Empty groups pulled from Google IdP; Kubernetes direct from docker image; in memory #4245

Smuger · 2025-07-30T11:47:21Z

Smuger
Jul 30, 2025

Hi Everyone,

Problem:

time=2025-07-30T11:06:47.319Z level=INFO msg="login successful" connector_id=google username="John Smith" preferred_username="" email=john.smith@example.com groups=[] request_id=osdam31p-38f5-4984-9b71-po450wakoew0

For some reason the groups=[] is empty and the Google group assigned to the user is ignored. Everyone with a domain matching the config can login and

I followed this tutorial: https://dexidp.io/docs/connectors/google/ but also checked how argocd is doing this since I'm trying to achieve something very similar: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/google/ . https://docs.skyscrapers.eu/kubernetes/authentication/#google this tutorial is good too

Dex container logs

time=2025-07-30T11:38:37.600Z level=INFO msg="Version info" dex_version=v2.43.1 go.version=go1.24.3 go.os=linux go.arch=amd64
time=2025-07-30T11:38:37.600Z level=INFO msg="config using log level" level=DEBUG
time=2025-07-30T11:38:37.600Z level=INFO msg="config issuer" issuer=https://app.example.com/dex
time=2025-07-30T11:38:37.600Z level=INFO msg="config storage" storage_type=memory
time=2025-07-30T11:38:37.600Z level=INFO msg="config static client" client_name=app
time=2025-07-30T11:38:37.600Z level=INFO msg="config connector" connector_id=google
time=2025-07-30T11:38:37.600Z level=INFO msg="config skipping approval screen"
time=2025-07-30T11:38:37.600Z level=INFO msg="config refresh tokens rotation" enabled=true
time=2025-07-30T11:38:37.698Z level=INFO msg="keys expired, rotating"
time=2025-07-30T11:38:37.793Z level=INFO msg="keys rotated" next_rotation=2025-07-30T17:38:37.793Z
time=2025-07-30T11:38:37.793Z level=INFO msg="listening on" server=http address=0.0.0.0:5556

Google setup

OAuth 2.0 Client (with correct /dex/callback authorized URIs)
GCP Service Account with
- only the scope: https://www.googleapis.com/auth/admin.directory.group.readonly
- Domain-Wide Delegation assigned
- admin.googleapis.com api enabled
- john.smith@example.com has Groups Reader role assigned

I can also see that the service account is not called as its metrics report no activity

Kubernetes setup:

In a Kubernetes cluster I have:
OAuth2-proxy -> Dex -> Google IdP

For some technical reasons I prefer to not install it as a helm chart

apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Values.service.name }}-dex
  namespace: {{ .Values.namespace }}
spec:
  replicas: 1
  revisionHistoryLimit: 1
  selector:
    matchLabels:
      app: {{ .Values.service.name }}-dex
  template:
    metadata:
      labels:
        app: {{ .Values.service.name }}-dex
    spec:
      containers:
        - name: dex
          image: "ghcr.io/dexidp/dex:v2.43.1"
          imagePullPolicy: IfNotPresent
          args:
            - dex
            - serve
            - /etc/dex/cfg/config.yaml
          env:
            - name: GOOGLE_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.service.name }}-dex-google-client-id
                  key: value
            - name: GOOGLE_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.service.name }}-dex-google-client-secret
                  key: value
            - name: OAUTH2_PROXY_CLIENT_SECRET
              value: "TEMP_KEY" # This is just temporary 
          ports:
            - name: http
              containerPort: 5556
              protocol: TCP
            - name: grpc
              containerPort: 5557
              protocol: TCP
          volumeMounts:
            - name: dex-config
              mountPath: /etc/dex/cfg
              readOnly: true
            - name: dex-service-account
              mountPath: /etc/dex/service-account
              readOnly: true
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 200m
              memory: 256Mi
      volumes:
        - name: dex-config
          configMap:
            name: {{ .Values.service.name }}-dex-config
        - name: dex-service-account
          secret:
            secretName: {{ .Values.service.name }}-dex-google-service-account-key
            items:
              - key: value
                path: secret.json
---
apiVersion: v1
kind: Service
metadata:
  name: {{ .Values.service.name }}-dex
  namespace: {{ .Values.namespace }}
spec:
  ports:
    - name: http
      port: 5556
      targetPort: 5556
      protocol: TCP
    - name: grpc
      port: 5557
      targetPort: 5557
      protocol: TCP
  selector:
    app: {{ .Values.service.name }}-dex
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ .Values.service.name }}-dex-config
  namespace: {{ .Values.namespace }}
data:
  config.yaml: |
    issuer: https://{{ .Values.service.name }}.{{ .Values.global.domain }}/dex
    
    storage:
      type: memory
    
    web:
      http: 0.0.0.0:5556

    logger:
      level: debug
      format: text
    
    connectors:
    - type: google
      id: google
      name: Google
      config:
        clientID: $GOOGLE_CLIENT_ID
        clientSecret: $GOOGLE_CLIENT_SECRET
        fetchTransitiveGroupMembership: True
        claimMapping:
          - groups: https://www.googleapis.com/auth/admin.directory.group.readonly
        redirectURI: https://{{ .Values.service.name }}.{{ .Values.global.domain }}/dex/callback
        hostedDomains:
          - example.com
        serviceAccountFilePath: /etc/dex/service-account/secret.json
        domainToAdminEmail:
          example.com: john.smith@example.com
        groups:
          - security@example.com
        scopes:
          - openid
          - email
          - profile
          - https://www.googleapis.com/auth/admin.directory.group.readonly

    oauth2:
      skipApprovalScreen: true
    
    staticClients:
    - id: {{ .Values.service.name }}
      redirectURIs:
      - 'https://{{ .Values.service.name }}.{{ .Values.global.domain }}/oauth2/callback'
      name: '{{ .Values.service.name | title }}'
      secret: TEMP_KEY # This is just temporary

thanks!

Smuger · 2025-07-30T13:43:26Z

Smuger
Jul 30, 2025
Author

Problem fixed. My Oauth2-proxy config was missing groups

so I changed:

- --scope=openid profile email

to

- --scope=openid profile email groups

now it works!

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Empty groups pulled from Google IdP; Kubernetes direct from docker image; in memory #4245

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Empty groups pulled from Google IdP; Kubernetes direct from docker image; in memory #4245

Uh oh!

Uh oh!

Smuger Jul 30, 2025

Problem:

For some reason the groups=[] is empty and the Google group assigned to the user is ignored. Everyone with a domain matching the config can login and

Dex container logs

Google setup

Kubernetes setup:

Replies: 1 comment

Uh oh!

Smuger Jul 30, 2025 Author

Smuger
Jul 30, 2025

Smuger
Jul 30, 2025
Author