Feature:
Support transitive group membership in Google Workspace.
Description:
This can be done by requesting the following scope during the Google Workspace integration:
https://www.googleapis.com/auth/cloud-identity.groups.readonly
Then call this API to get the transitive groups:
More details included in this guide: Querying group memberships | Cloud Identity | Google Cloud
Currently Auth0 only requests these scopes:
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
And then calls this API which only returns immediate groups:
Use-case:
For example, if User A is a member of Group A, and Group A is a member of Group B, the transitive groups of User A are Group A and Group B. Currently Auth0 only returns Group A.
Customers who integrate their Google Workspace get confused when they don't have access because a transitive group is missing. This forces them to register permissions on immediate groups, which increases the number of configurations. This is not a good experience and can hit scaling issues if the number of immediate groups is too large.
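The use-case above, as an added example that is not Auth0's or Google's code: it derives a member's transitive groups from immediate memberships with a bounded breadth-first walk (so a nesting cycle or very deep nesting cannot loop forever) and compares the authorization outcome with and without transitive expansion. The membership map, addresses and the lookup function are constructed stand-ins for what a directory lookup would return.

```python
from collections import deque

# Constructed sample data: immediate (direct) memberships, keyed by the
# member identity (a user or a group), valued by the groups that directly
# contain it. group-c -> group-a is a deliberate nesting cycle.
IMMEDIATE_GROUPS = {
    "user-a@example.com": ["group-a@example.com"],
    "group-a@example.com": ["group-b@example.com"],
    "group-b@example.com": ["group-c@example.com"],
    "group-c@example.com": ["group-a@example.com"],
    "user-b@example.com": ["group-b@example.com"],
}


def immediate_groups(member: str) -> list:
    """Hypothetical stand-in for a 'groups this member belongs to directly' lookup."""
    return list(IMMEDIATE_GROUPS.get(member, []))


def transitive_groups(member: str, max_depth: int = 32) -> set:
    """Return every group reachable through nested membership.

    Breadth-first over the group graph; a 'seen' set stops cycles and
    max_depth bounds the walk so a pathological directory cannot make the
    authorization check run unbounded.
    """
    seen = set()
    queue = deque((group, 1) for group in immediate_groups(member))
    while queue:
        group, depth = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        if depth >= max_depth:
            continue
        for parent in immediate_groups(group):
            if parent not in seen:
                queue.append((parent, depth + 1))
    return seen


def has_access(member: str, required_group: str, transitive: bool = True) -> bool:
    """Authorization decision based on immediate or transitive membership."""
    groups = transitive_groups(member) if transitive else set(immediate_groups(member))
    return required_group in groups
```

With only immediate groups, user-a is denied access gated on group-b even though user-a is nested inside it; with the transitive set, access is granted.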