I agree to follow the Code of Conduct that this project adheres to.
I have searched the issue tracker for an issue that matches the one I want to file, without success.
Problem Description
We are performing machine authentication by exchanging a Google access token (from an impersonated service account) for a dex-issued JWT, as in these docs.
The Google connector does not appear to support token exchange, but the OIDC connector configured with Google does.
The limitation of using the OIDC connector is that we cannot get group claims; it appears that the Google connector handles those as a special case.
Proposed Solution
Support token exchange in the Google connector. I think it should be possible given that token exchange is possible with Google via the OIDC connector, and would enable group claims when doing so.
Alternatives Considered
No response
Additional Information
It looks like this requires an implementation of TokenIdentityConnector in the Google connector.
@nabokihms with my limited understanding of the Dex codebase and how its connectors are set up, does the proposed solution here sound reasonable to you as a maintainer?