[keycloak-user] Fetch user groups from Google IAM account

Roland Tepp roland.tepp at indoor.ninja
Thu Sep 13 14:32:12 EDT 2018


Hey,

Please bear with me as I am quite new at this stuff and I am still
struggling with getting to grips with all the terms and relationships in
Keycloak.

I am trying to set up a Keycloak realm to use the Google OIDC IDP. While the whole
setup of the OIDC login flow was rather straightforward, there are still a few
things I cannot figure out.

First, I want to limit the set of users who can gain access to a single Google
hosted domain.

The Google identity token contains a claim called 'hd', but I can't figure
out how I can use it to limit/restrict logins from other Google hosted
domains.

I suppose it should be part of the initial login flow, but I can't really see
how or where I should configure this.

(The Google OIDC endpoint also supports a proprietary argument with the same
name that should be used to restrict the Google account selection dialogue to
only the specified hosted domain, but again, I do not see where I can hard-code
its value for an IDP authentication request.)


Second: how do I get Google domain groups for the authenticated users?

They are not returned as user claims in a token. Google's documentation
suggests I need to ask Google directory services for that information.

Has anyone managed to integrate Google hosted domains with Keycloak, and do
you have a recipe for how one can fetch Google group memberships for
logged-in users into Keycloak?

Roland
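The two halves of the hosted-domain restriction raised in the post, as an added example that is not part of the original message or of Keycloak: the `hd` request parameter only narrows Google's account chooser, so the `hd` claim in the (already signature-, issuer- and audience-verified) ID token must be checked by the relying party, and a missing claim (consumer Gmail account) must be rejected too. Function names, the constructed token payloads and `example.com` are assumptions for illustration.

```python
"""Enforcing a Google hosted-domain (hd) restriction at OIDC login time.

Hypothetical helpers; all sample claims below are constructed, not real tokens.
Assumes the caller has ALREADY validated the ID token signature, `iss`, `aud`,
`exp` and `nonce` (e.g. via the OIDC library or the IdP broker) - this code
only implements the authorization decision on the verified claims.
"""
from urllib.parse import urlencode

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def build_auth_url(client_id, redirect_uri, state, nonce, hosted_domain):
    """Authorization request carrying Google's `hd` parameter.

    `hd` pre-filters the account picker for usability; it is NOT a security
    control, because the user can still sign in with any other account."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid email profile",
        "state": state,
        "nonce": nonce,
        "hd": hosted_domain,
    }
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def check_hosted_domain(claims, allowed_domains):
    """Return (allowed, reason) for a dict of verified ID-token claims.

    Decides on the `hd` claim, never on the e-mail suffix: a consumer account
    has no `hd` claim at all, and the suffix of `email` is not authoritative."""
    allowed = {d.lower() for d in allowed_domains}
    hd = claims.get("hd")
    if not isinstance(hd, str) or not hd:
        return False, "no hd claim: not a Google hosted-domain account"
    if hd.lower() not in allowed:
        return False, f"hosted domain {hd!r} is not permitted"
    if claims.get("email_verified") is not True:
        return False, "email_verified is not true"
    return True, hd.lower()


if __name__ == "__main__":
    print(build_auth_url("cid", "https://rp.example.com/cb", "s1", "n1", "example.com"))
    # Constructed payloads: one staff account, one consumer account.
    staff = {"sub": "1", "email": "a@example.com", "email_verified": True, "hd": "Example.com"}
    gmail = {"sub": "2", "email": "b@gmail.com", "email_verified": True}
    print(check_hosted_domain(staff, ["example.com"]))  # (True, 'example.com')
    print(check_hosted_domain(gmail, ["example.com"]))  # rejected: no hd claim
```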

