# gooddata-cloud
c
Hi, I'm having an issue configuring OIDC using Google and `oauthSubjectIdClaim=email`. My goal is to use email address as the user identifier. When I set `"oauthSubjectIdClaim": "name"` and then set my user's `authenticationId` to be my Google profile name, everything works perfectly. However, when I set `"oauthSubjectIdClaim": "email"` and then set my user's `authenticationId` to be my Google email, I get 401 and the error `"Token does not contain email claim."`. Has anyone had success configuring Google as the IDP?
i
Hi Cian, Could you kindly double-check if the email claim is really provided in the ID token of your Google IdP?
b
Hi Cian, from this document in Google devs it seems that email needs to be explicitly added to the request scope in Google.
c
Yes, I came to the conclusion that this is the issue - the necessary scope is not passed. And I'm assuming there is no way to configure this?
b
I would assume that it's possible to configure it, but it needs to be done on google side... as to where and how, I am not really sure...
c
It's configured correctly on the Google side, I can get the email when I'm calling it myself. I think the problem is that when calling from GoodData only openid + profile scopes are passed, rather than all the standard scopes - openid + profile + email. I haven't been able to verify this on my side though.
b
I see what you mean & you are right. GoodData only requests openid & profile scope. I guess I can discuss with our developers the possibilities. But could you elaborate why it's required to have email as user ID? Usually the sub claim is sufficient (although it might not be as straightforward to extract it as user email). Another option would be to pass the email under one of the other attributes, but it might require some mapping mechanism.
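As an added illustration (not code from this thread, from GoodData or from Google), here is a small Python check that mirrors the diagnosis above: it reads which scopes an authorization request asks for and whether the returned ID token actually carries the claim configured as `oauthSubjectIdClaim`. The URLs and tokens are constructed samples; the token decoding skips signature verification and is for inspection only.

```python
import base64
import json
from urllib.parse import urlparse, parse_qs


class MissingClaimError(LookupError):
    """Raised when the configured subject claim is absent from the ID token."""


def requested_scopes(authorize_url):
    """Return the set of OIDC scopes named in an authorization request URL."""
    query = parse_qs(urlparse(authorize_url).query)
    return set(query.get("scope", [""])[0].split())


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token):
    """Decode the payload of an ID token WITHOUT verifying the signature.
    Inspection only: a real relying party must verify the signature first."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def resolve_subject(claims, subject_id_claim):
    """Pick the user identifier from the configured claim, as the 401 in the thread implies."""
    if subject_id_claim not in claims:
        raise MissingClaimError(f"Token does not contain {subject_id_claim} claim.")
    return claims[subject_id_claim]


def diagnose(authorize_url, id_token, subject_id_claim):
    """Report whether the subject claim resolves and, if not, whether the scope explains it."""
    scopes = requested_scopes(authorize_url)
    try:
        return {"ok": True, "subject": resolve_subject(id_token_claims(id_token), subject_id_claim)}
    except MissingClaimError as err:
        hint = "authorization request lacks the 'email' scope" if (
            subject_id_claim == "email" and "email" not in scopes) else None
        return {"ok": False, "error": str(err), "hint": hint}


def _fake_id_token(payload):
    # Constructed, unsigned token for the demo (empty signature segment).
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(payload)}."


# Constructed samples: a request with only openid+profile, and one that also asks for email.
OPENID_PROFILE_URL = "https://accounts.google.com/o/oauth2/v2/auth?client_id=x&response_type=code&scope=openid+profile"
WITH_EMAIL_URL = "https://accounts.google.com/o/oauth2/v2/auth?client_id=x&response_type=code&scope=openid+profile+email"
TOKEN_WITHOUT_EMAIL = _fake_id_token({"sub": "1234567890", "name": "Jane Example"})
TOKEN_WITH_EMAIL = _fake_id_token({"sub": "1234567890", "name": "Jane Example", "email": "jane@example.test"})
```

Running `diagnose(OPENID_PROFILE_URL, TOKEN_WITHOUT_EMAIL, "email")` reproduces the thread's error together with the missing-scope hint, while the same token resolves fine with `"name"`.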
c
I think this requirement is particular to using Google Workspace as the IDP for internal users, since the employee email is the simplest for us to map to users in gooddata to their google accounts. The sub claim as you mentioned isn't as easy to extract.
b
Hi Cian, currently there are no plans to implement this in the near future, but I've passed the feedback to our product team for consideration. But it might be possible to add custom claims in Google, which could theoretically be a solution for you. Described here: https://medium.com/google-cloud/adding-custom-roles-to-jwt-on-login-with-google-identity-platform-476cd15301d9