Hello,
I’ve set up a Z2JH installation on version 0.11.1, authenticating users with the GoogleOAuthenticator. However, we’d like to manage access based on membership in a Google group. The Google group is in our G Suite under the same domain name as our authenticator. I saw that this can be accomplished with this guide. I was wondering if it is possible to do the same using config.yaml (the Google authentication part is working as intended).
I’ve tried the following:

```yaml
hub:
  config:
    GoogleOAuthenticator:
      client_id: placeholder
      client_secret: placeholder
      oauth_callback_url: https://my_domain_name/hub/oauth_callback
      hosted_domain:
        - my_domain_name
      login_service: My Domain
      gsuite_administrator:
        my_domain_name: "my_username"
      google_service_account_keys:
        my_domain_name: '/path/to/service_account.json'
      allowed_google_groups:
        my_domain_name:
          - "google_group_name"
```

but it throws a 500 server error after logging in with Google.
Some project requirements:
- This file needs to live in a (private) GitHub repository, so we cannot have directly declared secret values (i.e. the service account credentials). Related: can the “/path/to/service_account.json” be replaced with the JSON record contained within the credential file?
- Ideally, we want to be able to push updates via GitHub Actions, so these secret values need to be able to be set from the command line (I’m not sure how that would work with hub.extraConfig). For example, we’re setting the authenticator credentials with

```shell
--set hub.config.GoogleOAuthenticator.client_id=${{ secrets.GOOGLE_AUTH_ID_SECRET_NAME }}
```

within a GitHub Action.
If this is possible, any help would be much appreciated! A somewhat related question - in the line

```python
c.GoogleOAuthenticator.gsuite_administrator = {'example.com': 'someuser'}
```

is that someuser the name of the service account or a real admin user?
Many thanks,
Erik
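The following is an added example, not code from Erik's post or from the Z2JH or OAuthenticator projects. It shows one way a CI step could meet the two requirements above: `client_id` and `client_secret` are passed to Helm with `--set` from CI secrets, exactly as the post already does, and the service account JSON is taken from a CI secret, stored in a Kubernetes Secret and mounted into the hub pod, so `google_service_account_keys` keeps receiving a file path like the `c.GoogleOAuthenticator` example in the guide. The environment variable names, the mount directory, the Secret name and the availability of `hub.extraVolumes` / `hub.extraVolumeMounts` in the chart version in use are assumptions; the rendered values fragment contains no secret material.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or the Z2JH project.
# Keeps GoogleOAuthenticator secrets out of a git-tracked config.yaml:
#   - client_id / client_secret come from CI env vars and reach helm via --set
#   - the service-account JSON comes from a CI env var, is stored in a Kubernetes
#     Secret and mounted into the hub pod, so google_service_account_keys still
#     points at a file path
# Assumed (hypothetical) names: GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, GOOGLE_SA_JSON,
# the mount dir and Secret name below, and a chart version that supports
# hub.extraVolumes / hub.extraVolumeMounts (check your chart's values schema).
set -eu

SA_MOUNT_DIR=/etc/jupyterhub/google-sa    # hypothetical path inside the hub pod
SA_SECRET_NAME=google-service-account     # hypothetical Kubernetes Secret name
SA_FILE_NAME=service_account.json

# Refuse to deploy with a missing secret, or with a key that is not a service
# account key (user credential files carry "type": "authorized_user" instead).
require() {  # require NAME VALUE
  [ -n "$2" ] || { echo "missing $1" >&2; return 1; }
}
check_inputs() {
  require GOOGLE_CLIENT_ID "${GOOGLE_CLIENT_ID:-}" &&
  require GOOGLE_CLIENT_SECRET "${GOOGLE_CLIENT_SECRET:-}" &&
  require GOOGLE_SA_JSON "${GOOGLE_SA_JSON:-}" &&
  printf '%s' "$GOOGLE_SA_JSON" | grep -q '"type" *: *"service_account"'
}

# Render the non-secret part of the authenticator config plus the Secret mount.
# Nothing here is sensitive, so the output can be inspected or committed.
render_values() {  # render_values DOMAIN ADMIN GROUP...
  local domain=$1 admin=$2 g
  shift 2
  cat <<EOF
hub:
  config:
    GoogleOAuthenticator:
      hosted_domain:
        - ${domain}
      login_service: Google
      gsuite_administrator:
        ${domain}: ${admin}
      google_service_account_keys:
        ${domain}: ${SA_MOUNT_DIR}/${SA_FILE_NAME}
      allowed_google_groups:
        ${domain}:
EOF
  for g in "$@"; do printf '          - %s\n' "$g"; done
  cat <<EOF
  extraVolumes:
    - name: google-sa
      secret:
        secretName: ${SA_SECRET_NAME}
  extraVolumeMounts:
    - name: google-sa
      mountPath: ${SA_MOUNT_DIR}
      readOnly: true
EOF
}

# Store the key in a Kubernetes Secret (create-or-update) and run the upgrade.
# Assumes kubectl/helm are configured and the jupyterhub helm repo is added.
deploy() {  # deploy RELEASE NAMESPACE DOMAIN ADMIN GROUP...
  local release=$1 namespace=$2 domain=$3 admin=$4 tmpdir
  shift 4
  check_inputs
  tmpdir=$(mktemp -d)
  trap 'rm -rf "$tmpdir"' EXIT
  umask 077  # key file is readable only by the CI user
  printf '%s' "$GOOGLE_SA_JSON" > "$tmpdir/$SA_FILE_NAME"
  kubectl create secret generic "$SA_SECRET_NAME" --namespace "$namespace" \
    --from-file="$SA_FILE_NAME=$tmpdir/$SA_FILE_NAME" --dry-run=client -o yaml |
    kubectl apply -f -
  render_values "$domain" "$admin" "$@" > "$tmpdir/google-auth.yaml"
  # The two real secrets travel only on the helm command line, as in the post.
  helm upgrade --install "$release" jupyterhub/jupyterhub --namespace "$namespace" \
    --version 0.11.1 -f config.yaml -f "$tmpdir/google-auth.yaml" \
    --set "hub.config.GoogleOAuthenticator.client_id=$GOOGLE_CLIENT_ID" \
    --set "hub.config.GoogleOAuthenticator.client_secret=$GOOGLE_CLIENT_SECRET"
}

# Runs only when invoked explicitly, e.g. from a GitHub Actions step:
#   ./deploy-google-auth.sh deploy jhub jhub example.com someuser google_group_name
if [ "${1:-}" = "deploy" ]; then shift; deploy "$@"; fi
```

Two practical points. Rendering the domain-keyed maps (`gsuite_administrator`, `google_service_account_keys`, `allowed_google_groups`) into a values file sidesteps a Helm quirk: if those keys were passed with `--set`, the dots in the domain would have to be escaped (`--set 'hub.config.GoogleOAuthenticator.gsuite_administrator.example\.com=someuser'`), since an unescaped dot is read as a path separator. And because the key never enters the repository or the rendered values, rotating it is just a matter of replacing the CI secret and re-running the step; `hub.extraConfig` is not needed for any of this.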