-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[master issue] option to use custom IdP on browser extension #5311
Comments
For the last task, I think I need @sosnovsky and @martgil help. |
Could you try to build extension from master branch and test this situation? |
Yes, I'll test such situation. Probably it's possible to implement such ui test? |
UI test (for such case) was already added in previous PR I think.
|
Ah, I see, yes, seems to be similar to the described situation, then no need for separate test. |
How's this test going? |
Let me check |
Probably it's related to my local test configuration, not sure if it'll occur for real users, so let's not try to fix it for now. |
Today, the browser extension uses Google authentication / IdP for two purposes:
For the second usecase, it would be safer to use some other IdP if the customer has that option. That way, Google cannot forge authentication tokens and steal the keys from EKM. Today, to prevent the potential key theft from EKM by Google, customers have to either run EKM behind a firewall on internal network, or not run it at all.
Allowing a custom IdP for authenticating especially with EKM would allow us to run EKM for our customers, meaning easier deployment.
This will mean, on such deployments when custom IdP is configured, the user will have to authenticate twice during setup. Once with Google for Gmail API and permissions, and once again with the custom IdP. (there will be two authentication popups in sequence)
The steps would be:
OAuth
class #5316ConfiguredIdpOAuth
class #5318GoogleAuth
toGoogleOAuth
#5319GoogleAuthErr
andEnterpriseServerAuthErr
. When custom IdP is used and it isEnterpriseServerAuthErr
, we should be showingConfiguredIdpOauth
popup instead ofGoogleOAuth
popup #5801The text was updated successfully, but these errors were encountered: