[Doco] excessive GSuite delegation scope

[SP3269]

The https://www.googleapis.com/auth/admin.directory.group.member.readonly scope is not needed to query group membership. Remove from the doco?

[stevvooe]

@SP3269 Did you run it successfully with the reduced scope? The docs aren't super clear on the difference.

[SP3269]

Agree, the documentation is suboptimal!

Ok, this is not only the doco change. In the gsuite/grouper.go:73, the admin.directory.group.member.readonly if specifically requested:

config, err := google.JWTConfigFromJSON(b, admin.AdminDirectoryGroupMemberReadonlyScope, admin.AdminDirectoryGroupReadonlyScope)

The Members function is using only one directory API of the G Suite Admin SDK - Members: list. Per Google documentation, that requires one of the scopes:

• https://www.googleapis.com/auth/admin.directory.group.member.readonly
• https://www.googleapis.com/auth/admin.directory.group.member
• https://www.googleapis.com/auth/admin.directory.group.readonly
• https://www.googleapis.com/auth/admin.directory.group

Previously, we only used https://www.googleapis.com/auth/admin.directory.group.readonly for similar purpose integrating Spinaker and Artifactory with G Suite, thus raising this issue.

Should I send PR?

[stevvooe]

Should I send PR?

Yea, that's fine but I don't have a good way to test this.

[stevvooe]

@SP3269 I've added this to the 1.2 milestone, so we'll get it fixed in the release after next. I'll be releasing 1.1 in short order, so we'll have to wait on that one.

Thanks for pushing this one forward!