
Documentation: Missing OAuth2 scopes required for group validation (Google Workspace) #305

Closed · 1 task
dponkin opened this issue Aug 16, 2024 · 4 comments · Fixed by #306
Labels: ✨ enhancement (New feature or request)

dponkin commented Aug 16, 2024

Problem Statement

The documentation on group validation for the Google Workspace provider mentions enabling the Cloud Identity API, but omits that both the allowed and the requested scopes have to include https://www.googleapis.com/auth/cloud-identity.groups.readonly. Otherwise, the following error is observed:

user validation: error from Google API https://cloudidentity.googleapis.com/v1/groups/****/memberships: http status code: 403; message: Request had insufficient authentication scopes." ...

Proposed Solution

Update the docs here to include:

  1. Edit the OAuth2 consent screen to add a sensitive scope .../auth/cloud-identity.groups.readonly
  2. Add https://www.googleapis.com/auth/cloud-identity.groups.readonly to oauth2.scopes

Additional information

I'd also add that if users have already gone through the consent screen before the additional scopes were added, they have to remove the consent manually at https://account.google.com

Acceptance Criteria

  • Documentation updated to include the required scopes
@dponkin dponkin added the ✨ enhancement New feature or request label Aug 16, 2024
jkroepke (Owner) commented

Hm, strange. Normally, if group validation is enabled, openvpn-auth-oauth2 automatically sets
https://www.googleapis.com/auth/cloud-identity.groups.readonly.

```go
providerConfig.Scopes = append(providerConfig.Scopes, "https://www.googleapis.com/auth/cloud-identity.groups.readonly")
```

And the oauth2.scopes does not have any effect if provider=google is configured, because the scopes are hard-coded.

```go
providerConfig.Scopes = []string{types.ScopeEmail, types.ScopeProfile, types.ScopeOpenID}
```

jkroepke (Owner) commented

> I'd also add that if users have already gone through the consent screen before the additional scopes were added, they have to remove the consent manually at https://account.google.com

Could you please explain this to me?

dponkin (Author) commented Aug 16, 2024

Initially I went with this config.yaml:

```yaml
http:
  baseurl: "https://***/"
  listen: ":9000"
  secret: "***"

oauth2:
  provider: "google"
  issuer: "https://accounts.google.com"
  client:
    id: "***"
    secret: "***"
  scopes:
    - "openid"
    - "profile"
    - "email"
  validate:
    groups:
      - "***"
  refresh:
    enabled: true
    expires: "8h"
    secret: "***"
    validate-user: true
    use-session-id: true

openvpn:
  addr: "unix:///run/openvpn/server.sock"
  password: "***"
```

It results in an authentication error:

```text
Aug 16 12:22:34 *** openvpn-auth-oauth2[4689]: time=2024-08-16T12:22:34.577Z level=INFO msg="initialize authorization via oauth2" ip=*** cid=5 kid=1 common_name=""
Aug 16 12:22:39 *** openvpn-auth-oauth2[4689]: time=2024-08-16T12:22:39.663Z level=INFO msg="deny OpenVPN client cid 5, kid 1" ip=*** cid=5 kid=1 session_id=*** common_name="" idtoken.subject=*** idtoken.email=*** idtoken.preferred_username="" user.subject=*** user.preferred_username=""
Aug 16 12:22:39 *** openvpn-auth-oauth2[4689]: time=2024-08-16T12:22:39.664Z level=WARN msg="user validation: error from Google API https://cloudidentity.googleapis.com/v1/groups/***/memberships: http status code: 403; message: Request had insufficient authentication scopes." ip=*** cid=5 kid=1 session_id=*** common_name="" idtoken.subject=*** idtoken.email=*** idtoken.preferred_username="" user.subject=*** user.preferred_username="" error_id=***
Aug 16 12:22:43 *** openvpn-auth-oauth2[4689]: time=2024-08-16T12:22:43.403Z level=INFO msg="client disconnected" ip=: cid=5 common_name="" reason=DISCONNECT session_id="" session_state=""
```

I just replicated it. If I add the required scope, the error is gone and the authentication flow works as expected:

```yaml
http:
  baseurl: "https://***/"
  listen: ":9000"
  secret: "***"

oauth2:
  provider: "google"
  issuer: "https://accounts.google.com"
  client:
    id: "***"
    secret: "***"
  scopes:
    - "openid"
    - "profile"
    - "email"
    - "https://www.googleapis.com/auth/cloud-identity.groups.readonly"
  validate:
    groups:
      - "***"
  refresh:
    enabled: true
    expires: "8h"
    secret: "***"
    validate-user: true
    use-session-id: true

openvpn:
  addr: "unix:///run/openvpn/server.sock"
  password: "***"
```

> And the oauth2.scopes does not have any effect if provider=google is configured, because the scopes are hard-coded.

I just discovered that if I remove the oauth2.scopes section of the configuration, that resolves the issue as well. I suppose that's when the scopes are automatically populated, but I guess if scopes are defined in configuration, they seem to take precedence.

If that's all intended, maybe it's worth mentioning the default scopes in the providers section of the documentation 🙇‍♂️ With that all being said, I believe that there's still a missing step of enabling the auth/cloud-identity.groups.readonly scope in the consent screen configuration (on GCP side).

> Could you please explain this to me?

Please disregard that part, I made an incorrect assumption there 🙇‍♂️ When the issue was present, I had to manually remove the consent to trigger the consent screen again, but it's a non-issue when the scopes are configured properly.

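The three observations in this thread (explicit oauth2.scopes without the groups scope produces the 403, adding the scope fixes it, and omitting oauth2.scopes entirely also fixes it because the defaults then include the groups scope) can be captured in a small pre-deployment check. The following Go program is an added example and is not code from openvpn-auth-oauth2: the `Config` struct, `EffectiveScopes`, `MissingGroupScope` and `IsInsufficientScopeError` are hypothetical, the scope-resolution rule is modelled on the behaviour reported above rather than the project's real implementation, and the group name and log line are constructed inputs. It lets an operator catch the missing scope in config.yaml before any user hits the consent screen, and match the resulting WARN line if the check was skipped.

```go
package main

import (
	"fmt"
	"strings"
)

// Scope strings. The groups scope URL is the one named in the issue; the three
// short OIDC scopes match the oauth2.scopes entries in the posted config.yaml.
const (
	ScopeOpenID         = "openid"
	ScopeProfile        = "profile"
	ScopeEmail          = "email"
	ScopeGroupsReadonly = "https://www.googleapis.com/auth/cloud-identity.groups.readonly"
)

// Config is the subset of config.yaml discussed in the thread (hypothetical
// struct for this example, not the project's own types).
type Config struct {
	Provider       string   // oauth2.provider
	Scopes         []string // oauth2.scopes; nil means the section was omitted
	ValidateGroups []string // oauth2.validate.groups
}

// EffectiveScopes models the behaviour reported in the thread (an assumption,
// not the project's actual code): when oauth2.scopes is omitted, the Google
// provider uses email/profile/openid and appends the groups scope if groups are
// validated; when oauth2.scopes is set, the configured list is used as-is.
func EffectiveScopes(c Config) []string {
	if c.Scopes != nil {
		return append([]string(nil), c.Scopes...)
	}
	scopes := []string{ScopeEmail, ScopeProfile, ScopeOpenID}
	if c.Provider == "google" && len(c.ValidateGroups) > 0 {
		scopes = append(scopes, ScopeGroupsReadonly)
	}
	return scopes
}

// MissingGroupScope reports true when group validation is enabled for the
// Google provider but the effective scopes lack the Cloud Identity groups
// scope, i.e. the configuration that produced the 403 in the issue.
func MissingGroupScope(c Config) bool {
	if c.Provider != "google" || len(c.ValidateGroups) == 0 {
		return false
	}
	for _, s := range EffectiveScopes(c) {
		if s == ScopeGroupsReadonly {
			return false
		}
	}
	return true
}

// IsInsufficientScopeError matches the WARN line shape from the issue so the
// condition can be alerted on from logs.
func IsInsufficientScopeError(line string) bool {
	return strings.Contains(line, "http status code: 403") &&
		strings.Contains(line, "insufficient authentication scopes")
}

func main() {
	// Constructed inputs mirroring the three configurations discussed above.
	group := []string{"vpn-users@example.invalid"} // placeholder group, not a real one
	cases := map[string]Config{
		"explicit scopes, groups scope missing": {Provider: "google", Scopes: []string{ScopeOpenID, ScopeProfile, ScopeEmail}, ValidateGroups: group},
		"explicit scopes incl. groups scope":    {Provider: "google", Scopes: []string{ScopeOpenID, ScopeProfile, ScopeEmail, ScopeGroupsReadonly}, ValidateGroups: group},
		"oauth2.scopes omitted":                 {Provider: "google", ValidateGroups: group},
	}
	for name, c := range cases {
		fmt.Printf("%-40s missing groups scope: %v\n", name, MissingGroupScope(c))
	}

	// Constructed log line in the shape of the one posted in the issue.
	logLine := `level=WARN msg="user validation: error from Google API https://cloudidentity.googleapis.com/v1/groups/***/memberships: http status code: 403; message: Request had insufficient authentication scopes."`
	fmt.Println("log line indicates missing scope:", IsInsufficientScopeError(logLine))
}
```

Only the first case is flagged; the second and third pass, which matches the thread. Because `EffectiveScopes` returns the configured list unchanged, an explicit oauth2.scopes list is the one that needs the extra entry, exactly the point the documentation change in #306 makes.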
jkroepke (Owner) commented

> I believe that there's still a missing step of enabling the auth/cloud-identity.groups.readonly scope in the consent screen configuration (on GCP side).

Is it required? On my test workspace, I did not configure that.

(screenshot attached in the original comment)

#306 adds the info that https://www.googleapis.com/auth/cloud-identity.groups.readonly is required if groups are validated.
