Why
As Google is a bad organisation, they only provide the minimum needed to comply with OpenID Connect (email, username, family name, name).
But it lacks something that most other providers give: the groups the user belongs to.
That means that using OIDC with Google Workspace would give everyone on the domain VPN access.
Google can return the groups, but not as a standard claim: they have to be fetched by calling Google Cloud APIs,
either the Admin Directory API, with a service account that has full delegation on the domain, or the newer Cloud Identity API, which returns the list of groups.
Description
When Google Workspace is used and allowed_groups filtering is configured in headscale, dynamically add the proprietary scope that requests group membership.
Then, once the OIDC response arrives, take the JWT auth token and query the user's groups with the Cloud Identity API.
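The two steps above (query the user's groups with the token from the OIDC exchange, then enforce allowed_groups), as an added example in Go that is not headscale's code: it assumes the Cloud Identity `searchTransitiveGroups` endpoint with a `member_key_id` query, that the bearer token is the access token returned alongside the id_token, and that the API base URL is a parameter so a local test server can stand in for the real host.

```go
package main
import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
)
// QueryGroups lists every group (direct or nested) that email belongs to via Cloud Identity
// searchTransitiveGroups, sent with the OIDC bearer token; base is injectable for test servers.
func QueryGroups(c *http.Client, base, token, email string) ([]string, error) {
	u := base + "/v1/groups/-/memberships:searchTransitiveGroups?query=" +
		url.QueryEscape(fmt.Sprintf("member_key_id == '%s'", email))
	req, err := http.NewRequest(http.MethodGet, u, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := c.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // fail closed: unknown membership means no access
		return nil, fmt.Errorf("cloud identity: HTTP %d", resp.StatusCode)
	}
	var r struct { // decode only the fields the allowed_groups check needs
		Memberships []struct {
			GroupKey struct{ ID string `json:"id"` } `json:"groupKey"`
		} `json:"memberships"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&r); err != nil {
		return nil, err
	}
	var groups []string
	for _, m := range r.Memberships {
		groups = append(groups, m.GroupKey.ID)
	}
	return groups, nil
}
// Authorized is the allowed_groups rule: deny unless at least one group matches.
func Authorized(groups, allowed []string) bool {
	for _, a := range allowed {
		for _, g := range groups {
			if g == a {
				return true
			}
		}
	}
	return false
}
```

A non-200 answer from the API (expired token, missing scope) is treated as an error rather than as "no groups", so a misconfigured scope cannot silently turn into domain-wide access.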