
Disclaimer: https://console.cloud.google.com/support/community leads here. Google's documentation is horrific so giving this a whirl on the off chance that I don't get downvoted to the depths of dev/null

Out of impending necessity I am migrating a private application that monitors our Gmail accts to OAuth 2, and as part of this process it was necessary to create an OAuth consent screen. Since this application will only be used internally it makes the most sense to choose "Internal" for Application Type - which is described as follows:

Only users with a Google Account in your organization can grant access to the scopes requested by this app.

The users on this Project consist of two "owners" — myself using my personal Gmail acct, and another employee who is part of the company G Suite account.

My question is who qualifies as a "user in my organization"? Is this based on the project owners? Does my non-G-Suite account (which is an owner of the project) qualify? Does the inclusion of one member of a G Suite account automatically associate the other employee accounts? Is there anywhere to actually see these users or manage them directly?

I'd actually like to add another couple accounts to the mix but still keep the application private, but I'm confused about how Google determines which gmail accounts will be able to authorize the app.

UPDATE: To clarify, when I visit the consent page while logged in as a member of our G Suite on the same domain as the project owner, everything is fine. However, we have other members managed in the same G Suite account who are under a different domain and for these I get the message:

Error 403: org_internal This client is restricted to users within its organization.

Furthermore, I am not even able to grant access using my own email which is the creator and owner of the application. I'd like to know how I can add myself and the other G Suite members to be able to grant access to the application without making it public. It was suggested below that I add them (or their domain) to Google Cloud IAM but I'm unclear about how to get this working. My own email does already exist in IAM with role of "owner" and apparently that doesn't satisfy the requirement.

  • The role `Owner` is a legacy role. This role does not have `all` permissions. The answer to how depends on how you have your account setup. If this is an `Organization` in the Google Cloud definition, then you need to add your IAM Member ID at the Organization level with the Organization Administrator role. – John Hanley Dec 18 '19 at 00:29
  • The description of Project Owner is "**Full access to all resources**" https://i.stack.imgur.com/ezHJX.png - also, this appl is fairly new, I'm not sure why this would be considered a legacy role – But those new buttons though.. Dec 18 '19 at 00:42
  • "*you need to add your IAM Member ID*" - as I mentioned in the question I used my personal Gmail account to set this up. I am not a member of the linked G Suite account. – But those new buttons though.. Dec 18 '19 at 00:47
  • G Suite is a source of identities and is NOT the only one. Please reread my comments and my answer. You can use your Gmail email address. You just need to place it at the correct level in the organization with the correct role. I will repeat - 1) Owner does not have all permissions in Google Cloud. There are permissions above Owner. 2) Owner can grant itself more permissions. https://cloud.google.com/resource-manager/docs/quickstart-organizations – John Hanley Dec 18 '19 at 01:01
  • Ok, I've added my personal email with the role "Organization Administrator" via IAM. I can now see I have access to all organization resources in the cloud console. However, the consent page still returns an error: "Authorization Error - Error 403: org_internal This client is restricted to users within its organization." – But those new buttons though.. Dec 18 '19 at 15:11

3 Answers


In order for internal apps to be used for OAuth, the project must belong to the organization associated with the same GSuite customer as all the users.

Non-GSuite accounts cannot be used by internal apps. There's more information about this here: https://support.google.com/cloud/answer/6158849#public-and-internal.

user2705223
  • Thanks for the concise answer with authoritative reference. Unfortunately for me, it seems you are correct. Would be nice if google would make that more clear *on the consent configuration page itself*. Since it only says "*in your organization*", it leaves things ambiguous enough for me to waste lots of time trying various things via IAM (as suggested in other answers here). – But those new buttons though.. Dec 18 '19 at 22:38
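Given the rule this answer states (only organization accounts can pass an "Internal" consent screen), here is an added example, not code from the question or any answer, that screens an address on the application side before redirecting the user to Google, so a consumer Gmail account gets a clear refusal instead of the opaque "Error 403: org_internal" page. The organization domains, client id and redirect URI are constructed placeholders; the `hd` and `login_hint` parameters are standard Google OAuth 2 hints and only pre-fill the account chooser, the screening function is what actually refuses.

```python
"""Pre-flight screening for an "Internal" OAuth consent screen (added example)."""
from urllib.parse import urlencode

# Constructed sample configuration: replace with your own values.
ORG_DOMAINS = frozenset({"example.com", "example.org"})
CLIENT_ID = "REPLACE_WITH_CLIENT_ID.apps.googleusercontent.com"  # placeholder
REDIRECT_URI = "https://app.example.com/oauth2/callback"         # placeholder
GMAIL_SCOPE = "https://www.googleapis.com/auth/gmail.readonly"
CONSUMER_DOMAINS = frozenset({"gmail.com", "googlemail.com"})
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def account_domain(email: str) -> str:
    """Return the lower-cased domain part of an address ('' if malformed)."""
    local, sep, domain = email.strip().rpartition("@")
    return domain.lower() if sep and local and domain else ""


def screen_account(email: str, org_domains=ORG_DOMAINS):
    """Classify an address before sending the user to the consent screen.

    Returns (allowed, reason). Consumer Google Accounts are rejected
    outright: non-G Suite accounts cannot authorize an internal app,
    whatever IAM role they hold on the project.
    """
    domain = account_domain(email)
    if not domain:
        return False, "not a valid email address"
    if domain in CONSUMER_DOMAINS:
        return False, "consumer Google Account; internal apps accept only organization accounts"
    if domain not in org_domains:
        return False, f"{domain} is not one of this organization's domains"
    return True, "ok"


def build_auth_url(email: str, state: str, org_domains=ORG_DOMAINS) -> str:
    """Build the consent-screen URL for a screened address, or raise ValueError."""
    allowed, reason = screen_account(email, org_domains)
    if not allowed:
        raise ValueError(f"refusing to start OAuth for {email}: {reason}")
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": GMAIL_SCOPE,
        "access_type": "offline",   # needed for a refresh token on a monitoring app
        "state": state,             # anti-CSRF value you generated for this session
        "login_hint": email,
        "hd": account_domain(email),  # hosted-domain hint for the account chooser
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"
```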

Who is a member of my organization?

Anyone that you have added to Google Cloud IAM for a project, folder or at the organization level. This can include Google Accounts (Gmail email addresses), G Suite and Google Identity. The last two use a domain name (example.com) and anyone with an identity in that domain (someone@example.com).

Google's goal is to tighten up security for Google Cloud Platform. In the past anyone with a Google Account email address could use your project's OAuth to request access. The level of access is controlled by OAuth Scopes. Today, granting that access results in a Consent Screen with an unverified application warning. To get beyond (remove) that warning often requires a security audit of your application with a cost estimated at $75,000 USD.

How do I manage members?

Through Google Cloud IAM. You can add and remove members; assign and remove IAM roles attached to member IDs. Through G Suite or Google Identity by adding or removing member accounts. Don't forget that members can be part of a Google Group and part of a Domain each of which are also an identity in Google Cloud Platform.

John Hanley
  • Thanks John that's very helpful. I took a look at the IAM panel and I see it requires a *role* for each member — can you offer any guidance on what would be the most appropriate "role" when I only want to allow the OAuth consent and token to work for a given member? – But those new buttons though.. Dec 17 '19 at 21:55
  • Hi again John, it seems adding members to IAM doesn't actually allow them to grant access as desired. See my updated question. – But those new buttons though.. Dec 18 '19 at 00:17
  • @billynoah You are significantly changing the question. You do not grant permissions to applications. You provide a service account to an application and it needs to use that service account. Your applications are not members of Google Cloud IAM. Service Accounts are another type of Google Cloud IAM Identity. Service Accounts are assigned to Google Cloud Services to grant that service IAM roles. I recommend reverting the question back to the one I answered and then creating a new question regarding how to use Service Accounts with Google Cloud Services. – John Hanley Dec 18 '19 at 00:26
  • Unless I am misunderstanding your answer [here](https://stackoverflow.com/questions/55285369/google-cloud-oauth-authorization-error-this-client-is-restricted-to-users-withi), it seems as though I *can't* use my gmail account, despite designating it a role within the organization asset. If this is true, it somewhat contradicts the statement in your first paragraph. – But those new buttons though.. Dec 18 '19 at 15:00

For GSuite Users:

Cloud IAM only deals with authorisation; you would need to handle authentication elsewhere. By default GSuite integrates with Cloud IAM as the default authentication provider.

For Non-GSuite Users:

You can use Cloud Identity free edition, but users will have to manage a separate set of credentials.

Single Sign On without GSuite

If you want a Single Sign On option you can also use Google Cloud Directory Sync to sync with your on-premise Active Directory or LDAP server for authentication, so users can keep their login details.

That's how authentication works on GCP. As for authorisation, you have Cloud IAM where you can manage access through Predefined Roles, Primitive Roles and Custom Roles.

Cloud IAM and Authorisation

Typically you assign access using Google Groups and the resource hierarchy to make it easier for you to manage user access. But bear in mind that if you grant access to something through an ancestor folder in the resource hierarchy then you can't deny access downstream. So you need to plan the access hierarchy accordingly.

To answer your question "who qualifies as a user in my organization?": everyone can log in, but by default they cannot access any projects, their resources or APIs unless they are given access either individually or through a group.

Hope this clarifies things for you a little.

Parth Mehta
  • Thanks but I'm afraid most of that went over my head. I only want to manage which members are able to grant OAuth access to the application for use with the Gmail API, but I don't necessarily want them to be able to see or access the project in the cloud console. Which role is most appropriate for this purpose? – But those new buttons though.. Dec 17 '19 at 22:04
  • You don't need to provide any roles, no roles means no access. Gmail is part of GSuite family. If your question is OAuth centric then John's response is more relevant. My response relates to how you give access to Google Cloud Platform. – Parth Mehta Dec 17 '19 at 22:13
  • I did try without role but it seems to be required: https://i.stack.imgur.com/o7mUe.png – But those new buttons though.. Dec 17 '19 at 22:16
  • what are the available options in the drop down? – Parth Mehta Dec 17 '19 at 22:28
  • There are lots - 2574 different permissions to be precise. I can create a customer role but it won't allow me to create one with no permissions assigned. I suppose I could just do something hacky here but I'd rather not. I can't be the only person who needs to allow OAuth to members without granting them Cloud platform access. Here's some docs: https://cloud.google.com/iam/docs/permissions-reference – But those new buttons though.. Dec 17 '19 at 23:08
  • Are you trying to create a service account? If so you can create a custom role with no permission: https://stackoverflow.com/questions/55270838/create-a-custom-role-with-no-or-minimal-permissions. But reading from your description it appears that web applications OAuth 2 might be more suitable for your requirements. – Parth Mehta Dec 17 '19 at 23:21
  • No I don't think so... It's just as I said. OAuth2 is required to access our email. Therefore every member account in our organization needs to be able to visit the consent page in order to grant access. As far as I understand, this means I need to add them to the IAM since it is a private app. – But those new buttons though.. Dec 17 '19 at 23:52
  • "*reading from your description it appears that web applications OAuth 2 might be more suitable for your requirements*" - that is precisely how this is set up. – But those new buttons though.. Dec 17 '19 at 23:53
  • OAuth 2 consent screen allows you to implement an authentication layer on your apps, but it is not necessary to add your users to your organization. Since your application is internal, it only works with members of your project; if you don't want to add members, you can add a role without permissions or make your consent auth screen public – Jan Hernandez Dec 18 '19 at 16:22