Google OIDC: How to get the member_key of an external SSO user?


I'm developing a Go application which offers SSO with Google Workspace, using OIDC/OAuth2.

Login works fine; I have no issues with it.

I also implemented an additional check to validate whether a user is inside a specific group.

To do that, I'm using the groups.memberships.searchDirectGroups method from the Cloud Identity API. As the query, I'm using member_key_id == 'member_key_id_value'. For member_key_id_value I'm using the email given by the email claim from the user's id_token. For accessing the API, I'm using the user's access token.

The procedure works fine for internal users. But for external users, imported via SAML sync, it won't work.

I figured out that for external users, member_key_id isn't the email of the user. While the email is [email protected], the member key is [email protected].

However, neither the id_token nor the userinfo endpoint provides the member_key_id of a user.

Does someone have an idea how I could use the Cloud Identity API with external users?


The alternative could be the Directory API from the Admin SDK. But I'm unable to access it.

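As an added example (not code from the question or from Google's client library), this is how the group check described above can be wired with only the Go standard library: the member_key_id query is built from the id_token email claim only after validating it, and the searchDirectGroups reply is parsed so that an empty result, which is what the question observes for external users whose member_key_id differs from their email, denies access rather than erroring open. The endpoint path and the groupKey field follow the public REST API; the helper names are mine, and the sample reply is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// REST form of groups.memberships.searchDirectGroups; "groups/-" searches all groups.
const searchDirectGroupsURL = "https://cloudidentity.googleapis.com/v1/groups/-/memberships:searchDirectGroups"

// Only plain addresses are accepted; anything else (quotes, operators) is rejected.
var memberKeyRe = regexp.MustCompile(`^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$`)

// BuildSearchURL builds the request URL. memberKey comes from an id_token claim,
// so it is validated before being placed into the query to avoid query injection.
func BuildSearchURL(memberKey string) (string, error) {
	if !memberKeyRe.MatchString(memberKey) {
		return "", fmt.Errorf("refusing to query with malformed member key %q", memberKey)
	}
	q := url.Values{}
	q.Set("query", fmt.Sprintf("member_key_id == '%s'", memberKey))
	return searchDirectGroupsURL + "?" + q.Encode(), nil
}

type searchResponse struct {
	Memberships []struct {
		GroupKey struct {
			ID string `json:"id"`
		} `json:"groupKey"`
	} `json:"memberships"`
}

// IsMemberOf parses one page of a searchDirectGroups reply and reports whether
// requiredGroup is among the member's direct groups. Zero memberships (the
// external-user case from the question) yields false, i.e. the check fails closed.
func IsMemberOf(body []byte, requiredGroup string) (bool, error) {
	var resp searchResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return false, err
	}
	for _, m := range resp.Memberships {
		if strings.EqualFold(m.GroupKey.ID, requiredGroup) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	u, err := BuildSearchURL("user@example.com") // constructed claim value
	fmt.Println(u, err)
	// Constructed stand-in for the API reply body.
	body := []byte(`{"memberships":[{"group":"groups/abc","groupKey":{"id":"admins@example.com"}}]}`)
	fmt.Println(IsMemberOf(body, "admins@example.com"))
}
```

Only the first page of results is inspected; a production check would also follow nextPageToken.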

There are 0 answers