prompt=consent
I will add some debug log lines for that.
Try https://github.com/jkroepke/openvpn-auth-oauth2/releases/tag/v1.19.3 in debug mode and search for claims
I would expect that this bug hits Grafana, too.
I checked multiple docs, and the major issue here is that the Cloud Identity API works with a "Member Key", while this information seems not to be available via OIDC. Instead of a "Member Key", which is based on [email protected], I only get the ID of the Google Account (numeric value).
Would the "old" way of doing things (using a Service Account) have the same issue?
No clue, but the Admin API works with the ID of a Google Identity instead of a Member Key (mail), and the ID was present in the claim, too.
Could you please test the following steps?

- Go to the Admin Portal of Google and open the group that is required for openvpn-auth-oauth2.
- The URL should be in the format `https://admin.google.com/ac/groups/<ID>`. Copy the ID.
- Go to the Cloud Identity API: https://cloud.google.com/identity/docs/reference/rest/v1/groups.memberships/list
- On the left side, enter `groups/<ID>` as `parent`.
- Then run "Try-Out" and check if the API returns external API users as well.

Also, please let me know if the member key of the external user is present in the token claims. (Using 1.20, run in debug mode and grep for `claim`.)

In case it works, I would adjust the docs so that the ID of the group is mandatory. The chance is high that it is also working with external synced groups.
I'm awaiting a response on the API test, but I can see the following claims; nothing seems related to the member keys.

```
claims="map[
at_hash: <redacted>
aud: <redacted>
azp: <redacted>
email: <redacted>
email_verified:true
exp: <redacted>
family_name:_
given_name:_
hd: <redacted>
iat: <redacted>
iss:https://accounts.google.com
name:__
nonce: <redacted>
picture: <redacted>
sub: <redacted>
```
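The two comments above describe the core of the problem: the `groups.memberships.list` response identifies members by `preferredMemberKey.id` (an e-mail address), while the ID token shown only carries `sub` (a numeric account ID) and `email`. The following Go program is an added illustration, not code from openvpn-auth-oauth2, of how a client can reconcile the two and how it should treat the 403 seen later in the thread. The response and error shapes are assumed from the public Cloud Identity v1 reference; the JSON bodies, addresses and `sub` value are constructed sample data, and `groups/<GROUP_ID>` is a placeholder.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ErrTruncated is returned when a page had no match but more pages exist,
// so the caller knows "not found on this page" is not "not a member".
var ErrTruncated = errors.New("memberships list truncated: follow nextPageToken")

// Claims holds the ID-token fields relevant here: sub is the numeric Google
// account ID, email is the address the Cloud Identity API uses as member key.
type Claims struct {
	Sub   string `json:"sub"`
	Email string `json:"email"`
}

// membershipsResponse mirrors groups.memberships.list (assumed shape, taken
// from the public Cloud Identity v1 reference).
type membershipsResponse struct {
	Memberships []struct {
		Name               string `json:"name"`
		PreferredMemberKey struct {
			ID string `json:"id"`
		} `json:"preferredMemberKey"`
		Roles []struct {
			Name string `json:"name"`
		} `json:"roles"`
	} `json:"memberships"`
	NextPageToken string `json:"nextPageToken"`
}

// apiError is the standard Google API error envelope.
type apiError struct {
	Error struct {
		Code    int    `json:"code"`
		Message string `json:"message"`
		Status  string `json:"status"`
	} `json:"error"`
}

// SampleMembers is a constructed success page; the second entry is an
// external (other-domain) user, which the thread confirms the API lists.
const SampleMembers = `{
  "memberships": [
    {"name": "groups/<GROUP_ID>/memberships/1111", "preferredMemberKey": {"id": "alice@companya.example"}, "roles": [{"name": "OWNER"}, {"name": "MEMBER"}]},
    {"name": "groups/<GROUP_ID>/memberships/2222", "preferredMemberKey": {"id": "partner@companyb.example"}, "roles": [{"name": "MEMBER"}]}
  ]
}`

// SampleDenied is a constructed 403 body with the message shape from the log.
const SampleDenied = `{"error": {"code": 403, "message": "Error(4001): Permission denied for membership resource 'groups/<GROUP_ID>' (or it may not exist).", "status": "PERMISSION_DENIED"}}`

// CheckMembership decides whether the token holder appears in one page of the
// list response. It matches the email claim against preferredMemberKey.id,
// because the response carries no numeric account ID and sub cannot be used.
// A non-200 status is reported as an error distinct from "not a member", so a
// 403 caused by missing API permissions is never mistaken for a denied login.
func CheckMembership(status int, body []byte, c Claims) (bool, error) {
	if status != 200 {
		var e apiError
		if json.Unmarshal(body, &e) == nil && e.Error.Message != "" {
			return false, fmt.Errorf("cloud identity API: http %d: %s", status, e.Error.Message)
		}
		return false, fmt.Errorf("cloud identity API: http %d", status)
	}
	var resp membershipsResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return false, fmt.Errorf("decode memberships: %w", err)
	}
	for _, m := range resp.Memberships {
		// Google treats addresses case-insensitively, so compare the same way.
		if strings.EqualFold(m.PreferredMemberKey.ID, c.Email) {
			return true, nil
		}
	}
	if resp.NextPageToken != "" {
		return false, ErrTruncated
	}
	return false, nil
}

func main() {
	ext := Claims{Sub: "109876543210987654321", Email: "partner@companyb.example"}
	ok, err := CheckMembership(200, []byte(SampleMembers), ext)
	fmt.Println("external user is member:", ok, "err:", err)
	_, err = CheckMembership(403, []byte(SampleDenied), ext)
	fmt.Println("403 case:", err)
}
```

Keeping the API error separate from the boolean result matters for operations: a `403 Error(4001)` means the caller's credentials cannot read that group (or the ID is wrong), and the fix is on the Google side, whereas `false, nil` is a genuine non-member.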
What was the latest version of your app with the old method for group validation?
I can confirm the external users do show up in the API call
> What was the latest version of your app with the old method for group validation?

1.17.x

> I can confirm the external users do show up in the API call

If you want, you can also try an experimental build, where `oauth2.validate.groups` requires the mentioned Group ID that you used at the API call.

Binary: https://github.com/jkroepke/openvpn-auth-oauth2/actions/runs/8538208957/artifacts/1380990698

```
CONFIG_OAUTH2_VALIDATE_GROUPS=03x8tuzt3hqdv5v
```
Apr 03 15:56:21 shared-hub-vpn-gateway openvpn-auth-oauth2[11001]: time=2024-04-03T15:56:21.407Z level=WARN msg="user validation: error from Google API https://cloudidentity.googleapis.com/v1/groups/<GROUP_ID>/memberships: http status code: 403; message: Error(4001): Permission denied for membership resource 'groups/<GROUP_ID>' (or it may not exist)." ip=<ip>:54599 cid=0 kid=1 session_id="" common_name="" idtoken.subject=<redacted> idtoken.email=<redacted> idtoken.preferred_username="" user.subject=<redacted> user.preferred_username="" error_id=<redacted>
Did you double check that you put the ID (and only the ID) of the group into `CONFIG_OAUTH2_VALIDATE_GROUPS`? It works at least with internal users on my personal Google Workspace.
What you can do here is grab the `groups/<GROUP_ID>` from the logs and put it into the `parent` field at https://cloud.google.com/identity/docs/reference/rest/v1/groups.memberships/list
Another take could be to validate whether it works with an internal user but not with an external user.

I expect that the OIDC scope is set, but maybe there is an overall restriction that external users are not allowed to look up memberships of groups.