Enable group sync from Google Workspace (experimental)

:warning: This is experimental. The feature may change without notice.

To get started, configure Google login according to these instructions:

Then, follow these steps:

  1. In the Google Cloud dashboard for your OAuth integration, go to “APIs and Services” and enable the “Admin SDK” API.

  2. Go to “IAM and Admin” → “Service Accounts” → “Create Service Account” and set up an account. The two optional steps are not required - skip through them.

  3. In the service account list, click into the newly created account, record the ‘unique id’ for later, then go to the “keys” tab. Create a new key with the “JSON” format and save the file for later.

  4. Go to admin.google.com and open the ‘Security’ section. Open ‘API Controls’, then “Manage Third Party App Access”, then “Add App”, then “OAuth App Name or Client ID”. Enter the client ID of your OAuth application, then select it from the list. Run through the steps, making sure to set the application as “Trusted”. It should then appear in the list:

  5. Go back to the ‘API Controls’ section, scroll down, and choose “Manage Domain Wide Delegation”. Choose “Add New”, and enter the client ID of the service account you created earlier (this is the ‘unique id’ you recorded in step 3). Under scopes, paste only the following value; it grants read-only access to group membership and nothing else:

    https://www.googleapis.com/auth/admin.directory.group.readonly
    
  6. In your Discourse admin panel, go to the settings tab and search for ‘google oauth2 hd’. Configure the following settings:

    google oauth2 hd: the domain name of your Google Workspace

    google_oauth2_hd_groups_service_account_json: paste the contents of the service account key file you generated earlier

    google_oauth2_hd_groups_service_account_admin_email: enter the email address of any Google Workspace admin account. The service account will impersonate this identity when fetching Google group information, so treat it like any other privileged credential.

    google oauth2 hd groups: enabled

Next time a user logs in, Discourse will fetch and store Google group information behind the scenes.

To link a Google Group to a Discourse group, visit the group config in Discourse and go to the ‘Manage’ → ‘Membership’ section. Under ‘Automatic’, you’ll see a new dropdown which allows you to link any number of Google Groups to the Discourse group:

Changes to this setting should take effect instantly. Changes to group membership on Google will take effect on the user’s next login.

Big thanks to @angus for his work on this feature. We hope to expand this group syncing system to other login methods in the not-too-distant future.

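To check the pieces the steps above wire together before turning google oauth2 hd groups on, here is an added Python example. It is not Discourse's or Google's code: it validates the pasted key file, compares the Domain Wide Delegation entry from step 5 against the key's client ID and the read-only scope, builds the JWT claim set a service account sends to impersonate the admin named in google_oauth2_hd_groups_service_account_admin_email, parses a Directory API groups.list page, and works out the membership changes the ‘Automatic’ links imply at login. The key file, the groups.list response and the group links are constructed sample data, and all function names are this example's own.

```python
import base64
import json
import time

# The only scope the sync needs; the delegation entry should contain exactly this.
GROUPS_READONLY_SCOPE = "https://www.googleapis.com/auth/admin.directory.group.readonly"
TOKEN_URI = "https://oauth2.googleapis.com/token"

# Constructed stand-in for the key file from step 3. Field names mirror a real
# service-account JSON; the private key is a placeholder, not real key material.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123abcd",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "discourse-groups@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": TOKEN_URI,
})

REQUIRED_KEY_FIELDS = ("type", "private_key_id", "private_key", "client_email", "client_id", "token_uri")


def load_key(key_json):
    """Parse the pasted key file and fail early on a truncated or wrong-type paste."""
    key = json.loads(key_json)
    missing = [f for f in REQUIRED_KEY_FIELDS if f not in key]
    if key.get("type") != "service_account" or missing:
        raise ValueError(f"not a service-account key (missing fields: {missing})")
    return key


def check_delegation(key, delegated_client_id, delegated_scopes):
    """Compare the Domain Wide Delegation entry (step 5) against the key file.

    Returns a list of problems; empty means the entry matches and is least-privilege.
    """
    problems = []
    if str(delegated_client_id) != key["client_id"]:
        problems.append("delegated client ID does not match the key's client_id")
    extra = set(delegated_scopes) - {GROUPS_READONLY_SCOPE}
    if extra:
        problems.append(f"delegation grants more than read-only group access: {sorted(extra)}")
    if GROUPS_READONLY_SCOPE not in delegated_scopes:
        problems.append("delegation is missing the group.readonly scope")
    return problems


def delegation_claims(key, admin_email, now=None):
    """JWT claim set for the JWT-bearer grant behind domain-wide delegation.

    `sub` is the admin being impersonated (the *_admin_email setting); the
    resulting token can do no more than that admin can within `scope`.
    """
    iat = int(now if now is not None else time.time())
    return {
        "iss": key["client_email"],
        "sub": admin_email,
        "scope": GROUPS_READONLY_SCOPE,
        "aud": key["token_uri"],
        "iat": iat,
        "exp": iat + 3600,  # Google rejects assertions valid for longer than an hour
    }


def jws_signing_input(claims, key):
    """The `header.payload` bytes that get RS256-signed with key['private_key'].

    The signature itself needs an RSA library (e.g. `cryptography`) and is left
    to the caller; this shows everything up to that point.
    """
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=")
    header = {"alg": "RS256", "typ": "JWT", "kid": key["private_key_id"]}
    return enc(header) + b"." + enc(claims)


# Constructed sample of one Directory API `groups.list?userKey=<user>` page.
SAMPLE_GROUPS_RESPONSE = json.dumps({
    "kind": "admin#directory#groups",
    "groups": [
        {"kind": "admin#directory#group", "id": "01", "email": "Engineering@example.com", "name": "Engineering"},
        {"kind": "admin#directory#group", "id": "02", "email": "oncall@example.com", "name": "On-call"},
    ],
})


def groups_for_user(response_json):
    """Group addresses from one groups.list page, lower-cased for matching.

    A real caller loops while `nextPageToken` is present; this handles one page.
    """
    body = json.loads(response_json)
    return sorted(g["email"].lower() for g in body.get("groups", []))


def membership_changes(google_groups, links, current_memberships):
    """Which Discourse groups a user should gain or lose at login.

    links: {discourse_group: {google group emails linked under 'Automatic'}}.
    A user belongs to a linked Discourse group if they are in any of its linked
    Google groups; Discourse groups with no links are left alone.
    """
    mine = {g.lower() for g in google_groups}
    add, remove = set(), set()
    for dgroup, linked in links.items():
        wanted = bool(mine & {g.lower() for g in linked})
        member = dgroup in current_memberships
        if wanted and not member:
            add.add(dgroup)
        elif member and not wanted:
            remove.add(dgroup)
    return sorted(add), sorted(remove)
```

The claim set is the part worth reading: `sub` is the admin being impersonated, so the admin-email setting together with the key file amounts to a delegated admin credential, and `scope` is the only thing bounding what that credential can read in the directory. Keep the pasted key out of backups and logs you would not otherwise treat as secrets, and re-run the delegation check whenever the service account is rotated, since a stale client ID in the delegation entry silently stops the sync.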

I’d love to use this with “generic oauth2” (for auth0 specifically). Is there another thread or a GitHub issue I can follow for this?


@david or @angus Can you please provide more details for item 6.

> google oauth2 hd: the domain name of your Google Workspace

  1. Do you mean my domain (ebsp.org) that has a workspace account? Or actual domain of the workspace.
  2. Is it just the URL?

> google_oauth2_hd_groups_service_account_json: paste the contents of the service account key file you generated earlier

Copy and paste the entire contents from the JSON?

@angus @david I have followed these directions the way they are laid out. I have the box to search for a group, but no groups populate. Any thoughts?

Hi Charlie, the google oauth2 hd setting comes from the Google OIDC API (docs here). They say it is:

The domain associated with the Google Workspace or Cloud organization of the user

To give an example, if I was setting this up internally for our staff, I would set the value to discourse.org.

Yup!

Google groups will only appear in Discourse once a member of that group signs in to Discourse using google. We don’t have any system for listing them up-front.


@david I finally got it to work. I had to turn some things off. The way my site was set up, users were auto-logged in through Google OAuth. I turned that off, and Discourse Connect, and it worked. Unsure as to which was creating a disconnect. Once I physically logged in with Google, everything populated.
