Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support token exchange in Google connector #3768

Open
2 tasks done
rorynickolls-skyral opened this issue Sep 27, 2024 · 2 comments
Open
2 tasks done

Support token exchange in Google connector #3768

rorynickolls-skyral opened this issue Sep 27, 2024 · 2 comments
Labels
help wanted release-note/new-feature Release note: Exciting New Features

Comments

@rorynickolls-skyral
Copy link

rorynickolls-skyral commented Sep 27, 2024

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

We are performing machine authentication by exchanging a Google access token (from an impersonated service account) for a dex-issued JWT, as in these docs.

The Google connector does not appear to support token exchange, but the OIDC connector configured with Google does.

The limitation of using the OIDC connector is that we cannot get group claims; it appears that the Google connector handles those as a special case.

Proposed Solution

Support token exchange in the Google connector. I think it should be possible given that token exchange is possible with Google via the OIDC connector, and would enable group claims when doing so.

Alternatives Considered

No response

Additional Information

It looks like this requires an implementation of TokenIdentityConnector in the Google connector.

@nabokihms nabokihms added help wanted release-note/new-feature Release note: Exciting New Features labels Oct 7, 2024
@rorynickolls-skyral
Copy link
Author

@nabokihms with my limited understanding of the Dex codebase and how its connectors are set up, does the proposed solution here sound reasonable to you as a maintainer?

@nabokihms
Copy link
Member

Yes, sounds fine to me. It should be similar to the oidc implementation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
help wanted release-note/new-feature Release note: Exciting New Features
Projects
None yet
Development

No branches or pull requests

2 participants