As per the documentation for the Google Workspace integration, the only way to achieve it is by generating a Service Account (JSON) key, and in some organizations that is forbidden due to security concerns.
Another approach is to use Application Default Credentials (ref). This means it will use the VM/Compute instance service account, so no SA key will be generated, and this can be an option for the user.
Just wondering, is there any roadmap for this feature? Or is there a concern if we implement it?
I’m happy to contribute to make this feature happen.
That token appears to be for Google Cloud related services. The service account is used to access the directory listing in the Google Workspace to get a listing of the users’ groups to allow matching to existing Pritunl organizations. If group matching isn’t needed, the Google JSON Private Key and Google Admin Email options can be left blank.
Yes, it’s needed (group matching), and our org has a policy not to generate SA JSON private keys due to potential security issues. Pritunl is an exception because of the limitation I mentioned above.
There shouldn’t be any security issues with it; the key is scoped to read-only access to the basic user profile information and group listing. Google Workspace isn’t designed as a single sign-on provider and it requires using those less common APIs.