Google without groups seems broken after #2530 #2670

Closed
jonkerj opened this issue Sep 19, 2022 · 8 comments · Fixed by #2679


jonkerj commented Sep 19, 2022

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I am not looking for support or already pursued the available support channels without success.

Version

2.34.0

Storage Type

Kubernetes

Installation Type

Official Helm chart

Expected Behavior

I've upgraded dex from v2.33.0 to v2.34.0, and expected the Google connector to keep working.

Actual Behavior

Dex was crashlooping, complaining about adminEmail not being set. After setting adminEmail, there was something wrong with default application credentials.

Steps To Reproduce

  1. Install dex 2.34.0, configure Google according to the docs, without groups, serviceAccountFilePath or adminEmail

Additional Information

It is not really clear to me if this is an actual bug introduced by #2530, or a lack of documentation (which could have been part of #2530). The documentation suggests group/svc account is optional, but these errors suggest otherwise.

In other words: is using Google as a provider without group/svc account still supported?

Downgrading to v2.33.0 still works, so I am guessing it might be a bug.

Configuration

connectors:
- adminEmail: re@dact.ed
  config:
    clientID: $GOOGLE_CLIENT_ID
    clientSecret: $GOOGLE_CLIENT_SECRET
    redirectURI: https://re.dact.ed/callback
  hostedDomains:
  - hidden
  id: google
  name: Google
  type: google
issuer: https://dex.red.act.ed
staticClients:
- idEnv: CLIENT_OAUTH2_PROXY_ID
  name: OAuth2 Proxy
  redirectURIs:
  - https://foo.bar.red.act.ed/oauth2/callback
  secretEnv: CLIENT_OAUTH2_PROXY_SECRET
- idEnv: CLIENT_GRAFANA_ID
  name: Grafana
  redirectURIs:
  - https://grafana.red.act.ed/login/generic_oauth
  secretEnv: CLIENT_GRAFANA_SECRET
storage:
  config:
    inCluster: true
  type: kubernetes
web:
  http: 0.0.0.0:5556

Logs

time="2022-09-19T14:09:52Z" level=info msg="Dex Version: v2.34.0-dirty, Go Version: go1.19.1, Go OS/ARCH: linux amd64"
[..]
time="2022-09-19T14:09:52Z" level=info msg="config connector: google"
time="2022-09-19T14:09:52Z" level=info msg="config refresh tokens rotation enabled: true"
failed to initialize server: server: Failed to open connector google: failed to open connector: failed to create connector google: could not create directory service: directory service requires adminEmail

jonkerj commented Oct 4, 2022

@nabokihms and @sagikazarmark: I'm testing this with v2.35.1 (which contains both your fixes) and it still gives an error:

time="2022-10-04T12:49:43Z" level=info msg="Dex Version: v2.35.1-dirty, Go Version: go1.19.1, Go OS/ARCH: linux amd64"
[..]
time="2022-10-04T12:49:43Z" level=info msg="config connector: google"
time="2022-10-04T12:49:43Z" level=info msg="config refresh tokens rotation enabled: true"
time="2022-10-04T12:49:44Z" level=warning msg="the application default credential is used since the service account file path is not used"
failed to initialize server: server: Failed to open connector google: failed to open connector: failed to create connector google: could not create directory service: failed to fetch application default credentials: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.

sagikazarmark (Member) commented

I can't see anything related to admin email here.

How do you configure default creds? "could not find default credentials" suggests the SDK can't find them.


jonkerj commented Oct 6, 2022

> How do you configure default creds? "could not find default credentials" suggests the SDK can't find them.

I'm using the config mentioned in the original post. I have not done anything with default credentials, just following the docs.


jonkerj commented Oct 25, 2022

As I can't reopen this issue and it is not fixed for me, should I open a new one?


jonkerj commented Oct 25, 2022

After skimming through the commits, I noticed a few commits (cadce3c, 9bcce63, 6a59f08) that could be related. So I fired off a build, and it seems current master does not have this bug.


jonkerj commented Mar 22, 2023

This issue seems fixed with the release of v2.36.0.

sagikazarmark (Member) commented

It's partially fixed, but it's still broken when groups are required I believe.

susguzman commented

The version v2.36.0 worked for me!
