feat: add option to use organization id for preferred username in Google Provider #3237
+185 −14
Description
The Google id token uses the Google id as the username. I have internal systems where the username should match the employee id, which is mapped into my Google Workspace directory as "Organization Id". I needed a way to retrieve that and add it to a header, as it's not in the id token either.
Motivation and Context
This allows a preferred username to be retrieved from the directory as the "organization" id instead of Google's user id. This is similar to how you might use MS Entra's onpremid to map to local AD usernames. I added a config change to enable this. If the user does not have an organization id mapped, the auth service will 500; I'm open to changing this behavior.
Due to the way the scope permissions are iterated over, it currently only works if you have both https://www.googleapis.com/auth/admin.directory.group.member.readonly and https://www.googleapis.com/auth/admin.directory.user.readonly.
Made the scope required for AdminApiUser a config option.
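As an added example (not code from this PR or from the oauth2-proxy project), here is the directory lookup the description refers to, in Go: parse an Admin SDK Directory API `users.get` response and pick out the organization id to use as the preferred username, with the "no id mapped" case surfaced as a distinct error rather than a bare 500. It assumes the admin-console "Employee ID" / "Organization Id" value arrives as an `externalIds` entry of type `organization`, that the caller already fetched the user with the `admin.directory.user.readonly` scope, and the JSON bodies are constructed samples.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// directoryUser models the subset of a Directory API users.get response
// this example needs. Assumption: the admin-console "Employee ID" field is
// exposed as an externalIds entry whose type is "organization".
type directoryUser struct {
	PrimaryEmail string `json:"primaryEmail"`
	ExternalIDs  []struct {
		Value string `json:"value"`
		Type  string `json:"type"`
	} `json:"externalIds"`
}

// errNoOrgID is returned when the directory has no organization id for the
// user. Distinguishing it from decode/transport errors lets the provider
// choose a deliberate response instead of a generic 500 (the behaviour the
// PR description says it currently has).
var errNoOrgID = errors.New("user has no external id of type organization")

// organizationID extracts the organization id from a raw users.get body.
func organizationID(body []byte) (string, error) {
	var u directoryUser
	if err := json.Unmarshal(body, &u); err != nil {
		return "", fmt.Errorf("decode directory user: %w", err)
	}
	for _, id := range u.ExternalIDs {
		if id.Type == "organization" && id.Value != "" {
			return id.Value, nil
		}
	}
	return "", errNoOrgID
}

// Constructed sample responses (not real directory data).
const withOrgID = `{"primaryEmail":"alice@example.com","externalIds":[{"value":"E12345","type":"organization"}]}`
const withoutOrgID = `{"primaryEmail":"bob@example.com","externalIds":[{"value":"b-77","type":"custom","customType":"badge"}]}`

func main() {
	for _, body := range []string{withOrgID, withoutOrgID} {
		if id, err := organizationID([]byte(body)); err != nil {
			fmt.Println("error:", err)
		} else {
			fmt.Println("preferred username:", id)
		}
	}
}
```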
How Has This Been Tested?
Tested locally and in production.
Checklist: