Hi there,
I’ve followed the Google Single Sign-On doc but keep facing a 403 error when trying to log in with Google.
[lively-refuge-3621][2023-06-27 12:43:15,797][ERROR] Exception on /sso/callback [GET]
Traceback (most recent call last):
File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/app.py", line 2528, in wsgi_app
response = self.full_dispatch_request()
File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/app.py", line 1825, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/app.py", line 1823, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/flask/app.py", line 1799, in dispatch_request
return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/auth/app.py", line 26, in _wrapped
return call(*args, **kwargs)
File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/handlers/sso.py", line 656, in sso_callback_get
valid, google_groups = sso.verify_google(username)
File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/sso/google.py", line 42, in verify_google
data = service.users().get(userKey=user_email).execute()
File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/googleapiclient/_helpers.py", line 130, in positional_wrapper
return wrapped(*args, **kwargs)
File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/googleapiclient/http.py", line 938, in execute
raise HttpError(resp, content, uri=self.uri)
googleapiclient.errors.HttpError: <HttpError 403 when requesting https://admin.googleapis.com/admin/directory/v1/users/sebastien.dan%40toposware.com?alt=json returned "Not Authorized to access this resource/api". Details: "[{'message': 'Not Authorized to access this resource/api', 'domain': 'global', 'reason': 'forbidden'}]">
I checked multiple times that:
- The Admin SDK was correctly set up
- The service account was correctly created with the right directory.users and directory.groups scopes and with domain-wide delegation on
- The JSON key file content was correctly pasted in Pritunl’s admin panel settings
Notes:
- I’m a Google Workspace admin and am trying to log in to Pritunl via SSO with my related admin account (the same way my non-admin coworkers will have to).
- We don’t really use Google groups, so I haven’t set up anything related to that.
- I tried manually setting the consent screen on Google’s side, with no change.
Am I missing a setting on Google? (the problem seems to be there)
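A way to reproduce the failing call outside Pritunl, added here as an example and not Pritunl's own code: it checks the pasted key file for the fields domain-wide delegation needs, then makes the same users().get call with an explicit admin subject, so a Google-side delegation problem (client_id or scopes not authorised in the Admin console, subject not an admin) can be told apart from a Pritunl-side one. The scope strings, the admin-email argument and the sample key are assumptions.

```python
"""Reproduce the Directory API call from the traceback outside Pritunl."""
import json
import sys

# Assumed scopes for the directory.users / directory.groups access the post
# describes; check them against the Pritunl SSO documentation.
SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
]
# Constructed sample of a service-account key file (not a real key).
SAMPLE_KEY = {
    "type": "service_account",
    "client_email": "pritunl-sso@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "private_key": "-----BEGIN PRIVATE KEY-----\nNOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
}

def check_key_file(key: dict) -> list:
    """Problems found in a pasted key; [] means every field delegated access
    needs is present (client_id is what the Admin console DWD page asks for)."""
    problems = []
    if key.get("type") != "service_account":
        problems.append("type is %r, expected 'service_account'" % key.get("type"))
    for field in ("client_email", "client_id", "private_key", "token_uri"):
        if not key.get(field):
            problems.append("missing field: " + field)
    if key.get("private_key") and "BEGIN PRIVATE KEY" not in key["private_key"]:
        problems.append("private_key is not a PEM private key")
    return problems

def lookup_user(key_path: str, admin_email: str, user_email: str) -> dict:
    """Same users().get call as pritunl/sso/google.py, impersonating admin_email
    explicitly. Google libraries are imported here so check_key_file runs without them."""
    from google.oauth2 import service_account
    from googleapiclient.discovery import build
    creds = service_account.Credentials.from_service_account_file(
        key_path, scopes=SCOPES).with_subject(admin_email)
    service = build("admin", "directory_v1", credentials=creds,
                    cache_discovery=False)
    return service.users().get(userKey=user_email).execute()

if __name__ == "__main__":  # usage: script.py key.json admin@domain user@domain
    key_path, admin_email, user_email = sys.argv[1:4]
    key = json.load(open(key_path))
    for problem in check_key_file(key):
        print("key file problem:", problem)
    print("authorise client_id", key["client_id"], "for scopes", *SCOPES)
    print(lookup_user(key_path, admin_email, user_email))
```

If the call succeeds from this script but still fails inside Pritunl, the delegation on Google's side is fine and the difference lies in what Pritunl passes (key, subject, or scopes); if it fails here with the same 403, the Admin console authorisation or the impersonated account is the place to look.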