How to fetch Groups for G Suite Users?

Hi!

I’m currently testing out Auth0 with a G Suite Enterprise Connection against our testing G Suite domain. I’ve also added an SSO application with OpenID in one of our applications for testing the login itself.

While the Enterprise Connection itself works, I’ve been unable to set it up so that a user’s groups are included in OpenID data.

From previous topics in this community, it appears that some kind of Google Admin scopes need to be set for the Google Consent Screen page, but it’s unclear exactly which scopes these are:

At most, it just says “the Google Admin scopes have to be added on the consent screen stage” without going into any further detail exactly which scopes these are.

Just like the person in the above second link I’ve tested with the following two scopes enabled in Google’s console, but without any changes in the OpenID response:

  • https://www.googleapis.com/auth/admin.reports.audit.readonly
  • https://www.googleapis.com/auth/admin.reports.usage.readonly

I’ve already enabled Groups as an Extended Attribute in the Auth0 Connection’s configuration page, so nothing more should have to be done from the Auth0 end.

Does anyone know which scopes need to be set so that Auth0 can fetch a user’s groups from G Suite?

Hey @BenjaminSimonsson, posting here as well for more visibility:

Series of steps which worked for me; please execute them in the order below:

G Suite Account:

  • Configure the G Suite account; I configured myself as the domain administrator for the G Suite account.
  • In the developer console, register the application to be used with the G Suite connection.
  • For Groups information, you will need to enable the Google Admin SDK API in the developer console for the application.

I think you are familiar with all the steps above.

Next on Auth0 Tenant:

  • Create a G Suite enterprise connection.
  • Enter the fields with the domain, client ID and secret obtained from Google’s developer console, select Groups from Extended attributes, and create the connection. Once the connection is created, there is a setup tab which will come up in the connection; have attached a screenshot for reference.
  • This is the important part: in the setup tab, if you are the domain administrator, click continue.
  • Once you click continue, it will take you to the domain administrator login page for the Google G Suite account.
  • Once you log in, it will ask for the view groups authorisation; have attached the screenshot. Once the domain admin allows it, authorisation will be successful.
  • Once the authorisation is successful, you can enable the G Suite login in your app, and should be able to see the groups property in the user profile after a new login attempt.
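
A check for the last step of the answer above, added here as an example; it is not part of the original posts and not Auth0's own code. Given exported user profiles, it reports whether `groups` is present and, if not, whether the user simply has not logged in since the domain admin completed the setup tab. The field names (`identities[].provider` set to `google-apps`, `last_login`, `groups` at the profile root), the sample profiles and the authorisation time are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

GSUITE_PROVIDER = "google-apps"  # assumed provider name for G Suite identities


def parse_ts(value):
    """Parse an ISO 8601 timestamp with a trailing 'Z' (UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def diagnose_groups(profile, admin_authorised_at):
    """Return a status string for one user profile dict."""
    providers = {i.get("provider") for i in profile.get("identities", [])}
    if GSUITE_PROVIDER not in providers:
        return "not-gsuite"            # groups cannot come from this connection
    groups = profile.get("groups")
    if isinstance(groups, list):
        # The attribute is being fetched; an empty list means no memberships.
        return "ok" if groups else "no-memberships"
    last_login = profile.get("last_login")
    if last_login is None or parse_ts(last_login) < admin_authorised_at:
        return "needs-new-login"       # profile predates the admin authorisation
    return "authorisation-missing"     # re-check Admin SDK API and setup-tab consent


# Constructed: when the domain admin completed the connection's setup tab.
AUTHORISED_AT = datetime(2024, 5, 2, 9, 0, tzinfo=timezone.utc)

# Constructed sample profiles, not real users.
SAMPLES = [
    {"email": "a@example.test", "last_login": "2024-05-01T10:00:00.000Z",
     "identities": [{"provider": "google-apps"}]},
    {"email": "b@example.test", "last_login": "2024-05-03T08:30:00.000Z",
     "identities": [{"provider": "google-apps"}],
     "groups": ["engineering", "vpn-users"]},
    {"email": "c@example.test", "last_login": "2024-05-03T11:15:00.000Z",
     "identities": [{"provider": "google-apps"}]},
    {"email": "d@example.test", "last_login": "2024-05-03T12:00:00.000Z",
     "identities": [{"provider": "auth0"}]},
]


def report(profiles, authorised_at=AUTHORISED_AT):
    """Map each profile's email to its diagnosis."""
    return {p["email"]: diagnose_groups(p, authorised_at) for p in profiles}


if __name__ == "__main__":
    for email, status in report(SAMPLES).items():
        print(f"{email}: {status}")
```
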
