
Unable to authenticate with Google Workspace SSO using OIDC connector setup #15608

Closed
oshati opened this issue Aug 17, 2022 · 4 comments
Labels: bug, sso (Used for single sign on related tasks.)

Comments

@oshati
Contributor

oshati commented Aug 17, 2022

Expected behavior:
User should be able to authenticate to the Teleport cluster using SSO - Google OIDC connector

Current behavior:
The OIDC connector cannot get group information from GCP, so tsh login failed as expected. Exchange of information doesn't seem to occur with Teleport.
All prerequisites have been met and configuration is as suggested in the documentation, but the issue persists.
https://goteleport.com/docs/enterprise/sso/google-workspace/

From a review of the debug logs, there appears to be a memory panic issue recorded with the below entry

http: panic serving 35.236.49.168:11090: runtime error: invalid memory address or nil pointer dereference

Bug details:

gz#6250

@oshati oshati added bug sso Used for single sign on related tasks. labels Aug 17, 2022
@AndrewLeewis

Adding context from the customer:

  • The OIDC connector was the main reason for purchasing an enterprise license.
  • Without the GSuite integration they are blocked from rolling it out to their team.

@espadolini
Contributor

espadolini commented Aug 23, 2022

@oshati Is it possible that the /var/lib/teleport/gworkspace-creds.json file as specified in the auth connector yaml is the JSON file for the OAuth Client ID rather than the JSON key file for the service account? The former (incorrect and not required) is like

{
  "web": {
    "client_id": "<redacted>.apps.googleusercontent.com",
    "project_id": "<project name>",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_secret": "<redacted>"
  }
}

while the latter (correct) one is like

{
  "type": "service_account",
  "project_id": "<project name>",
  "private_key_id": "<redacted>",
  "private_key": "-----BEGIN PRIVATE KEY-----<PRETTY BIG REDACTED>-----END PRIVATE KEY-----\n",
  "client_email": "<service account name>@<project name>.iam.gserviceaccount.com",
  "client_id": "<redacted number>",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/<service account name>%40<project name>.iam.gserviceaccount.com"
}

If that's the case, then the panic is caused by an unfortunate oversight of the golang.org/x/oauth2/google API, but we can turn it into a more understandable error - and we should probably also give an example of the contents of the correct JSON key file in the docs.

@cemdorst

@espadolini I can confirm that updating the OIDC connector config fixes the issue. Thanks!

@espadolini
Contributor

Solved by #16003; now you'll get a hard error in the auth logs stating google: read JWT from JSON credentials: 'type' field is "some_other_type" (expected "service_account") which should make it much easier to diagnose.
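The check that turns the nil-pointer panic into a readable error, as an added illustration (not Teleport's code and not the actual #16003 change): a hypothetical helper that inspects the credentials JSON before it is handed to the Google OAuth library, distinguishing an OAuth client ID download (everything nested under "web"/"installed", no top-level "type") from a service account key ("type": "service_account"). The sample documents are constructed to mirror the two shapes shown in the comment above.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// credentialKind captures only the fields needed to tell the two file shapes apart.
type credentialKind struct {
	Type        string          `json:"type"`
	ClientEmail string          `json:"client_email"`
	PrivateKey  string          `json:"private_key"`
	Web         json.RawMessage `json:"web"`       // present in an OAuth client ID download
	Installed   json.RawMessage `json:"installed"` // same, for "desktop" client IDs
}

// CheckServiceAccountJSON returns nil when data looks like a Google service
// account key file and a descriptive error otherwise (hypothetical helper).
func CheckServiceAccountJSON(data []byte) error {
	var c credentialKind
	if err := json.Unmarshal(data, &c); err != nil {
		return fmt.Errorf("credentials file is not valid JSON: %w", err)
	}
	if len(c.Web) > 0 || len(c.Installed) > 0 {
		return errors.New("credentials file is an OAuth client ID download, not a service account key")
	}
	if c.Type != "service_account" {
		return fmt.Errorf("'type' field is %q (expected \"service_account\")", c.Type)
	}
	if c.ClientEmail == "" || c.PrivateKey == "" {
		return errors.New("service account key is missing client_email or private_key")
	}
	return nil
}

// Constructed samples; values are placeholders, not real credentials.
var (
	oauthClientJSON    = []byte(`{"web":{"client_id":"x.apps.googleusercontent.com","client_secret":"placeholder"}}`)
	serviceAccountJSON = []byte(`{"type":"service_account","client_email":"sa@proj.iam.gserviceaccount.com","private_key":"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"}`)
)

func main() {
	fmt.Println("oauth-client:", CheckServiceAccountJSON(oauthClientJSON))
	fmt.Println("service-account:", CheckServiceAccountJSON(serviceAccountJSON))
}
```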
