Comments (45)

Pionerd avatar Pionerd commented on June 26, 2024 1
[image attachment]

from openvpn-auth-oauth2.

jkroepke avatar jkroepke commented on June 26, 2024

Which OIDC claim contains [email protected]?

Pionerd avatar Pionerd commented on June 26, 2024

I'm not sure what would be the best way to determine that, but in the browser I see this URL passing by:

https://<vpn_domain>:9000/oauth2/callback?state=<base64_code>&code=<another_random_string>&scope=email%20profile%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/userinfo.profile%20openid%20https://www.googleapis.com/auth/cloud-identity.groups.readonly&authuser=0&hd=<CompanyB>.com&prompt=consent

jkroepke avatar jkroepke commented on June 26, 2024

I will add some debug log lines for that.

jkroepke avatar jkroepke commented on June 26, 2024

Try https://github.com/jkroepke/openvpn-auth-oauth2/releases/tag/v1.19.3 in debug mode and search for claims

jkroepke avatar jkroepke commented on June 26, 2024

I expect that this bug hits Grafana, too.

jkroepke avatar jkroepke commented on June 26, 2024

I checked multiple docs and the major issue here is that the Cloud Identity API works with a "Member Key", while this information does not seem to be available via OIDC. Instead of a "Member Key", which is based on [email protected], I only get the ID of the Google Account (a numeric value).

Pionerd avatar Pionerd commented on June 26, 2024

Would the "old" way of doing things (using a Service Account) have the same issue?

jkroepke avatar jkroepke commented on June 26, 2024

No clue, but the Admin API works with the ID of a Google Identity instead of a Member Key (mail), and the ID was present in the claims, too.

jkroepke avatar jkroepke commented on June 26, 2024

Could you please test the following steps?

  1. Go to the Google Admin Portal and open the group that is required for openvpn-auth-oauth2.
  2. The URL should be in the format https://admin.google.com/ac/groups/<ID>. Copy the ID.
  3. Go to the Cloud Identity API: https://cloud.google.com/identity/docs/reference/rest/v1/groups.memberships/list
  4. On the left side, enter groups/<ID> as parent.
  5. Then run Try-Out and check if the API returns external users as well.

Also please let me know if the member key of the external user is present in the token claims. (Using 1.20, run in debug mode and grep for claim.)

If it works, I would adjust the docs to state that the group ID is mandatory. There is a high chance that it also works with externally synced groups.

Pionerd avatar Pionerd commented on June 26, 2024

I'm awaiting a response on the API test, but I can see the following claims; nothing seems related to the member keys.

claims="map[
at_hash: <redacted>
aud: <redacted>
azp: <redacted>
email: <redacted>
email_verified:true
exp: <redacted>
family_name:_
given_name:_
hd: <redacted>
iat: <redacted>
iss:https://accounts.google.com
name:__
nonce: <redacted>
picture: <redacted>
sub: <redacted>

Pionerd avatar Pionerd commented on June 26, 2024

What was the latest version of your app with the old method for group validation?

Pionerd avatar Pionerd commented on June 26, 2024

I can confirm the external users do show up in the API call

jkroepke avatar jkroepke commented on June 26, 2024

What was the latest version of your app with the old method for group validation?

1.17.x

I can confirm the external users do show up in the API call

If you want, you can also try an experimental build where oauth2.validate.groups requires the mentioned Group ID that you used in the API call.

Binary: https://github.com/jkroepke/openvpn-auth-oauth2/actions/runs/8538208957/artifacts/1380990698

CONFIG_OAUTH2_VALIDATE_GROUPS=03x8tuzt3hqdv5v

Pionerd avatar Pionerd commented on June 26, 2024
Apr 03 15:56:21 shared-hub-vpn-gateway openvpn-auth-oauth2[11001]: time=2024-04-03T15:56:21.407Z level=WARN msg="user validation: error from Google API https://cloudidentity.googleapis.com/v1/groups/<GROUP_ID>/memberships: http status code: 403; message: Error(4001): Permission denied for membership resource 'groups/<GROUP_ID>' (or it may not exist)." ip=<ip>:54599 cid=0 kid=1 session_id="" common_name="" idtoken.subject=<redacted> idtoken.email=<redacted>  idtoken.preferred_username="" user.subject=<redacted>  user.preferred_username="" error_id=<redacted> 

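The lookup that steps 2 to 5 above describe, and the 403 case from the log line above, as an added Go example; this is not code from openvpn-auth-oauth2 or from either commenter. It calls the Cloud Identity groups.memberships.list endpoint for groups/<ID> with a bearer token, collects each member's preferredMemberKey.id (the "member key", normally an email address), and compares the ID token's email claim against that list. The server it talks to is a constructed in-process stand-in that only reproduces the documented response shapes, so the block runs offline; the group id from this thread, the member addresses and the token value are constructed sample data, and the helper names (listMemberKeys, isMember, newFakeCloudIdentity) are this example's own.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// One page of groups.memberships.list; encoding/json matches the camelCase keys
// case-insensitively. preferredMemberKey.id is the "member key" the thread is after.
type listResponse struct {
	Memberships []struct{ PreferredMemberKey struct{ ID string } }
}

// ErrGroupNotAccessible marks a 403 on the parent group: the caller lacks permission
// or the id is wrong, and the API deliberately does not say which.
var ErrGroupNotAccessible = errors.New("group not accessible or does not exist")

// listMemberKeys calls GET {baseURL}/v1/groups/{groupID}/memberships with a bearer token
// and returns every member key. baseURL is a parameter only so the example can target
// the stand-in below; against Google it is https://cloudidentity.googleapis.com.
func listMemberKeys(client *http.Client, baseURL, groupID, token string) ([]string, error) {
	req, err := http.NewRequest(http.MethodGet, baseURL+"/v1/groups/"+groupID+"/memberships", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	if resp.StatusCode == http.StatusForbidden {
		// Google's error envelope {"error":{"code":403,"message":...}}; message is log-only.
		var ae struct{ Error struct{ Message string } }
		_ = json.Unmarshal(body, &ae)
		return nil, fmt.Errorf("%w: %s", ErrGroupNotAccessible, ae.Error.Message)
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected http status %d", resp.StatusCode)
	}
	var page listResponse
	if err := json.Unmarshal(body, &page); err != nil {
		return nil, err
	}
	var keys []string
	for _, m := range page.Memberships {
		keys = append(keys, m.PreferredMemberKey.ID)
	}
	return keys, nil
}

// isMember matches the ID token's email claim against the member keys, case-insensitively.
func isMember(keys []string, email string) bool {
	for _, k := range keys {
		if strings.EqualFold(k, email) {
			return true
		}
	}
	return false
}

// newFakeCloudIdentity is a constructed stand-in (documented response shapes only, not
// Google's behaviour): one group with an internal and an external member; any other
// group id gets the 403 envelope whose message the thread's log line shows.
func newFakeCloudIdentity() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		switch {
		case r.Header.Get("Authorization") != "Bearer test-token":
			w.WriteHeader(http.StatusUnauthorized)
		case r.URL.Path == "/v1/groups/03x8tuzt3hqdv5v/memberships":
			fmt.Fprint(w, `{"memberships":[{"preferredMemberKey":{"id":"alice@companyb.example"}},{"preferredMemberKey":{"id":"bob@external.example"}}]}`)
		default:
			group := strings.TrimSuffix(strings.TrimPrefix(r.URL.Path, "/v1/"), "/memberships")
			w.WriteHeader(http.StatusForbidden)
			fmt.Fprintf(w, `{"error":{"code":403,"message":"Error(4001): Permission denied for membership resource '%s' (or it may not exist).","status":"PERMISSION_DENIED"}}`, group)
		}
	}))
}

func main() {
	srv := newFakeCloudIdentity()
	defer srv.Close()
	keys, err := listMemberKeys(srv.Client(), srv.URL, "03x8tuzt3hqdv5v", "test-token")
	fmt.Println(keys, err, isMember(keys, "Bob@External.example"))
	_, err = listMemberKeys(srv.Client(), srv.URL, "wrong-id", "test-token")
	fmt.Println(errors.Is(err, ErrGroupNotAccessible), err)
}
```

Two things the example leaves out on purpose: the real list method paginates (pageSize and nextPageToken), so a production caller loops until nextPageToken is empty, and the 403 is surfaced as its own error value so a log or metric can tell "group id wrong or no permission on it" apart from a transport failure, which is the distinction the log line above does not make.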
jkroepke avatar jkroepke commented on June 26, 2024

Did you double check that you put the ID (and only the ID) of the group into CONFIG_OAUTH2_VALIDATE_GROUPS? It works at least with internal users on my personal Google Workspace.

Pionerd avatar Pionerd commented on June 26, 2024

jkroepke avatar jkroepke commented on June 26, 2024

What you can do here is grab the groups/<GROUP_ID> from the logs and put it into the parent field at https://cloud.google.com/identity/docs/reference/rest/v1/groups.memberships/list

jkroepke avatar jkroepke commented on June 26, 2024

Another take could be to validate whether it works with an internal user but not with an external user.

I expect that the OIDC scope is set, but maybe there is an overall restriction that external users are not allowed to look up group memberships.
