Use service account credentials for fetching google hd groups (#18329)

The previous implementation would attempt to fetch groups using the end-user's Google auth token. This only worked for admin accounts, or users with 'delegated' access to the `admin.directory.group.readonly` API. This commit changes the approach to use a single 'service account' for fetching the groups. This removes the need to add permissions to all regular user accounts. I'll be updating the [meta docs](https://meta.discourse.org/t/226850) with instructions on setting up the service account. This is technically a breaking change in behavior, but the existing implementation was marked experimental, and is currently unusable in production google workspace environments.
2025-06-02 14:25:08 +08:00 · 2022-10-13 16:04:42 +01:00
parent 45f93ae75d
commit e0a6d12c55
10 changed files with 196 additions and 199 deletions
--- a/spec/models/associated_group_spec.rb
+++ b/spec/models/associated_group_spec.rb
@ -14,6 +14,8 @@ RSpec.describe AssociatedGroup do
    SiteSetting.enable_google_oauth2_logins = true
    SiteSetting.google_oauth2_hd = 'domain.com'
    SiteSetting.google_oauth2_hd_groups = false
+    SiteSetting.google_oauth2_hd_groups_service_account_admin_email = "test@example.com"
+    SiteSetting.google_oauth2_hd_groups_service_account_json = "{}"
    expect(described_class.has_provider?).to eq(false)

    SiteSetting.google_oauth2_hd_groups = true