Unable to retrieve Google Groups using GKE Workload Identity #3348

Open

jacek-jablonski opened this issue Feb 12, 2024 · 2 comments

Comments

@jacek-jablonski

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I am not looking for support or already pursued the available support channels without success.

Version

2.38.0

Storage Type

In-memory

Installation Type

Official Helm chart

Expected Behavior

Retrieving Google Groups using configured GKE Workload Identity.

Actual Behavior

Dex is unable to start with the error: failed to initialize server: server: Failed to open connector google: failed to open connector: failed to create connector google: could not create directory service: unable to parse client secret file to config: unexpected end of JSON input

Steps To Reproduce

No response

Additional Information

This fails because google.FindDefaultCredentials(...) (https://github.com/dexidp/dex/blob/master/connector/google/google.go#L363) executes successfully, but as the docs say: the JSON field may be nil when code is running on Google Cloud Platform (https://pkg.go.dev/golang.org/x/oauth2/google#Credentials). So an empty JSON field is passed further to google.JWTConfigFromJSON(...) (https://github.com/dexidp/dex/blob/master/connector/google/google.go#L374) and causes the failure.

Workload Identity is properly configured and verified by querying the metadata server from the dex pod.

Configuration

issuer: "https://dex.xxx/"

storage:
  type: memory

connectors:
  - type: google
    id: google
    name: Google
    config:
      clientID: $GOOGLE_OAUTH_CLIENT_ID
      clientSecret: $GOOGLE_OAUTH_CLIENT_SECRET
      redirectURI: https://dex.xxx/callback
      domainToAdminEmail: 
        xxx.com: bot@xxx.com
      scopes:
        - openid
        - email
        - https://www.googleapis.com/auth/admin.directory.group.readonly
      claimMapping:
        - groups: https://www.googleapis.com/auth/admin.directory.group.readonly
      fetchTransitiveGroupMembership: true

Logs

No response
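The mechanism described in the issue (ADC lookup succeeds on GKE, but the returned credentials carry no key-file JSON, so the key-file parser blows up on empty input) can be reproduced and guarded against with the standard library alone. The following is an added example written for this page; it is not dex's code and not the code from either linked PR. The `Credentials` struct is a local stand-in for the two relevant fields of `google.Credentials`, `jwtConfigFromJSON` stands in for `google.JWTConfigFromJSON`, and the service-account key content is a constructed fake, not a real key. The function names `naiveDirectoryAuth` and `guardedDirectoryAuth` are assumptions made up for the illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Credentials mirrors the two fields of golang.org/x/oauth2/google.Credentials
// that matter here. JSON holds the raw service-account key file when one was
// found (e.g. via GOOGLE_APPLICATION_CREDENTIALS) and is nil when the
// credentials come from the GCE/GKE metadata server, i.e. Workload Identity.
// This is a local stand-in type, not the real one.
type Credentials struct {
	ProjectID string
	JSON      []byte
}

// serviceAccountKey is the subset of a Google service-account key file that a
// domain-wide-delegation JWT config needs.
type serviceAccountKey struct {
	Type        string `json:"type"`
	ClientEmail string `json:"client_email"`
	PrivateKey  string `json:"private_key"`
}

// jwtConfigFromJSON stands in for google.JWTConfigFromJSON: it parses the key
// file and rejects anything that is not a usable service_account key. On empty
// input encoding/json returns "unexpected end of JSON input", which is exactly
// the tail of the error quoted in the report.
func jwtConfigFromJSON(raw []byte) (*serviceAccountKey, error) {
	var k serviceAccountKey
	if err := json.Unmarshal(raw, &k); err != nil {
		return nil, err
	}
	if k.Type != "service_account" || k.ClientEmail == "" || k.PrivateKey == "" {
		return nil, errors.New("not a service_account key")
	}
	return &k, nil
}

// AuthMode names how the Directory API client will authenticate.
type AuthMode string

const (
	ModeKeyFile  AuthMode = "service-account-key-with-delegation"
	ModeMetadata AuthMode = "workload-identity-token-source"
)

// naiveDirectoryAuth reproduces the failing logic from the report: it always
// feeds creds.JSON to the key-file parser, even when it is nil.
func naiveDirectoryAuth(creds *Credentials) (AuthMode, error) {
	if _, err := jwtConfigFromJSON(creds.JSON); err != nil {
		return "", fmt.Errorf("unable to parse client secret file to config: %w", err)
	}
	return ModeKeyFile, nil
}

// guardedDirectoryAuth checks the nil-JSON case first and routes it to the
// ambient token source (the workload's own identity) instead of the key-file
// path. A key file, when present, is still validated before use.
func guardedDirectoryAuth(creds *Credentials) (AuthMode, error) {
	if len(creds.JSON) == 0 {
		// On GCP with no key file: use the metadata-server-backed token source.
		return ModeMetadata, nil
	}
	if _, err := jwtConfigFromJSON(creds.JSON); err != nil {
		return "", fmt.Errorf("unable to parse client secret file to config: %w", err)
	}
	return ModeKeyFile, nil
}

func main() {
	// Constructed inputs: what FindDefaultCredentials hands back on GKE with
	// Workload Identity (JSON == nil), and a fake key file (not a real key).
	onGKE := &Credentials{ProjectID: "example-project", JSON: nil}
	keyFile := &Credentials{JSON: []byte(`{"type":"service_account","client_email":"bot@example.iam.gserviceaccount.com","private_key":"-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n"}`)}

	for _, c := range []*Credentials{onGKE, keyFile} {
		_, err := naiveDirectoryAuth(c)
		fmt.Println("naive:  ", err)
		mode, err := guardedDirectoryAuth(c)
		fmt.Println("guarded:", mode, err)
	}
}
```

The example only shows the branch selection. Whether the workload's own Google service account is actually authorized to read groups through the Admin SDK is a separate Workspace-side configuration and is not covered here.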

@jacek-jablonski (Author)

This PR adds what is needed to make the above configuration work: #3170

@irons

irons commented Mar 28, 2024

#2989 is another, somewhat simpler implementation of Workload Identity support, which has been open even longer than 3170.
