Google SSO stopped working

Hi,

After upgrading from a rather old version 1.29.2664.67 to the latest one, I started seeing the following error in the logs:

[patient-thunder-2545][2022-04-08 08:54:36,406][ERROR] Exception on /sso/callback [GET]
Traceback (most recent call last):
  File "/usr/lib/pritunl/lib/python3.8/site-packages/flask/app.py", line 2073, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/pritunl/lib/python3.8/site-packages/flask/app.py", line 1518, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/pritunl/lib/python3.8/site-packages/flask/app.py", line 1516, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/pritunl/lib/python3.8/site-packages/flask/app.py", line 1502, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)
  File "/usr/lib/pritunl/lib/python3.8/site-packages/pritunl/auth/app.py", line 26, in _wrapped
    return call(*args, **kwargs)
  File "/usr/lib/pritunl/lib/python3.8/site-packages/pritunl/handlers/sso.py", line 655, in sso_callback_get
    valid, google_groups = sso.verify_google(username)
  File "/usr/lib/pritunl/lib/python3.8/site-packages/pritunl/sso/google.py", line 42, in verify_google
    data = service.users().get(userKey=user_email).execute()
  File "/usr/lib/pritunl/lib/python3.8/site-packages/googleapiclient/_helpers.py", line 131, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/lib/pritunl/lib/python3.8/site-packages/googleapiclient/http.py", line 922, in execute
    resp, content = _retry_request(
  File "/usr/lib/pritunl/lib/python3.8/site-packages/googleapiclient/http.py", line 190, in _retry_request
    resp, content = http.request(uri, method, *args, **kwargs)
  File "/usr/lib/pritunl/lib/python3.8/site-packages/oauth2client/transport.py", line 159, in new_request
    credentials._refresh(orig_request_method)
  File "/usr/lib/pritunl/lib/python3.8/site-packages/oauth2client/client.py", line 749, in _refresh
    self._do_refresh_request(http)
  File "/usr/lib/pritunl/lib/python3.8/site-packages/oauth2client/client.py", line 819, in _do_refresh_request
    raise HttpAccessTokenRefreshError(error_msg, status=resp.status)
oauth2client.client.HttpAccessTokenRefreshError: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.

I have poked around versions a bit and the last version that works and doesn’t break is 1.30.3001.35. Any version after that breaks Google SSO.

The service account used for this hasn’t been changed. I see in Google Workspace logs that the authentication was successful but the application crashes after receiving the response from Google.

Any ideas on how to proceed?

Thank you!

The scope https://www.googleapis.com/auth/admin.directory.user.readonly has always been included in the documentation. It wasn’t used until a recent update; if the scope is missing, it will need to be added.

Thank you for your answer @zach. I can confirm that both scopes listed in the documentation are in place. I am using the same service account for another Pritunl setup, and that one is working just fine with the latest version of Pritunl.

@zach I just performed an upgrade of the same system to the latest version, but the error is still there. I can confirm that all the necessary scopes are in place, as I have a slightly older installation on another server that needs those privileges too, and that one runs just fine.

I also have this same issue/error message.

I’m currently running the free trial, but this feature is one of the selling points for replacing our existing service.

All permissions are granted as per the documentation.

It’s possible other options were configured incorrectly; there’s no known issue with Google single sign-on. A tutorial is available in the Google single sign-on documentation.

The only difference I can find is in the "Click Show domain-wide delegation then select Enable Google Workspace Domain-wide Delegation. Set the Product name to Pritunl then click Save." section: there is no option to Enable Google Workspace Domain-wide Delegation. However, I can go into the Google Workspace API Controls and enable Domain-wide Delegation there.

This does work with other tools that use Domain-Wide Delegation, such as the GYB and GAM projects.

So I have managed to get it working; all good now.

The error was because I’d used a mailing list as the contact user, which didn’t have admin rights to administer the workspace account.
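As an added preflight script (not Pritunl's own code, nor anything posted in this thread) that checks the two things this thread ended up diagnosing: that every scope the app requests is on the service account's delegation list, and that the impersonated subject is an individual admin user rather than a group or mailing list. It assumes the second delegated scope is admin.directory.group.readonly, that google-auth and google-api-python-client are installed for the live check, and that the Directory API's isAdmin/isDelegatedAdmin fields identify admin users.

```python
import re

# Assumed: the two scopes Pritunl's Google SSO documentation asks you to delegate.
PRITUNL_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
)

# Checks worth doing for the OAuth error code Google returns on a bad delegation setup
# (the unauthorized_client text in the traceback above).
HINTS = {
    "unauthorized_client": [
        "enable domain-wide delegation for this service account's client_id under "
        "Admin console > Security > API controls",
        "put every scope the app requests on that client_id's delegation list",
        "impersonate an individual admin user, not a group or mailing list address",
    ],
}

def missing_delegated_scopes(requested, delegated):
    """Scopes the app will request that the Admin console entry does not grant."""
    return sorted(set(requested) - set(delegated))

def diagnose(error_text):
    """Map a google-auth / oauth2client refresh error string to the checks worth doing."""
    m = re.search(r"\b(unauthorized_client|invalid_grant|invalid_scope|access_denied)\b", error_text)
    code = m.group(1) if m else None
    return {"code": code, "hints": HINTS.get(code, ["unrecognised error; inspect the raw response"])}

def check_delegation(sa_json_path, admin_email):
    """Live preflight: mint a delegated token as admin_email and confirm that user is an admin.
    Imports are local so the offline helpers above work without the Google libraries."""
    from google.oauth2 import service_account
    from google.auth.exceptions import RefreshError
    from googleapiclient.discovery import build
    from googleapiclient.errors import HttpError

    creds = service_account.Credentials.from_service_account_file(
        sa_json_path, scopes=list(PRITUNL_SCOPES)).with_subject(admin_email)
    try:
        svc = build("admin", "directory_v1", credentials=creds, cache_discovery=False)
        user = svc.users().get(userKey=admin_email).execute()
    except RefreshError as exc:  # token exchange rejected: delegation or scope problem
        return {"ok": False, **diagnose(str(exc))}
    except HttpError as exc:  # a 404 here usually means the subject is not a user account
        return {"ok": False, "code": exc.resp.status, "hints": ["subject is not a user account"]}
    if not (user.get("isAdmin") or user.get("isDelegatedAdmin")):
        return {"ok": False, "code": None, "hints": ["subject exists but lacks admin rights"]}
    return {"ok": True, "code": None, "hints": []}
```

Run check_delegation() with the service account JSON and the admin address configured in Pritunl; a failing result names which of the three settings to revisit.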