Enable group sync from Google Workspace (experimental)

:warning: This is experimental. The feature may change without notice.

To get started, configure Google login according to these instructions:

Then, follow these steps:

  1. In the Google dashboard for your OAuth integration, go to “APIs and Services”, and add “Admin SDK”.

  2. Go to “IAM and Admin” → “Service Accounts” → “Create Service Account” and set up an account. The two optional steps are not required - skip through them.

  3. In the service account list, click into the newly created account, record the ‘unique id’ for later, then go to the “keys” tab. Create a new key with the “JSON” format and save the file for later.

  4. Go to admin.google.com, and visit the ‘security’ section. Open ‘API Controls’ → “Manage Third Party App Access”, then “Add App” → “OAuth App Name or Client ID”. Enter the client ID of your OAuth application, then select it from the list. Run through the steps, making sure to set the application as “Trusted”. It should then appear in the list.

  5. Go back to the ‘API Controls’ section, scroll down, and choose “Manage Domain Wide Delegation”. Choose “Add New”, and enter the client ID of the service account you created earlier. Under scopes, paste the value

    https://www.googleapis.com/auth/admin.directory.group.readonly
    
  6. In your Discourse admin panel, go to the settings tab and search for ‘google oauth2 hd’. Configure the following settings:

    google oauth2 hd: the domain name of your Google Workspace

    google_oauth2_hd_groups_service_account_json: paste the contents of the service account key file you generated earlier

    google_oauth2_hd_groups_service_account_admin_email: enter the email address of any Google Workspace admin account. This identity will be used by the service account when fetching google group information

    google oauth2 hd groups: enabled
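The three settings in step 6 have to agree with each other and with the delegation set up in step 5: the key file must be a service-account key, its `client_id` must be the ID you entered under Domain Wide Delegation, and the admin email must belong to the `google oauth2 hd` domain. The following is an added example, not Discourse’s own code: a small Python check over those values, plus the JWT claim set a client signs with the key’s `private_key` to act as the admin (the claim shape is Google’s standard service-account flow; the key file below is a constructed sample with a placeholder private key).

```python
import json

# Scope delegated to the service account in step 5 (from the post).
GROUPS_SCOPE = "https://www.googleapis.com/auth/admin.directory.group.readonly"
REQUIRED_KEYS = ("type", "client_id", "client_email", "private_key", "token_uri")

# Constructed sample of a downloaded service-account key file (not a real key).
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "client_id": "123456789012345678901",           # the 'unique id' recorded in step 3
    "client_email": "discourse-sync@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
}
SAMPLE_KEY_JSON = json.dumps(SAMPLE_KEY)


def check_service_account_config(key_json, admin_email, hd, delegated_client_id):
    """Return a list of problems; an empty list means the step-6 settings are consistent."""
    problems = []
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as e:
        return [f"service account JSON does not parse: {e}"]
    for k in REQUIRED_KEYS:
        if k not in key:
            problems.append(f"key file is missing field '{k}'")
    if key.get("type") != "service_account":
        # An OAuth client secret file parses as JSON too, but has type "web"/"installed".
        problems.append("key file 'type' is not 'service_account'")
    if key.get("client_id") != delegated_client_id:
        problems.append("client_id in key file differs from the ID entered under Domain Wide Delegation")
    domain = admin_email.rsplit("@", 1)[-1] if "@" in admin_email else ""
    if domain.lower() != hd.lower():
        problems.append(f"admin email is not in the Workspace domain '{hd}'")
    return problems


def delegation_claims(key, admin_email, now):
    """JWT claim set signed with key['private_key'] to impersonate admin_email via domain-wide delegation."""
    return {
        "iss": key["client_email"],   # the service account itself
        "sub": admin_email,           # the Workspace admin being impersonated
        "scope": GROUPS_SCOPE,        # must match the scope delegated in step 5
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + 3600,            # Google caps assertions at one hour
    }
```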

Next time a user logs in, Discourse will fetch and store google group information behind-the-scenes.

To link a Google Group to a Discourse group, visit the group config in Discourse, and go to the Manage → Membership section. Under ‘Automatic’, you’ll see a new dropdown which allows you to link any number of Google Groups to the Discourse group.

Changes to this setting should take effect instantly. Changes to group membership on Google will take effect on the user’s next login.

Big thanks to @angus for his work on this feature. We hope to expand this group syncing system to other login methods in the not-too-distant future.


I’d love to use this with “generic oauth2” (for auth0 specifically). Is there another thread or a GitHub issue I can follow for this?
