# all-things-deployment
m
Hi, I am trying to set up authentication & authorization with Google SSO. Authentication works almost fine, but authorization with groups does not work. Reason: I can't get group information from the Google scope "openid profile email"; there is no group in https://accounts.google.com/.well-known/openid-configuration. I can add new scopes like:
* https://www.googleapis.com/auth/admin.directory.group.member.readonly
* https://www.googleapis.com/auth/admin.directory.group.readonly
* https://www.googleapis.com/auth/admin.directory.user.readonly
Does DataHub support these scopes? If not, maybe you know how to add auto-provisioning of groups or set up SAML?
b
If you add a new scope, then it can be used as the group name with the environment variable AUTH_OIDC_GROUPS_CLAIM. So if you create a scope called mygroups, then use AUTH_OIDC_GROUPS_CLAIM=mygroups, also enabling AUTH_OIDC_EXTRACT_GROUPS_ENABLED=true.
m
Yes, this does not work. My config is below:
extraEnvs:
    - name: AUTH_OIDC_ENABLED
      value: "true"
    - name: AUTH_OIDC_CLIENT_ID
      value: "*.apps.googleusercontent.com"
    - name: AUTH_OIDC_CLIENT_SECRET
      valueFrom:
        secretKeyRef:
          name: datahub-oidc-secret
          key: client_secret
    - name: AUTH_OIDC_JIT_PROVISIONING_ENABLED
      value: 'true'
    - name: AUTH_OIDC_DISCOVERY_URI
      value: https://accounts.google.com/.well-known/openid-configuration
    - name: AUTH_OIDC_SCOPE
      value: "openid profile email https://www.googleapis.com/auth/admin.directory.group.readonly https://www.googleapis.com/auth/admin.directory.user.readonly https://www.googleapis.com/auth/admin.directory.group.member.readonly"
    - name: AUTH_OIDC_BASE_URL
      value: "https://data-test.*.xyz"
    - name: AUTH_OIDC_USER_NAME_CLAIM
      value: email
    - name: AUTH_OIDC_USER_NAME_CLAIM_REGEX
      value: ([^@]+)
    - name: AUTH_OIDC_EXTRACT_GROUPS_ENABLED
      value: "true"
    - name: AUTH_OIDC_GROUPS_CLAIM
      value: 'datacatalog.nonprod.admin'  # also tried 'groups' and 'datacatalog.nonprod.admin@company.com'
b
As far as I can find, Google doesn't support a group scope/claim. You can still create groups programmatically using DataHub APIs and assign users. The Google discovery URI doesn't include the referenced scopes or claims as supported. I suspect the links you have there are for OAuth2 and not OIDC.
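An offline check for the point made in the last reply, added here and not code from the thread or from DataHub: it parses an OIDC discovery document and reports which entries of an AUTH_OIDC_SCOPE string, and whether the AUTH_OIDC_GROUPS_CLAIM value, the provider actually advertises. The sample document is constructed, and the function names check_oidc_support and fetch_discovery are my own.

```python
import json
from urllib.request import urlopen

# Constructed sample in the shape of an OIDC discovery document. The live
# Google document is the AUTH_OIDC_DISCOVERY_URI used in the thread; run
# fetch_discovery() against it to check the real values.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://accounts.google.com",
    "scopes_supported": ["openid", "email", "profile"],
    "claims_supported": ["aud", "email", "email_verified", "exp", "family_name",
                         "given_name", "iat", "iss", "name", "picture", "sub"],
})


def check_oidc_support(discovery_json, scope_value, groups_claim):
    """Return (missing_scopes, claim_advertised) for a DataHub OIDC config.

    scope_value is the space-separated AUTH_OIDC_SCOPE string and groups_claim
    the AUTH_OIDC_GROUPS_CLAIM value. A scope or claim counts as supported only
    if the provider lists it in scopes_supported / claims_supported, so an
    OAuth2 API scope such as admin.directory.group.readonly shows up as missing.
    """
    doc = json.loads(discovery_json)
    advertised_scopes = set(doc.get("scopes_supported", []))
    advertised_claims = set(doc.get("claims_supported", []))
    missing = [s for s in scope_value.split() if s not in advertised_scopes]
    return missing, groups_claim in advertised_claims


def fetch_discovery(uri):
    """Fetch a live discovery document (needs network; not used offline)."""
    with urlopen(uri) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    scope = ("openid profile email "
             "https://www.googleapis.com/auth/admin.directory.group.readonly")
    missing, advertised = check_oidc_support(SAMPLE_DISCOVERY, scope, "groups")
    print("scopes not advertised by the provider:", missing)
    print("groups claim advertised:", advertised)
```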