Reputation: 355
I would like to add user group membership information to the JWT token generated by Identity-Aware Proxy.
We could handle this by calling the Directory API from our applications after getting the user identifier by decoding the JWT token, but we need to configure a Service Account with GSuite Domain Delegation and then manually configure GSuite Security to allow this account to call the Directory API.
I don't want to perform all these steps for all my applications, and ideally, I would like to avoid implementing an Authorization Server when IAP looks to have access to all the data I need.
Ideally, we would like to add group membership (GSuite information) to the JWT token generated by IAP and let our application get groups by decoding the token.
Do you think it is possible? If not, what is the best way to retrieve user group membership by using IAP?
Thank you :)
Upvotes: 2
Views: 1708
Reputation: 7483
I don't think there's an alternative to another GSuite API call since IAP itself doesn't contain a means of requesting additional scopes in its OAuth request to Google.
I had a related question where I wanted additional profile information from IAP and received this answer from IAP engineer Matthew Sachs:
...if IAP provided a way to a) specify additional scopes in its OAuth request to Google, and if it then b) passed additional claims from the OIDC token into the IAP JWT, you'd be able to configure IAP to request the "profile" scope. However, IAP currently only requests the "email" and "openid" scopes, and doesn't have a mechanism for specifying additional scopes.
Upvotes: 3
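As an added example (not code from the question, the answer, or Google), here is the pattern the thread arrives at in working Python: the application trusts only the IAP-signed JWT in the `x-goog-iap-jwt-assertion` header for identity, and then asks the Directory API for the groups of that email address through a service account with domain-wide delegation. Signature and audience checking is delegated to `google-auth`'s `id_token.verify_token`, which is the documented way to validate IAP assertions; the issuer/expiry re-check and the pagination helper are pure functions that run offline. `EXPECTED_AUDIENCE`, `SERVICE_ACCOUNT_FILE` and `ADMIN_TO_IMPERSONATE` are placeholders you must replace, and `groups_for_user` takes a page-fetching callable so it can be exercised without network access.

```python
"""Added example: identity from the IAP JWT, group membership from the Directory API.

Network parts need the google-auth and google-api-python-client packages and a
service account with domain-wide delegation (the setup described in the question).
"""
import time
from typing import Callable, List, Optional

IAP_ISSUER = "https://cloud.google.com/iap"
IAP_JWK_URL = "https://www.gstatic.com/iap/verify/public_key-jwk"
GROUP_SCOPE = "https://www.googleapis.com/auth/admin.directory.group.readonly"

# Placeholders (assumed values): replace with your own project/backend/admin details.
EXPECTED_AUDIENCE = "/projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID"
SERVICE_ACCOUNT_FILE = "/path/to/delegated-service-account.json"
ADMIN_TO_IMPERSONATE = "admin@example.com"


def validate_iap_claims(claims: dict, expected_audience: str, now: Optional[float] = None) -> str:
    """Return the user's email from a claims dict whose signature has already been checked.

    id_token.verify_token() verifies the ES256 signature and the audience; issuer,
    audience and expiry are re-checked here so the function never trusts a stray dict.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != IAP_ISSUER:
        raise ValueError("unexpected issuer: %r" % (claims.get("iss"),))
    if claims.get("aud") != expected_audience:
        raise ValueError("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or has no exp claim")
    email = claims.get("email")
    if not email:
        raise ValueError("no email claim in IAP token")
    return email


def verify_iap_jwt(iap_jwt: str, expected_audience: str = EXPECTED_AUDIENCE) -> str:
    """Verify the x-goog-iap-jwt-assertion header value and return the user's email.

    Fetches IAP's public keys over the network (google-auth caches them).
    """
    from google.auth.transport import requests  # lazy imports: offline helpers need no deps
    from google.oauth2 import id_token

    claims = id_token.verify_token(
        iap_jwt, requests.Request(), audience=expected_audience, certs_url=IAP_JWK_URL
    )
    return validate_iap_claims(claims, expected_audience)


def groups_for_user(email: str, list_page: Callable[[Optional[str]], dict]) -> List[str]:
    """Collect every group email the user belongs to, following nextPageToken.

    list_page(page_token) must return one Directory API groups.list response dict
    (keys "groups" and, when more pages follow, "nextPageToken").
    """
    groups, token = [], None
    while True:
        page = list_page(token)
        groups.extend(g["email"] for g in page.get("groups", []))
        token = page.get("nextPageToken")
        if not token:
            return sorted(set(groups))


def directory_page_fetcher(email: str, sa_file: str = SERVICE_ACCOUNT_FILE,
                           admin: str = ADMIN_TO_IMPERSONATE) -> Callable[[Optional[str]], dict]:
    """Build a list_page callable backed by the real Directory API.

    The service account impersonates a GSuite admin via domain-wide delegation and is
    granted only the read-only group scope, which is all this lookup needs.
    """
    from google.oauth2 import service_account
    from googleapiclient.discovery import build

    creds = service_account.Credentials.from_service_account_file(
        sa_file, scopes=[GROUP_SCOPE]
    ).with_subject(admin)
    service = build("admin", "directory_v1", credentials=creds, cache_discovery=False)

    def list_page(page_token: Optional[str]) -> dict:
        return service.groups().list(userKey=email, pageToken=page_token).execute()

    return list_page


def groups_from_request_header(iap_jwt: str) -> List[str]:
    """End-to-end: IAP header -> verified email -> list of group addresses."""
    email = verify_iap_jwt(iap_jwt)
    return groups_for_user(email, directory_page_fetcher(email))
```

In a request handler you would call `groups_from_request_header(request.headers["x-goog-iap-jwt-assertion"])`; the group list is then a per-request authorization input, which is what the question wanted to read directly from the token. Caching the Directory API result per user for a short time keeps the extra round trip off the hot path.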