Single Sign-On Authentication & Google auth check error

fmalykh · April 30, 2025, 6:49am

Hey
We have Single Sign-On Authentication enabled. This morning there was a failure to connect with the following log error:

[winter-plains-2389][2025-04-30 05:59:53,420][ERROR] Google auth check error
Traceback (most recent call last):
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/user/user.py", line 404, in sso_auth_check
    valid, google_groups = sso.verify_google(self.email)
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/sso/google.py", line 43, in verify_google
    results = service.groups().list(userKey=user_email,
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/googleapiclient/_helpers.py", line 130, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/googleapiclient/http.py", line 938, in execute
    raise HttpError(resp, content, uri=self.uri)
googleapiclient.errors.HttpError: <HttpError 503 when requesting https://admin.googleapis.com/admin/directory/v1/groups?userKey=xxx%yyy&maxResults=200&alt=json returned "Service unavailable. Please try again". Details: "[{'message': 'Service unavailable. Please try again', 'domain': 'global', 'reason': 'backendError'}]">
  user_id   = "5f735575a3934ab0d4188060"
  user_name = "xxx@yyy"

Once disabled Single Single Sign-On Authentication , Pritunl client would require a PIN, but once entered the following error appeared:

[winter-plains-2389][2025-04-30 05:59:51,622][INFO] Authenticating user
  user_name = "xxx@yyy"
  factors   = ["google"]
[winter-plains-2389][2025-04-30 05:59:53,420][ERROR] Google auth check error
Traceback (most recent call last):
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/user/user.py", line 404, in sso_auth_check
    valid, google_groups = sso.verify_google(self.email)
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/sso/google.py", line 43, in verify_google
    results = service.groups().list(userKey=user_email,
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/googleapiclient/_helpers.py", line 130, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/lib/pritunl/usr/lib/python3.9/site-packages/googleapiclient/http.py", line 938, in execute
    raise HttpError(resp, content, uri=self.uri)
googleapiclient.errors.HttpError: <HttpError 503 when requesting https://admin.googleapis.com/admin/directory/v1/groups?userKey=xxx%40yyy&maxResults=200&alt=json returned "Service unavailable. Please try again". Details: "[{'message': 'Service unavailable. Please try again', 'domain': 'global', 'reason': 'backendError'}]">
  user_id   = "5f735575a3934ab0d4188060"
  user_name = "xxx@yyy"

Enabling Bypass Secondary Authentication for a user along with Single Sign-On Authentication allowed to connect (not something that can be done quickly for hundreds of users). Would this be a proper quick workaround for such a case?

zach · May 1, 2025, 6:08pm

This is likely an outage with the Google API in your region. That command can be used to disable that check if there are issues. It should be enabled once the service is available again.