Google workspace group / role sync #4884

Closed
opened 2026-02-05 09:23:45 +03:00 by OVERLORD · 8 comments

Originally created by @CdrMarks on GitHub (Jul 20, 2024).

Describe the feature you'd like

I would like a way to map a Google workspace group to a Bookstack role to automate users being assigned certain roles.

No need for a UI for this. An array in my functions.php file to map groups to roles would be sufficient.

Describe the benefits this would bring to existing BookStack users

In Google workspace, I have configured users to be members of certain groups. This integration would allow me to define user/group membership once in Google and see that rolled out to bookstack.

Can the goal of this request already be achieved via other means?

It might be possible using the logical theme system and the APP_BOOT event by monitoring the callback payload, but I am not familiar with what the payload contains.

Have you searched for an existing open/closed issue?

  • I have searched for existing issues and none cover my fundamental request

How long have you been using BookStack?

Under 3 months

Additional context

No response

OVERLORD added the 🔨 Feature Request label 2026-02-05 09:23:45 +03:00

@ssddanbrown commented on GitHub (Jul 20, 2024):

Hi @CdrMarks,

Just to help me understand better, are you using Google workspace for authentication?
If so, what authentication method/option are you using for this?


@CdrMarks commented on GitHub (Jul 20, 2024):

I am using the Social / Third Party method for authentication.


@ssddanbrown commented on GitHub (Jul 20, 2024):

@CdrMarks Do you intend all users to use (or have access to) this Google workspace auth option? (Are all your bookstack users part of the Google workspace?)


@CdrMarks commented on GitHub (Jul 20, 2024):

No, I do not (they are not).

My current plan was to have employees login with Google and non-employee contractors login using an email address and password.

If all of my users did have an account within my Google workspace, what option(s) might be available?


@ssddanbrown commented on GitHub (Jul 20, 2024):

> If all of my users did have an account within my Google workspace, what option(s) might be available?

You could instead use OIDC/SAML which can provide a nicer single-sign-on experience while having support for group/role sync with the auth system (can't remember which Google supports groups with, but pretty sure it provides groups via SAML and/or OIDC).

Otherwise, I'm really not keen on extending out group sync support to our third party auth options officially within the core app.

Using the logical theme system it might be possible to watch for [login events](https://github.com/BookStackApp/BookStack/blob/d6021f4d222dcc5a5b1702b3079c4e03a96ce796/app/Theming/ThemeEvents.php#L39-L48) via google, then use Google APIs to look up the user details then get their group detail to then [manually sync with BookStack roles](https://github.com/BookStackApp/BookStack/blob/d6021f4d222dcc5a5b1702b3079c4e03a96ce796/app/Access/GroupSyncService.php#L73).
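
A sketch of the logical-theme approach described in the comment above, as an added example that is not part of the thread and not BookStack project code. Assumptions: the `AUTH_LOGIN` event passes the login method name and the user, `syncUserWithFoundGroups()` has the signature used here, and a read-only Directory API token is supplied in the hypothetical `GOOGLE_DIRECTORY_TOKEN` variable.

```php
<?php
// Added example for a logical theme functions.php (not BookStack's own code).
use BookStack\Access\GroupSyncService;
use BookStack\Facades\Theme;
use BookStack\Theming\ThemeEvents;
use Illuminate\Support\Facades\Http;
use Illuminate\Support\Facades\Log;

// Returns the user's Google group emails, or null when the lookup failed.
// Assumption: GOOGLE_DIRECTORY_TOKEN (hypothetical name) holds a valid token.
function googleGroupEmails(string $email): ?array
{
    try {
        $response = Http::withToken((string) env('GOOGLE_DIRECTORY_TOKEN'))
            ->timeout(5)
            ->get('https://admin.googleapis.com/admin/directory/v1/groups', [
                'userKey' => $email,
            ]);
    } catch (\Throwable $e) {
        Log::warning('Google group lookup error', ['error' => $e->getMessage()]);
        return null;
    }

    if (!$response->successful()) {
        Log::warning('Google group lookup failed', ['status' => $response->status()]);
        return null;
    }

    // Only the first page of results is read; group emails are unique IDs.
    return array_column($response->json('groups') ?? [], 'email');
}

Theme::listen(ThemeEvents::AUTH_LOGIN, function (string $method, $user) {
    // Leave email/password (contractor) logins and their roles alone.
    if ($method !== 'google') {
        return;
    }

    $groups = googleGroupEmails($user->email);
    if ($groups === null) {
        return; // Fail safe: a failed lookup must not change any roles.
    }

    // Assumed signature (user, group names, detach existing roles).
    // false = only add roles; review before enabling detachment, since it
    // would also remove roles that were assigned by hand.
    app(GroupSyncService::class)->syncUserWithFoundGroups($user, $groups, false);
});
```

Roles are only re-evaluated when the user next logs in with Google, so a removed group membership does not take effect in BookStack until then, and not at all while detachment is off.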

@CdrMarks commented on GitHub (Jul 20, 2024):

I'll give OIDC and SAML a look. I had looked at those pages before implementing the Third Party option, but didn't see Google explicitly mentioned, so I wasn't aware OIDC/SAML might work too. If I'm able to get basic authentication working using one of those options, I'll open a PR to add to the [docs](https://github.com/BookStackApp/website/tree/main/content/docs).

@ssddanbrown commented on GitHub (Jul 20, 2024):

> I'll open a PR to add to the [docs](https://github.com/BookStackApp/website/tree/main/content/docs).

I've just updated the site so that the [Google third-party auth docs](https://www.bookstackapp.com/docs/admin/third-party-auth/#google) now show a notice about other options.
SAML2 looks best suited since Google is limited with group data over standard OIDC.

Otherwise, thanks for the offer of adding to the docs but I avoid adding vendor/service specific guidance to our docs since it's a pain to maintain. I instead prefer to do videos if it's a common scenario, since videos are not expected to be maintained to the same level, and are a snapshot in time.

@ssddanbrown commented on GitHub (Nov 28, 2024):

Since there's been no further follow-up, and since I'm not keen on adding service specific sync outside of the standards we support, I'll go ahead and close this off.


Reference: starred/BookStack#4884