From c8e16f87884c2c50b99b13e97f5faee039fd0579 Mon Sep 17 00:00:00 2001 From: Manatsawin Hanmongkolchai Date: Mon, 28 Dec 2020 14:20:50 +0700 Subject: [PATCH 1/2] google: Document for service account-less access Signed-off-by: Manatsawin Hanmongkolchai --- content/docs/connectors/google.md | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/content/docs/connectors/google.md b/content/docs/connectors/google.md index 3ffe56c..daaa7f2 100644 --- a/content/docs/connectors/google.md +++ b/content/docs/connectors/google.md 
@@ -54,10 +54,31 @@ connectors: ``` ## Fetching groups from Google -To allow Dex to fetch group information from Google, you will need to configure a service account for Dex to use. -This account needs Domain-Wide Delegation and permission to access the `https://www.googleapis.com/auth/admin.directory.group.readonly` API scope. +To allow Dex to fetch group information from Google, you must configure a method to retrieve group information -To get group fetching set up: +### Accessing group information from the user directly +This method is only available to Google Workspace Enterprise Standard, Enterprise Plus, Enterprise for Education, and Cloud Identity Premium accounts + +You'll need the `https://www.googleapis.com/auth/cloud-identity.groups.readonly` scope: + +```yaml +connectors: +- type: google + id: google + name: Google + config: + # ... + scopes: + # These are default and required + - profile + - email + - https://www.googleapis.com/auth/cloud-identity.groups.readonly +``` + +The project that owns the OAuth client ID must also have [Cloud Identity API](https://console.developers.google.com/apis/library/cloudidentity.googleapis.com) enabled. Also, [non-Google Groups](https://cloud.google.com/identity/docs/groups#group_types) will not show up in groups. + +### Using domain-wide delegation and a service account +This method requires setting up domain-wide delegation to a Google service account. 1. Follow the [instructions](https://developers.google.com/admin-sdk/directory/v1/guides/delegation) to set up a service account with Domain-Wide Delegation - During service account creation, a JSON key file will be created that contains authentication information for the service account. This needs storing in a location accessible by Dex and you will set the `serviceAccountFilePath` to point at it. From 8c0c55084a6d2ccfdcb9426a07c32c2277f2358f Mon Sep 17 00:00:00 2001 
From: Manatsawin Hanmongkolchai Date: Tue, 29 Dec 2020 14:30:16 +0700 Subject: [PATCH 2/2] Apply suggestions from code review Co-authored-by: Nate W. <4453979+nate-double-u@users.noreply.github.com> Signed-off-by: Manatsawin Hanmongkolchai --- content/docs/connectors/google.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/docs/connectors/google.md b/content/docs/connectors/google.md index daaa7f2..08040b7 100644 --- a/content/docs/connectors/google.md +++ b/content/docs/connectors/google.md @@ -54,12 +54,12 @@ connectors: ``` ## Fetching groups from Google -To allow Dex to fetch group information from Google, you must configure a method to retrieve group information +To allow Dex to fetch group information from Google, you must configure a method to retrieve group information. ### Accessing group information from the user directly -This method is only available to Google Workspace Enterprise Standard, Enterprise Plus, Enterprise for Education, and Cloud Identity Premium accounts +This method is only available to Google Workspace Enterprise Standard, Enterprise Plus, Enterprise for Education, and Cloud Identity Premium accounts. -You'll need the `https://www.googleapis.com/auth/cloud-identity.groups.readonly` scope: +To access group information from the user directly, use the `https://www.googleapis.com/auth/cloud-identity.groups.readonly` scope: ```yaml connectors:
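Review bot: The first hunk (PATCH 1/2, `@@ -54,10 +54,31 @@`) introduces two alternative group-fetching methods but never tells the reader how Dex chooses between them when both the `https://www.googleapis.com/auth/cloud-identity.groups.readonly` scope and `serviceAccountFilePath` are configured, or that the direct method needs no `serviceAccountFilePath` at all; a sentence under "### Accessing group information from the user directly" stating which keys to omit, and one under "### Using domain-wide delegation and a service account" noting that it takes precedence (or not), would close that gap. It would also help to spell out the trade-off the section heading implies: the direct method reads groups with the signed-in user's own token and avoids storing a domain-wide-delegated JSON key on the Dex host, while the service-account method depends on that long-lived, highly privileged credential being kept in a location accessible only to Dex. Finally, the added lines "you must configure a method to retrieve group information" and "... and Cloud Identity Premium accounts" are missing terminal periods.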
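Review bot: The second hunk (PATCH 2/2, `@@ -54,12 +54,12 @@`) only applies review suggestions to text introduced by PATCH 1/2 (adding the two missing periods and rewording "You'll need the ... scope:" to "To access group information from the user directly, use the ... scope:"); it should be squashed into the first commit before merge so the history does not carry an intermediate revision of the same three lines. The reworded lead-in also repeats the section heading almost verbatim; something like "Add the following scope to the connector configuration:" would read less redundantly above the YAML block that follows.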