# getting-started
a
Hi all! Does anyone know if we can get google group info from Google OIDC? Currently I am having users sign in via google, so their profiles are ingested into DataHub one-by-one. But there’s no `groups` in the UI.
Here is the snippet that enables OIDC
```yaml
env:
  - name: AUTH_JAAS_ENABLED
    value: "false"
  - name: AUTH_OIDC_ENABLED
    value: "true"
  - name: AUTH_OIDC_CLIENT_ID
    valueFrom:
      secretKeyRef:
        name: oidc-secret
        key: id
  - name: AUTH_OIDC_CLIENT_SECRET
    valueFrom:
      secretKeyRef:
        name: oidc-secret
        key: secret
  - name: AUTH_OIDC_DISCOVERY_URI
    value: https://accounts.google.com/.well-known/openid-configuration
  - name: AUTH_OIDC_BASE_URL
    value: https://datahub-dev.xxx.net
  - name: AUTH_OIDC_SCOPE
    value: "openid email profile"
  - name: AUTH_OIDC_USER_NAME_CLAIM
    value: email
```
I was looking at the doc here https://datahubproject.io/docs/how/auth/sso/configure-oidc-react#user--group-provisioning-jit-provisioning. It seems that the defaults should have enabled ingesting groups?
Wondering if stating
```
AUTH_OIDC_JIT_PROVISIONING_ENABLED=true
AUTH_OIDC_PRE_PROVISIONING_REQUIRED=false
AUTH_OIDC_EXTRACT_GROUPS_ENABLED=true
AUTH_OIDC_GROUPS_CLAIM='groups'
```
explicitly would help or if it’s some other issue
b
Hi!!
Do you know the name of the claim that is used to carry group information for Google? Each IdP can have their own
r
could you get the jwt returned from google and put it in https://jwt.io/ to find the claim name
a
I can see the payload in the format described here: https://developers.google.com/identity/protocols/oauth2/openid-connect#an-id-tokens-payload, the only value not described in the doc is
```json
"google": {
    "gic": "some long string here"
  },
```
b
Hmmm. I'm not seeing anything about returning a groups claim
It's possible that google doesn't support it
a
That sucks. Is there a workaround to utilize the `groups` in DataHub? I don’t see anywhere to set up groups in the UI.
b
@agreeable-hamburger-38305 You can manage groups on DataHub also
You can create groups, add and remove members, etc
Simply check the "Users & Groups" Tab in the UI
a
Ah I see, was not logged in as the root user so it wasn't shown in the UI. Thanks!
@big-carpet-38439 Is there a way to change the name of a group once it’s been created?
b
Through the UI, no. But technically we could build that in, nothing is stopping us
a
I see. I have two other questions:
1. Let’s say I got the group claims to work. If the user is assigned to a different google group, would this be reflected in Datahub the next time he/she logs in? Or is the group information stored in Datahub at the first log in and not updated every time?
2. If the user belongs to multiple google groups, would all the groups be created in DataHub and contain that user?
b
1. As of today, only the first login updates state. That being said, we have this as an action item on the backlog.
2. If user belongs to multiple, each group will be created yes
l
@gifted-queen-61023