Allow selection of limited service account DwD scopes #1671
Jay,
I'm looking at this. gam can already do some of what you want.
gam user ***@***.*** ***@***.***> update serviceaccount
Ross
----
Ross Scroggs
***@***.***
… On Jan 2, 2024, at 10:27 AM, Jay Lee ***@***.***> wrote:
Today GAM expects users to authorize all scopes it uses for Domain-wide delegation (DwD). This is less than ideal if an admin wants to limit GAM's permissions to only certain scopes and API calls.
While admins can selectively add/remove scopes on the DwD page in the admin console which GAM links to, GAM still tries to use all the scopes it knows about for a given Google API when requesting a DwD access token which will fail if the admin removed scopes.
Possible solution:
On check serviceaccount GAM should write scopes that PASS to its config file. Something like passing_dwd_scopes.
On DwD API call, GAM should:
get list of scopes the API endpoint uses. Note that this list can be problematic. In some cases, only one of the given scopes is required, in others more than one is required to enable all functionality of the API call. (Classroom API is like this). Also note some APIs like Chat (at least at one point) may not list scopes per API endpoint. In this case we'd need to fall back on the full list of scopes supported by the API itself (e.g. the scopes for Gmail API instead of the scopes listed for Gmail API's delegates.create endpoint)
get list of scopes that have PASSed check serviceaccount stored in some config setting like passing_dwd_scopes.
Only use scopes in both of these lists. If the resulting diff is empty (no scopes shared between both lists) then fall back to default scopes for the given API endpoint.
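One way the scope selection proposed above could be implemented, as an added example that is not GAM's own code: the scope tables and the check serviceaccount results are constructed sample data, the function names are assumptions, and the empty-intersection fallback mirrors today's behaviour of requesting every scope known for the API.

```python
"""Added example (not GAM's own code): pick the Domain-wide delegation scopes to
request for one API call, following the proposal in the thread. The scope tables
below are constructed sample data, not GAM's real scope tables."""
from typing import Dict, List, Set

# Constructed: scopes each API endpoint accepts (a hypothetical subset).
ENDPOINT_SCOPES: Dict[str, Dict[str, List[str]]] = {
    "directory": {
        "chromeosdevices.list": [
            "https://www.googleapis.com/auth/admin.directory.device.chromeos",
            "https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly",
        ],
        "chromeosdevices.update": [
            "https://www.googleapis.com/auth/admin.directory.device.chromeos",
        ],
    },
    # Constructed: no per-endpoint scope list is published for Chat.
    "chat": {},
}
# Constructed: the full scope list of each API, used when an endpoint has no entry.
API_SCOPES: Dict[str, List[str]] = {
    "directory": [
        "https://www.googleapis.com/auth/admin.directory.device.chromeos",
        "https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly",
    ],
    "chat": [
        "https://www.googleapis.com/auth/chat.spaces",
        "https://www.googleapis.com/auth/chat.spaces.readonly",
    ],
}


def passing_scopes_from_check(results: Dict[str, bool]) -> Set[str]:
    """Model of 'check serviceaccount' output: keep only the scopes that PASSed.
    The returned set is what would be stored as passing_dwd_scopes."""
    return {scope for scope, passed in results.items() if passed}


def select_dwd_scopes(api: str, endpoint: str, passing: Set[str]) -> List[str]:
    """Scopes to put in the DwD access-token request for this endpoint."""
    # Per-endpoint list when known, otherwise the API-wide list (the Chat case).
    candidates = ENDPOINT_SCOPES.get(api, {}).get(endpoint) or API_SCOPES[api]
    # Request only scopes that both the endpoint accepts and the admin granted.
    chosen = [scope for scope in candidates if scope in passing]
    # Empty intersection: fall back to today's behaviour of requesting every
    # known scope, which fails at token time if the admin removed them.
    return chosen if chosen else list(candidates)
```

Note that the intersection can still be insufficient for endpoints that need more than one scope at once (the Classroom case the thread mentions), so the per-endpoint table would need to carry required scope sets, not just accepted ones.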
Ross, suppose I wanted a GAM install that can list devices read-only but nothing else. I don't think we support using a scope like:
today?
Maybe we need to move