Document limitations with the Google OIDC connector and transitive group memberships #11422
It's not clear to me why this note should have the starting/ending point that it does. I think it would be clearer to break the "Configuring Google Workspace" H2 into H3-level sections.
The first could be a "Configure Google group permissions" (or similar) section that rephrases the six paragraphs after the "Configuring Google Workspace" heading into a set of instructions.
Then we can change each bullet point into an H3-level heading so this organization is clearer. For example, the "Create a new project" bullet would instead be a "### Create a new project" H3 heading, then the first line in that section would be a sentence saying, "Next, create a new project."
What do you think? I'm also happy to implement these suggestions as a PR against your branch if that's easier for you.
@@ -54,6 +54,22 @@ fetching just the groups with direct membership is also supported. The preferred | |||
behavior is selected depending on the OAuth scopes granted to the service | |||
account associated with the connector. | |||
|
|||
<Admonition type="note"> | |||
Because of an inherent limitation in Google APIs, fetching transitive groups | |||
requires view permissions on all transitive groups that users belong to; as |
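Review bot: The added note's "requires view permissions on all transitive groups" does not say which principal needs that permission. The context lines just above refer to "the service account associated with the connector", so the note should state explicitly that this is the account that must be able to view every group in the chain. It would also help to name the specific Google API whose limitation is meant instead of "Google APIs" in general, so an administrator can tell exactly which access to grant and later audit.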
requires view permissions on all transitive groups that users belong to; as | |
requires view permissions on all transitive groups that users belong to. As |
The initial part of "Configuring Google Workspace" is currently also acting as an implicit "choose which mode of operation you want" step; it would be better if we made it more explicit - especially if we also tied it into the "upgrade" instructions that are currently kind of awkwardly placed at the end of "Create an OIDC connector". Given my mediocre technical writing skills we'd probably be better off if you implemented those changes - feel free to just push to this PR rather than opening up a new one about it. My only goal was to have something documented about this weird behavior that we've discovered before more customers stumble upon it inadvertently, but from what I've seen, configuring the Google Workspace connector is still kind of a pain point, so we should probably document it better.
Looks good to me as long as Paul's comments are addressed.
dd92937 to c240fb4
- Organize the Google OIDC guide into steps. This required removing the header from the oidcauthentication.mdx partial.
- Use H3s for the "Configure Google Workspace" H2
- Add an explanation of the Workspace APIs
c240fb4 to c427742
Left some minor suggestions, but this works for me!
Co-authored-by: Paul Gottschling <[email protected]>
…oup memberships (#11422)
* Document limitations with Google OIDC
* Reorganize the Google OIDC API instructions
  - Organize the Google OIDC guide into steps. This required removing the header from the oidcauthentication.mdx partial.
  - Use H3s for the "Configure Google Workspace" H2
  - Add an explanation of the Workspace APIs
* Fix inaccuracies
* PR suggestions
Co-authored-by: Paul Gottschling <[email protected]>
Closes #10635, albeit unsatisfactorily.