OIDC provider config doesn't work with Google

[foot]

• Might not work with gitlab either
• It does work with dex!

Solution might be to make list of scope configurable.

• Or --google-scopes etc rather than allowing a generic list of strings as we need to know the correct key to grab the groups from, e.g. "teams".

[ozamosi]

Is the thing that doesn't work just groups?

Because there is no scope that lets you grab groups from google. You'd need to do something like https://dexidp.io/docs/connectors/google/#fetching-groups-from-google which I don't think we should build into gitops.

[abayta]

I also found this error. I tried to use OIDC with Google auth and this is the message I get.

[adberger]

+1 for GitLab self-hosted, scope groups is missing there:
https://docs.gitlab.com/ee/integration/oauth_provider.html#authorized-applications

When trying to login with GitLab I get:
The requested scope is invalid, unknown, or malformed.

URL is:
https://gitlab.subdomain.tld/oauth/authorize?client_id=XXX&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2F&response_type=code&scope=profile+openid+email+groups&state=XXX

[parkedwards]

to share our experience - we're on Google for GKE and group-based RBAC in the cluster. these help us use flux safely across the team and not have to managed gnarly custom users/roles. but as we were setting up GitOps and excited about it, we tried the OIDC provider -> Google OAuth client, there's no way to grab and assume the group, which means none of our RoleBindings will apply. the end result is that only the admin user has permissions to the cluster, and all OIDC users do not