Allow the "google" connector to work without a service account #1720
I just noticed this is effectively the same as #1663.
LGTM. I'm happy with this. It does overlap with #1663 but since this is ready to go, I'm tempted to merge this in favour of that (normally the first person to tackle the issue I would give preference to)
@reasonerjt Are you happy for me to merge this over your PR? Seems to solve your issue
@JoelSpeed .. Any chance we can get this merged?
@reasonerjt Are you happy for me to merge this over your PR? Seems to solve your issue. If I do not get a response within a week, I'll merge this
@nadenf I'll give them another week to respond, then merge if I get no response
Just to throw another log on the fire, GKE now supports pod-level ambient credentials. This is a good fix to start with but long-term this should probably delegate creds loading behavior to the Google SDK.
A week has passed, merging this
If that's now a thing, then definitely. Is this GA and documented, do you know? I haven't seen it
The official docker release for this release can be pulled from dexidp/dex:v2.25.0

**Features:**
- Move the API package to a separate module (dexidp#1741, @sagikazarmark)
- OAuth2 Device Authorization Grant (dexidp#1706, @justin-slowik)
- Support username, email and groups claim in OIDC connector (dexidp#1634, @xtremerui)

**Bugfixes:**
- Add offline_access scope in microsoft connector, if required (dexidp#1441, @jimmythedog)
- Allow the google connector to work without a service account (dexidp#1720, @candlerb)

**Minor changes:**
- Remove vendor (finally) (dexidp#1745, @sagikazarmark)
- Fix the LDAP example (dexidp#1762, @heidemn-faro)
- Relocate the example app (dexidp#1764, @sagikazarmark)
Fixes #1718
The code did originally have a check for empty adminEmail and empty serviceAccountFilePath, but didn't check this when loading the config - so tried to open an empty filename.
With this fix, token refresh works when using the "google" connector instead of the "oidc" connector to talk to Google, even without a hosted domain.
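The failure mode described above, as an added Go example that is not dex's code or part of this PR: a loader that opens the service account file unconditionally, beside one that checks the optional pair first. The `Config` struct, function names and error value are hypothetical, and rejecting a half-set pair is an assumption of this sketch, not something the PR description states.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// Config holds the two optional settings named in the PR description.
// Hypothetical type for this example, not dex's own struct.
type Config struct {
	AdminEmail             string
	ServiceAccountFilePath string
}

// ErrPartialConfig is returned when only one of the pair is set (assumed policy).
var ErrPartialConfig = errors.New("adminEmail and serviceAccountFilePath must be set together")

// loadBefore models the reported bug: the path is opened without
// checking for emptiness, so a config with no service account fails to load.
func loadBefore(c Config) ([]byte, error) {
	return os.ReadFile(c.ServiceAccountFilePath)
}

// loadAfter validates the pair before touching the filesystem.
// Both empty: no service account, return (nil, nil) and carry on.
// Exactly one set: fail closed rather than guess the operator's intent.
func loadAfter(c Config) ([]byte, error) {
	switch {
	case c.AdminEmail == "" && c.ServiceAccountFilePath == "":
		return nil, nil
	case c.AdminEmail == "" || c.ServiceAccountFilePath == "":
		return nil, ErrPartialConfig
	}
	creds, err := os.ReadFile(c.ServiceAccountFilePath)
	if err != nil {
		return nil, fmt.Errorf("reading service account file: %w", err)
	}
	return creds, nil
}

func main() {
	_, err := loadBefore(Config{})
	fmt.Println("before, empty config:", err)
	creds, err := loadAfter(Config{})
	fmt.Println("after, empty config:", creds == nil, err)
	_, err = loadAfter(Config{AdminEmail: "admin@example.com"}) // constructed value
	fmt.Println("after, partial config:", err)
}
```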