Use groups_claim OIDC auth method with google

Hello,

I set up OIDC auth method with google for authorization using this repository guide. It worked and now users from my organization in GSuite can log into Vault using OIDC method.

Next I tried to set up groups_claim to use groups that are in the google organization for access management. I enabled access to Admin SDK API for vault project and tried to use https://www.googleapis.com/auth/admin.directory.group.member.readonly scope from here.

OIDC auth role currently has following settings
vault write /auth/oidc/role/reader user_claim="email" oidc_scopes="email,https://www.googleapis.com/auth/admin.directory.group.readonly" groups_claim="admin.directory.group.readonly" bound_audiences="$OAUTH_CLIENT_ID" allowed_redirect_uris="https://<vault_url>/ui/vault/auth/oidc/oidc/callback","http://localhost:8250/oidc/callback" policies=reader ttl=72h.

However when i tried to authorize with this settings i got group_claims not found error. I checked the request that vault is sending to google and it looks like this:
https://accounts.google.com/o/oauth2/v2/auth?client_id=<client_id>&nonce=<nonce>&redirect_uri=http%3A%2F%2Flocalhost%3A8250%2Foidc%2Fcallback&response_type=code&scope=openid+email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.group.readonly&state=<state>
I assume this is the authentication URL that google sends to Vault to use to get iframe for user authentication. I tried to execute this request and i get iframe but with invalid scopes error.
However when i change + signs to encoded spaces in url so it looks like this
https://accounts.google.com/o/oauth2/v2/auth?client_id=<client_id>&nonce=<nonce>&redirect_uri=http%3A%2F%2Flocalhost%3A8250%2Foidc%2Fcallback&response_type=code&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.group.readonly&state=<state>
I get a response without an error. This behavior looks similar to the one described in this issue on github https://github.com/openid/AppAuth-iOS/issues/288.

vault version Vault v1.3.0
vault status Vault v1.3.0

My questions are:
Am i setting up groups_claim for Google OIDC the right way?
If so - is there a workaround for the scopes issue? And if there is not - should I create an issue in the Vault’s github?

1 Like

Here is what i found:




Maybe someone will find it helpful.

Hi. There has been recent activity in order prep the plugin to cleanly pull in the GSuite and Azure AD groups PRs. I’d like to get them merged; the lack of GSuite groups has been a shortcoming for a while.

Regards,
Jim

1 Like