Potential security risk when providing external access to OAuth app needed for OIDC Gsuite backend

In the official documentation, it is stated that the OAuth app that needs to be created in the project hosting the GSuite project needs to allow external access.

Unless I am wrong, this will allow all users having a valid Gmail account to be able to log in to my vault instance (even with no permissions, assuming I set up my policies and group mappings correctly).

There is no justification provided for such a configuration. Why is that? Doesn’t this pose a security risk?

It might be better to file this as a Vault issue in GitHub, as either the documentation is wrong, or it is right but fails to explain why.

Thanks for bringing this to our attention!

The documentation was making the wrong recommendation in this case. We’ve tested that the internal user type works with the integration and updated the documentation in docs/oidc: change user type recommendation for Google workspace integration by austingebauer · Pull Request #18676 · hashicorp/vault · GitHub.

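Whichever user type the OAuth app has, the Vault side can still refuse consumer Google accounts on its own: Google puts an `hd` (hosted domain) claim in ID tokens issued for Workspace-hosted accounts and omits it for plain Gmail accounts, and a Vault OIDC role's `bound_claims` field rejects any token whose claims do not match. The script below is an added example, not Vault's code or HashiCorp's; it is a simplified stand-in for the audience and bound-claim checks an OIDC role performs (exact-match only, no glob mode, no signature verification), run over three constructed ID-token payloads. The domain `example.com`, the client ID, and the role name are assumptions.

```python
"""Added example: a stand-in for the checks a Vault OIDC role does on a Google
ID token, to show why binding the `hd` claim keeps consumer Gmail accounts out
regardless of the OAuth app's user type. Not HashiCorp's code; signature
verification against Google's JWKS is deliberately left out."""
import base64
import json

# Hypothetical role settings mirroring the bound_audiences / bound_claims /
# user_claim fields of auth/oidc/role/<name>. Domain and client ID are assumed.
ROLE = {
    "bound_audiences": ["1234567890-abc.apps.googleusercontent.com"],
    "bound_claims": {"hd": "example.com"},
    "user_claim": "email",
}


def decode_payload(id_token: str) -> dict:
    """Decode the payload segment of a JWT. Signature is NOT checked here;
    Vault verifies it before any claim comparison."""
    payload_b64 = id_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def claims_allowed(claims: dict, role: dict) -> tuple[bool, str]:
    """Exact-match version of bound_audiences and bound_claims enforcement."""
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in role["bound_audiences"] for a in auds):
        return False, "aud not in bound_audiences"
    for name, expected in role["bound_claims"].items():
        if name not in claims:
            # Consumer Gmail accounts never carry `hd`, so they fail here.
            return False, f"claim {name!r} missing"
        if claims[name] != expected:
            return False, f"claim {name!r} is {claims[name]!r}, expected {expected!r}"
    if role["user_claim"] not in claims:
        return False, f"user_claim {role['user_claim']!r} missing"
    return True, "ok"


def make_token(payload: dict) -> str:
    """Build an unsigned JWT-shaped string for the constructed payloads."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(payload)}.unverified"


CLIENT_ID = "1234567890-abc.apps.googleusercontent.com"  # constructed

# Constructed sample payloads with the claim shape Google issues.
WORKSPACE_TOKEN = make_token({
    "iss": "https://accounts.google.com", "aud": CLIENT_ID, "sub": "1",
    "email": "alice@example.com", "email_verified": True, "hd": "example.com",
})
CONSUMER_TOKEN = make_token({  # personal Gmail account: no `hd` claim at all
    "iss": "https://accounts.google.com", "aud": CLIENT_ID, "sub": "2",
    "email": "bob@gmail.com", "email_verified": True,
})
OTHER_DOMAIN_TOKEN = make_token({  # a different Workspace tenant
    "iss": "https://accounts.google.com", "aud": CLIENT_ID, "sub": "3",
    "email": "carol@other.example", "email_verified": True, "hd": "other.example",
})


def evaluate(id_token: str) -> tuple[bool, str]:
    return claims_allowed(decode_payload(id_token), ROLE)


if __name__ == "__main__":
    for label, tok in [("workspace", WORKSPACE_TOKEN), ("consumer", CONSUMER_TOKEN),
                       ("other-domain", OTHER_DOMAIN_TOKEN)]:
        print(label, evaluate(tok))
```

Only the Workspace-hosted token passes; the consumer token fails because `hd` is absent and the foreign-tenant token fails on value mismatch. On a real Vault role the equivalent setting is the `bound_claims` field of `auth/oidc/role/<name>` with `hd` set to your Workspace domain, which complements, rather than replaces, setting the OAuth app to the internal user type and the policy and group mappings already mentioned in the question.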