Hi,
After upgrading from a rather old version, 1.29.2664.67, to the latest one, I started seeing the following error in the logs:
[patient-thunder-2545][2022-04-08 08:54:36,406][ERROR] Exception on /sso/callback [GET]
Traceback (most recent call last):
  File "/usr/lib/pritunl/lib/python3.8/site-packages/flask/app.py", line 2073, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/pritunl/lib/python3.8/site-packages/flask/app.py", line 1518, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/pritunl/lib/python3.8/site-packages/flask/app.py", line 1516, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/pritunl/lib/python3.8/site-packages/flask/app.py", line 1502, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)
  File "/usr/lib/pritunl/lib/python3.8/site-packages/pritunl/auth/app.py", line 26, in _wrapped
    return call(*args, **kwargs)
  File "/usr/lib/pritunl/lib/python3.8/site-packages/pritunl/handlers/sso.py", line 655, in sso_callback_get
    valid, google_groups = sso.verify_google(username)
  File "/usr/lib/pritunl/lib/python3.8/site-packages/pritunl/sso/google.py", line 42, in verify_google
    data = service.users().get(userKey=user_email).execute()
  File "/usr/lib/pritunl/lib/python3.8/site-packages/googleapiclient/_helpers.py", line 131, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/lib/pritunl/lib/python3.8/site-packages/googleapiclient/http.py", line 922, in execute
    resp, content = _retry_request(
  File "/usr/lib/pritunl/lib/python3.8/site-packages/googleapiclient/http.py", line 190, in _retry_request
    resp, content = http.request(uri, method, *args, **kwargs)
  File "/usr/lib/pritunl/lib/python3.8/site-packages/oauth2client/transport.py", line 159, in new_request
    credentials._refresh(orig_request_method)
  File "/usr/lib/pritunl/lib/python3.8/site-packages/oauth2client/client.py", line 749, in _refresh
    self._do_refresh_request(http)
  File "/usr/lib/pritunl/lib/python3.8/site-packages/oauth2client/client.py", line 819, in _do_refresh_request
    raise HttpAccessTokenRefreshError(error_msg, status=resp.status)
oauth2client.client.HttpAccessTokenRefreshError: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.
I have poked around versions a bit and the last version that works and doesn’t break is 1.30.3001.35. Any version after that breaks Google SSO.
The service account used for this hasn’t been changed. I see in Google Workspace logs that the authentication was successful but the application crashes after receiving the response from Google.
Any ideas on how to proceed?
Thank you!