oidc: allow non-GSuite OIDC providers from Google (#5820)

You can follow
https://developers.google.com/identity/protocols/oauth2/openid-connect
to set up an OIDC provider in GCP, which is distinct from GSuite.

This provider uses the same issuer URL ("https://accounts.google.com")
as GSuite. Our code assumes that if that issuer URL is set, then it must
be GSuite, which is not correct. Only attempt to pull more data from the
GSuite API if `google_service_account_uri` or `google_service_account` is set.
Andrew Lytvynov 2021-04-16 22:23:40 +00:00 committed by GitHub
parent 4afa82d78c
commit e63710a949
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -812,9 +812,13 @@ func (a *Server) getClaims(oidcClient *oidc.Client, connector services.OIDCConne
return nil, trace.Wrap(err, "unable to merge OIDC claims")
}
// for GSuite users, fetch extra data from the proprietary google API
// only if scope includes admin groups readonly scope
if connector.GetIssuerURL() == teleport.GSuiteIssuerURL {
// For Google Workspace users, fetch extra data from the proprietary Google groups API.
//
// If google_service_account_uri and google_service_account are not set, we
// assume that this is a non-GWorkspace OIDC provider using the same
// issuer URL as Google Workspace (e.g.
// https://developers.google.com/identity/protocols/oauth2/openid-connect).
if connector.GetIssuerURL() == teleport.GSuiteIssuerURL && (connector.GetGoogleServiceAccountURI() != "" || connector.GetGoogleServiceAccount() != "") {
email, _, err := claims.StringClaim("email")
if err != nil {
return nil, trace.Wrap(err)
@ -838,8 +842,6 @@ func (a *Server) getClaims(oidcClient *oidc.Client, connector services.OIDCConne
// load the google service account from string
credentialLoadingMethod = "google_service_account"
jsonCredentials = []byte(connector.GetGoogleServiceAccount())
} else {
return nil, trace.NotFound("the google workspace connector requires google_service_account parameter with JSON-formatted credentials or google_service_account_uri parameter pointing to a valid google service account file with credentials to be specified, read this article for more details https://developers.google.com/admin-sdk/directory/v1/guides/delegation")
}
config, err := google.JWTConfigFromJSON(jsonCredentials, teleport.GSuiteGroupsScope)
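Review bot: Removing the `trace.NotFound` in the deleted `else` branch means a Google Workspace connector whose `google_service_account`/`google_service_account_uri` was simply forgotten no longer fails with a configuration error at login; it is now silently treated as a plain Google OIDC connector, so any `claims_to_roles` rule keyed on the `groups` claim stops matching with nothing in the logs explaining why. Consider an explicit `} else if connector.GetIssuerURL() == teleport.GSuiteIssuerURL { /* debug-log that Workspace group lookup is skipped because no service account is configured */ }` after the new condition so the degraded path is at least visible, using whatever logger this file already has. The new comment should also spell out the authorization consequence: without the Workspace lookup any Google account can complete the login flow, so access has to be constrained by `claims_to_roles` on Google's `hd` (hosted domain) or `email` claim rather than on groups — e.g. add `// In that case any Google account can authenticate; restrict access via claims_to_roles on the "hd" or "email" claim.` getClaims starts before and continues past both hunks, so how the returned claims are mapped to roles is not visible here and the above is inferred from the issuer check alone.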