Google oAuth2 SSO / Role Mapper for Google GSuite Groups

I’m using Google SSO / OIDC / oAuth2 in Keycloak 7.0.1.
The default claims are

[0me[32m08:31:31,360 DEBUG [] (default task-229) User Profile JSON Data for provider google: 

“sub”: “108120107908467602929”,
“name”: “Robert”,
“given_name”: “Robert”,
“family_name”: “…”,
“picture”: “…”,
“email”: “robert@…”,
“email_verified”: true,
“locale”: “en-GB”,
“hd”: "…

We are using GSuite Groups. I would like to use the Keycloak Attribute Importer to Map Groups from Google to Keycloak roles.

I set the Default Scopes to “openid profile email
The consent screen in google also contains that scope.
The SSO Works using this setup, but the claims are the same in the response.
Is it possible to get additional claims via Configuration?

Seems like google would return it to use, when “include_granted_scopes=true” is Set.
Just have to figure out how to do it in keycloak.

Did you end up figuring this out?

Our conclusion is: won’t work with OIDC Google SSO, will need to switch to SAML
But it’s not implemented yet

In case you are still interested, we managed to get this working with OIDC.
This can’t be done via the UserInfo endpoint (even when the scope is provided) due to groups being part of the admin SDK.
We solved this by creating a protocol mapper that fetches and adds it to the claims. The protocol mapper will need to use the admin SDK and set up a service account to make the required API call.

@rajith77 thanks for asking.
This would have been the alternative. I wonder why this is not available in Keycloak by default for google SSO.

Fair point. I’m sure there must be other folks who are interested in the same.

1 Like

Hi, I am interested i this as well, is there any sample code I can learn from to create a protocol mapper?

Hello, @rajith77!
We also want to get additional details from Google (set as our IDP in Keycloak), for example, the Department field.
Will you be able to provide more details on the solution that you guys took?
Thank you in advance!