
Allow selection of limited service account DwD scopes #1671

Open
jay0lee opened this issue Jan 2, 2024 · 5 comments
jay0lee (Member) commented Jan 2, 2024

Today GAM expects users to authorize all scopes it uses for Domain-wide delegation (DwD). This is less than ideal if an admin wants to limit GAM's permissions to only certain scopes and API calls.

While admins can selectively add/remove scopes on the DwD page in the admin console which GAM links to, GAM still tries to use all the scopes it knows about for a given Google API when requesting a DwD access token which will fail if the admin removed scopes.

Possible solution:

  1. On check serviceaccount GAM should write scopes that PASS to its config file. Something like passing_dwd_scopes.
  2. On DwD API call, GAM should:
  • get list of scopes the API endpoint uses. Note that this list can be problematic. In some cases, only one of the given scopes is required, in others more than one is required to enable all functionality of the API call. (Classroom API is like this). Also note some APIs like Chat (at least at one point) may not list scopes per API endpoint. In this case we'd need to fall back on the full list of scopes supported by the API itself (e.g. the scopes for Gmail API instead of the scopes listed for Gmail API's delegates.create endpoint)
  • get list of scopes that have PASSed check serviceaccount stored in some config setting like passing_dwd_scopes.
  • Only use scopes in both of these lists. If the resulting diff is empty (no scopes shared between both lists) then fall back to default scopes for the given API endpoint.
jay0lee self-assigned this Jan 2, 2024
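The selection logic proposed in the issue body, written out as an added example that is not GAM's own code: `select_dwd_scopes`, `load_passing_scopes`, the `API_SCOPES`/`ENDPOINT_SCOPES` tables and all scope strings other than the cloud-identity read-only one mentioned later in the thread are assumptions made for the illustration.

```python
# Hypothetical helper illustrating the scope-selection logic proposed in this
# issue. Not GAM's code; the data structures, names and sample scope lists
# below are assumptions made for the example.

READONLY = "https://www.googleapis.com/auth/cloud-identity.devices.readonly"
DEVICES = "https://www.googleapis.com/auth/cloud-identity.devices"   # constructed
CHAT_A = "https://www.googleapis.com/auth/example.chat.spaces"        # constructed
CHAT_B = "https://www.googleapis.com/auth/example.chat.messages"      # constructed

# All scopes known for an API: the fallback when an API publishes no
# per-endpoint scope list (the Chat case the issue mentions).
API_SCOPES = {
    "cloud-identity": [DEVICES, READONLY],
    "chat": [CHAT_A, CHAT_B],
}
# Scopes per endpoint; None (or a missing key) means no per-endpoint list.
ENDPOINT_SCOPES = {
    ("cloud-identity", "devices.list"): [DEVICES, READONLY],
    ("chat", "spaces.list"): None,
}


def load_passing_scopes(config_text):
    """Parse the proposed passing_dwd_scopes config setting (comma-separated)."""
    for line in config_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "passing_dwd_scopes":
            return [s.strip() for s in value.split(",") if s.strip()]
    return []


def select_dwd_scopes(api, endpoint, passing_scopes):
    """Return (scopes to request, reason) for a DwD access token.

    Start from the endpoint's scope list (or the whole API's list when none
    exists), keep only scopes that PASSed check serviceaccount, and fall
    back to the endpoint's default scopes when the two lists share nothing.
    """
    candidates = ENDPOINT_SCOPES.get((api, endpoint))
    if candidates is None:
        candidates = API_SCOPES[api]
    passing = set(passing_scopes)
    usable = [s for s in candidates if s in passing]   # keeps the known ordering
    if usable:
        return usable, "limited"
    return list(candidates), "default"


if __name__ == "__main__":
    cfg = "passing_dwd_scopes = " + READONLY
    print(select_dwd_scopes("cloud-identity", "devices.list", load_passing_scopes(cfg)))
    print(select_dwd_scopes("chat", "spaces.list", load_passing_scopes(cfg)))
```

With only the read-only scope recorded as passing, the devices call requests just that scope; a Chat call with nothing passing falls back to the full Chat list, which is exactly the case where the admin's restriction is not honoured and the token request will fail.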
taers232c (Contributor) commented Jan 2, 2024 via email

jay0lee (Member, author) commented Oct 3, 2024

Ross, suppose I wanted a GAM install that can list devices read-only but nothing else. I don't think we support using a scope like:

https://www.googleapis.com/auth/cloud-identity.devices.readonly

today?

jay0lee (Member, author) commented Oct 3, 2024

jay0lee (Member, author) commented Oct 3, 2024

Maybe we need to move check serviceaccount to something closer to create oauth where admin can pick which scopes they want? Today GAM claims it's a FAIL that it doesn't have access to specific DwD scopes but that's a perfectly valid scenario if the admin just wants to use some limited scopes and it's not good that they might authorize far more scopes than they really need.

taers232c (Contributor) commented:

update serviceaccount does this.
