Google Apps SSO with service account fails with 403

Hi there,

I’ve followed the Google Single Sign-On doc but keep facing a 403 error when trying to log in with Google.

[lively-refuge-3621][2023-06-27 12:43:15,797][ERROR] Exception on /sso/callback [GET]
Traceback (most recent call last):
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/", line 2528, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/", line 1825, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/", line 1823, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/", line 1799, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/auth/", line 26, in _wrapped
    return call(*args, **kwargs)
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/handlers/", line 656, in sso_callback_get
    valid, google_groups = sso.verify_google(username)
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/sso/", line 42, in verify_google
    data = service.users().get(userKey=user_email).execute()
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/googleapiclient/", line 130, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/googleapiclient/", line 938, in execute
    raise HttpError(resp, content, uri=self.uri)
googleapiclient.errors.HttpError: <HttpError 403 when requesting returned "Not Authorized to access this resource/api". Details: "[{'message': 'Not Authorized to access this resource/api', 'domain': 'global', 'reason': 'forbidden'}]">

I checked multiple times that:

  • The Admin SDK was correctly set up
  • The service account was correctly created with the right directory.users and directory.groups scopes and with domain-wide delegation on.
  • The JSON key file content was correctly pasted in Pritunl’s admin panel settings


  • I’m a Google Workspace admin and am trying to SSO log in Pritunl with my related admin account (the same way my non-admin coworkers will have to).
  • We don’t really use Google groups so I haven’t set up anything related to that
  • I tried to manually set the consent screen on Google’s side, no changes

Am I missing a setting on Google? (the problem seems to be there)

Found the issue: The “Google Admin Email” used in pritunl settings was missing the User Management Admin and Groups Reader roles on Google Workspace. Maybe worth adding this to the documentation?