Use of Google Workspace Group membership for authorization

I want to use Google Workspace Group membership to control access to certain products. I have set up an Enterprise connector to our Google Workspace and selected the option to get Group membership data. I can see groups data coming through in the user context. For example I might see:

    "family_name": "Doe",
    "given_name": "John",
    "groups": [
        "All Staff",
        "group-project-x"
    ],

I see there is a rule template that demonstrates how to restrict access based on group membership. But there seems to be a big security hole here. I’m hoping someone can advise me on how to plug it, or if I’m doing something wrong.

The issue is that in our company (like most I’m sure) multiple people are allowed to create and/or manage groups. As such they can set the name of their group to whatever they like. Google does not seem to mind groups with the same name. As long as the email for the group is unique, the name can be a duplicate. And it seems that what is presented in the “groups” array is the name rather than any group identifier.

Here is the scenario that worries me:

  • I create a group called “group-project-x” and add authorized people to it as members
  • I create a rule that checks if an authenticated user is a member of that group
  • A colleague creates a group with the same name and adds a different set of people as members
  • My colleague’s team can access my application because they appear to be in my “group-project-x” group even though they are not

I have tried this out for real and it is indeed the case - authorization is granted even though the user is not in the intended group. It is even worse for Active Directory (which I have also tried) because AD teams can include external guest users that can be authenticated against somebody else’s AD tenant. This means someone who doesn’t even work for my company can access my application because AD authenticates them and they appear to be in my group even though they are not. They just happen to be a guest in a Teams team (for example) with a name the same as my security group.

My question is, is there any way to get group ID instead of group name so that the rule can 100% check membership of the intended group? Or is there something else we can do, or should be doing, to make this more secure?

Many thanks in advance for any help you can provide.
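The collision described in the post, reproduced as an added example (this is not code from the original post, nor from Google or the connector vendor). It contrasts the name-based membership check the rule template performs with a check keyed on the group's email address, which Google Workspace does keep unique. The group objects with an `email` field, the `example.com` addresses, the users "alice" and "bob", and the `findDuplicateGroupNames` audit helper are all assumptions constructed for the example; the post reports that the connector currently delivers only the display name, so the email would have to come from a connector option or a directory lookup.

```javascript
// Added example, not code from the original post or from Google/Auth0.
// Reproduces the group-name collision described above and contrasts a
// name-based membership check with one keyed on the group's unique address.
// Assumption: group objects carry the Workspace group email ({ name, email });
// the post says the connector currently delivers only the display name.

// Constructed directory state: two distinct groups sharing one display name.
// In Workspace the email must be unique; the display name need not be.
const DIRECTORY_GROUPS = [
  { name: "All Staff",       email: "all-staff@example.com" },
  { name: "group-project-x", email: "project-x@example.com" },      // intended group
  { name: "group-project-x", email: "project-x-copy@example.com" }, // colleague's group
];

const REQUIRED_NAME = "group-project-x";
const REQUIRED_EMAIL = "project-x@example.com";

// Constructed user contexts: the name-only array the post shows, plus the
// assumed object form that would carry the unique email.
const USERS = {
  alice: { // genuine member of the intended group
    groups: ["All Staff", "group-project-x"],
    groupObjects: [DIRECTORY_GROUPS[0], DIRECTORY_GROUPS[1]],
  },
  bob: { // member only of the colleague's same-named group
    groups: ["All Staff", "group-project-x"],
    groupObjects: [DIRECTORY_GROUPS[0], DIRECTORY_GROUPS[2]],
  },
};

// Weak check: display names are not unique, so any same-named group passes.
function isMemberByName(userGroups, requiredName) {
  return userGroups.includes(requiredName);
}

// Hardened check: keyed on the group email, which Workspace keeps unique.
function isMemberByEmail(userGroupObjects, requiredEmail) {
  return userGroupObjects.some((g) => g.email === requiredEmail);
}

// Audit helper: display names that map to more than one group. Run over a
// directory export, it lists which name-based rules are already ambiguous.
function findDuplicateGroupNames(groups) {
  const counts = new Map();
  for (const g of groups) counts.set(g.name, (counts.get(g.name) || 0) + 1);
  return [...counts]
    .filter(([, n]) => n > 1)
    .map(([name]) => name)
    .sort();
}

// Evaluates both checks for both users and returns the outcomes.
function simulateNameCollision() {
  const result = { byName: {}, byEmail: {} };
  for (const [who, u] of Object.entries(USERS)) {
    result.byName[who] = isMemberByName(u.groups, REQUIRED_NAME);
    result.byEmail[who] = isMemberByEmail(u.groupObjects, REQUIRED_EMAIL);
  }
  return result;
}

console.log(JSON.stringify(simulateNameCollision(), null, 2));
console.log("ambiguous group names:", findDuplicateGroupNames(DIRECTORY_GROUPS));
```

Running it shows bob authorized under the name-based check (the scenario in the post) and denied under the email-based one, while the audit helper flags "group-project-x" as a name that already resolves to two groups. Until the connector exposes a unique identifier, that audit over a periodic directory export is the practical control: it tells you which name-based rules are exposed to a collision.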