Metabase Google SSO Broken - Bad Request

jconant · November 18, 2020, 11:12pm

As of a today (possibly yesterday, 11/17/2020) we are no longer able to authenticate with our self-hosted Metabase instance via Google SSO. We’ve never had any problems in the past, but all of a sudden it fails now for all users. I have tried downgrading from 0.37.2 to 0.37.0.2 to see if it was possibly something tweaked recently. It does not appear to be the case, however, as the logins fail with the same error messages. I am not familiar with the output of clojure errors, so apologies if the problem / solution are obvious.

Additionally, if there is further information that would be helpful I am happy to grab that.

Here is a copy of the Metabase logs when a login is attempted (I had to remove some of the duplicated errors in the middle because of size-constraints on this post:

2020-11-18 23:01:08,158 ERROR middleware.log :: POST /api/session/google_auth 500 65.2 ms (0 DB calls)
{:object
 {:cached nil,
  :request-time 63,
  :repeatable? false,
  :protocol-version {:name "HTTP", :major 1, :minor 1},
  :streaming? true,
  :http-client #object[org.apache.http.impl.client.InternalHttpClient 0x26ea80f4 "org.apache.http.impl.client.InternalHttpClient@26ea80f4"],
  :chunked? true,
  :type :clj-http.client/unexceptional-status,
  :reason-phrase "Bad Request",
  :headers
  
  # EDIT -- same errors as below, removed because of post-size constraints
  
  },
 :trace
 [[slingshot.support$stack_trace invoke "support.clj" 199]
  [clj_http.client$exceptions_response invokeStatic "client.clj" 243]
  [clj_http.client$exceptions_response invoke "client.clj" 234]
  [clj_http.client$wrap_exceptions$fn__23456 invoke "client.clj" 252]
  [clj_http.client$wrap_accept$fn__23667 invoke "client.clj" 729]
  [clj_http.client$wrap_accept_encoding$fn__23674 invoke "client.clj" 751]
  [clj_http.client$wrap_content_type$fn__23661 invoke "client.clj" 712]
  [clj_http.client$wrap_form_params$fn__23760 invoke "client.clj" 953]
  [clj_http.client$wrap_nested_params$fn__23781 invoke "client.clj" 987]
  [clj_http.client$wrap_flatten_nested_params$fn__23790 invoke "client.clj" 1011]
  [clj_http.client$wrap_method$fn__23728 invoke "client.clj" 887]
  [clj_http.cookies$wrap_cookies$fn__22859 invoke "cookies.clj" 131]
  [clj_http.links$wrap_links$fn__23283 invoke "links.clj" 63]
  [clj_http.client$wrap_unknown_host$fn__23798 invoke "client.clj" 1040]
  [clj_http.client$request_STAR_ invokeStatic "client.clj" 1168]
  [clj_http.client$request_STAR_ invoke "client.clj" 1161]
  [clj_http.client$post invokeStatic "client.clj" 1186]
  [clj_http.client$post doInvoke "client.clj" 1182]
  [clojure.lang.RestFn invoke "RestFn.java" 410]
  [metabase.api.session$do_google_auth invokeStatic "session.clj" 333]
  [metabase.api.session$do_google_auth invoke "session.clj" 330]
  [metabase.api.session$fn__71076 invokeStatic "session.clj" 354]
  [metabase.api.session$fn__71076 invoke "session.clj" 346]
  [compojure.core$wrap_response$fn__1993 invoke "core.clj" 160]
  [compojure.core$wrap_route_middleware$fn__1977 invoke "core.clj" 132]
  [compojure.core$wrap_route_info$fn__1982 invoke "core.clj" 139]
  [compojure.core$wrap_route_matches$fn__1986 invoke "core.clj" 151]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$wrap_route_matches$fn__1986 invoke "core.clj" 153]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$wrap_route_matches$fn__1986 invoke "core.clj" 152]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$wrap_route_matches$fn__1986 invoke "core.clj" 153]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$wrap_route_matches$fn__1986 invoke "core.clj" 152]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$wrap_route_matches$fn__1986 invoke "core.clj" 153]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$wrap_route_matches$fn__1986 invoke "core.clj" 152]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005 invoke "core.clj" 200]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005 invoke "core.clj" 200]
  [compojure.core$make_context$handler__2033 invoke "core.clj" 287]
  [compojure.core$make_context$fn__2035 invoke "core.clj" 296]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$make_context$fn__2035 invoke "core.clj" 297]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$make_context$fn__2035 invoke "core.clj" 297]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$make_context$fn__2035 invoke "core.clj" 297]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$make_context$fn__2035 invoke "core.clj" 297]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$make_context$fn__2035 invoke "core.clj" 297]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$make_context$fn__2035 invoke "core.clj" 297]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$make_context$fn__2035 invoke "core.clj" 297]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$make_context$fn__2035 invoke "core.clj" 297]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$make_context$fn__2035 invoke "core.clj" 297]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$make_context$fn__2035 invoke "core.clj" 297]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$make_context$fn__2035 invoke "core.clj" 297]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$make_context$fn__2035 invoke "core.clj" 297]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$make_context$fn__2035 invoke "core.clj" 297]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$make_context$fn__2035 invoke "core.clj" 297]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$make_context$fn__2035 invoke "core.clj" 297]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$make_context$fn__2035 invoke "core.clj" 297]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$make_context$fn__2035 invoke "core.clj" 297]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$make_context$fn__2035 invoke "core.clj" 297]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$make_context$fn__2035 invoke "core.clj" 297]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$make_context$fn__2035 invoke "core.clj" 297]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$make_context$fn__2035 invoke "core.clj" 297]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$make_context$fn__2035 invoke "core.clj" 297]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$make_context$fn__2035 invoke "core.clj" 297]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$make_context$fn__2035 invoke "core.clj" 297]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [metabase.api.routes$fn__72978$fn__72980 invoke "routes.clj" 73]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005 invoke "core.clj" 200]
  [clojure.lang.AFn applyToHelper "AFn.java" 160]
  [clojure.lang.AFn applyTo "AFn.java" 144]
  [clojure.core$apply invokeStatic "core.clj" 665]
  [clojure.core$apply invoke "core.clj" 660]
  [metabase.routes$fn__74306$fn__74307 doInvoke "routes.clj" 60]
  [clojure.lang.RestFn invoke "RestFn.java" 436]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005 invoke "core.clj" 200]
  [compojure.core$make_context$handler__2033 invoke "core.clj" 287]
  [compojure.core$make_context$fn__2035 invoke "core.clj" 296]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$wrap_route_matches$fn__1986 invoke "core.clj" 153]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$wrap_route_matches$fn__1986 invoke "core.clj" 153]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [compojure.core$wrap_route_matches$fn__1986 invoke "core.clj" 153]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005$f__2006$respond_SINGLEQUOTE___2007 invoke "core.clj" 197]
  [metabase.routes$fn__74294$fn__74296 invoke "routes.clj" 44]
  [compojure.core$routes$fn__2005$f__2006 invoke "core.clj" 198]
  [compojure.core$routes$fn__2005 invoke "core.clj" 200]
  [metabase.middleware.exceptions$catch_uncaught_exceptions$fn__72969 invoke "exceptions.clj" 96]
  [metabase.middleware.exceptions$catch_api_exceptions$fn__72966 invoke "exceptions.clj" 84]
  [metabase.middleware.log$log_api_call$fn__74754$fn__74755 invoke "log.clj" 197]
  [toucan.db$_do_with_call_counting invokeStatic "db.clj" 216]
  [toucan.db$_do_with_call_counting invoke "db.clj" 209]
  [metabase.middleware.log$log_api_call$fn__74754 invoke "log.clj" 191]
  [metabase.middleware.security$add_security_headers$fn__72932 invoke "security.clj" 143]
  [metabase.middleware.json$wrap_json_body$fn__74457 invoke "json.clj" 64]
  [metabase.middleware.json$wrap_streamed_json_response$fn__74475 invoke "json.clj" 100]
  [ring.middleware.keyword_params$wrap_keyword_params$fn__75020 invoke "keyword_params.clj" 55]
  [ring.middleware.params$wrap_params$fn__75036 invoke "params.clj" 69]
  [metabase.middleware.misc$maybe_set_site_url$fn__37860 invoke "misc.clj" 59]
  [metabase.middleware.session$bind_current_user$fn__69411$fn__69412 invoke "session.clj" 278]
  [metabase.middleware.session$do_with_current_user invokeStatic "session.clj" 260]
  [metabase.middleware.session$do_with_current_user invoke "session.clj" 252]
  [metabase.middleware.session$bind_current_user$fn__69411 invoke "session.clj" 277]
  [metabase.middleware.session$wrap_current_user_info$fn__69398 invoke "session.clj" 238]
  [metabase.middleware.session$wrap_session_id$fn__69384 invoke "session.clj" 184]
  [metabase.middleware.auth$wrap_api_key$fn__72865 invoke "auth.clj" 27]
  [ring.middleware.cookies$wrap_cookies$fn__74940 invoke "cookies.clj" 216]
  [metabase.middleware.misc$add_content_type$fn__37845 invoke "misc.clj" 28]
  [metabase.middleware.misc$disable_streaming_buffering$fn__37868 invoke "misc.clj" 76]
  [ring.middleware.gzip$wrap_gzip$fn__74982 invoke "gzip.clj" 86]
  [metabase.middleware.misc$bind_request$fn__37871 invoke "misc.clj" 93]
  [metabase.middleware.ssl$redirect_to_https_middleware$fn__74771 invoke "ssl.clj" 39]
  [metabase.server$async_proxy_handler$fn__74532 invoke "server.clj" 72]
  [metabase.server.proxy$org.eclipse.jetty.server.handler.AbstractHandler$ff19274a handle nil -1]
  [org.eclipse.jetty.server.handler.HandlerWrapper handle "HandlerWrapper.java" 127]
  [org.eclipse.jetty.server.Server handle "Server.java" 516]
  [org.eclipse.jetty.server.HttpChannel lambda$handle$1 "HttpChannel.java" 383]
  [org.eclipse.jetty.server.HttpChannel dispatch "HttpChannel.java" 556]
  [org.eclipse.jetty.server.HttpChannel handle "HttpChannel.java" 375]
  [org.eclipse.jetty.server.HttpConnection onFillable "HttpConnection.java" 273]
  [org.eclipse.jetty.io.AbstractConnection$ReadCallback succeeded "AbstractConnection.java" 311]
  [org.eclipse.jetty.io.FillInterest fillable "FillInterest.java" 105]
  [org.eclipse.jetty.io.ChannelEndPoint$1 run "ChannelEndPoint.java" 104]
  [org.eclipse.jetty.util.thread.strategy.EatWhatYouKill runTask "EatWhatYouKill.java" 336]
  [org.eclipse.jetty.util.thread.strategy.EatWhatYouKill doProduce "EatWhatYouKill.java" 313]
  [org.eclipse.jetty.util.thread.strategy.EatWhatYouKill tryProduce "EatWhatYouKill.java" 171]
  [org.eclipse.jetty.util.thread.strategy.EatWhatYouKill run "EatWhatYouKill.java" 129]
  [org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread run "ReservedThreadExecutor.java" 375]
  [org.eclipse.jetty.util.thread.QueuedThreadPool runJob "QueuedThreadPool.java" 773]
  [org.eclipse.jetty.util.thread.QueuedThreadPool$Runner run "QueuedThreadPool.java" 905]
  [java.lang.Thread run nil -1]],
 :cause "clj-http: status 400",
 :data
 {:object
  {:cached nil,
   :request-time 63,
   :repeatable? false,
   :protocol-version {:name "HTTP", :major 1, :minor 1},
   :streaming? true,
   :http-client #object[org.apache.http.impl.client.InternalHttpClient 0x26ea80f4 "org.apache.http.impl.client.InternalHttpClient@26ea80f4"],
   :chunked? true,
   :type :clj-http.client/unexceptional-status,
   :reason-phrase "Bad Request",
   :headers
   {"Server" "ESF",
    "Content-Type" "application/json; charset=UTF-8",
    "X-Content-Type-Options" "nosniff",
    "Alt-Svc" "h3-Q050=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000,h3-T051=\":443\"; ma=2592000,h3-Q046=\":443\"; ma=2592000,h3-Q043=\":443\"; ma=2592000,quic=\":443\"; ma=2592000; v=\"46,43\"",
    "X-Frame-Options" "SAMEORIGIN",
    "Connection" "close",
    "Pragma" "no-cache",
    "Transfer-Encoding" "chunked",
    "Expires" "Mon, 01 Jan 1990 00:00:00 GMT",
    "Date" "Wed, 18 Nov 2020 23:01:07 GMT",
    "Vary" ["Origin" "X-Origin" "Referer"],
    "X-XSS-Protection" "0",
    "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate"},
   :orig-content-encoding "gzip",
   :status 400,
   :length -1,
   :body "{\n  \"error_description\": \"Invalid Value\"\n}\n",
   :trace-redirects []},
  :environment
  {req {:url "https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=null", :request-method :post, :flatten-nested-keys (:query-params)},
   p__23451
   {:cached nil,
    :request-time 63,
    :repeatable? false,
    :protocol-version {:name "HTTP", :major 1, :minor 1},
    :streaming? true,
    :http-client #object[org.apache.http.impl.client.InternalHttpClient 0x26ea80f4 "org.apache.http.impl.client.InternalHttpClient@26ea80f4"],
    :chunked? true,
    :reason-phrase "Bad Request",
    :headers
    {"Server" "ESF",
     "Content-Type" "application/json; charset=UTF-8",
     "X-Content-Type-Options" "nosniff",
     "Alt-Svc" "h3-Q050=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000,h3-T051=\":443\"; ma=2592000,h3-Q046=\":443\"; ma=2592000,h3-Q043=\":443\"; ma=2592000,quic=\":443\"; ma=2592000; v=\"46,43\"",
     "X-Frame-Options" "SAMEORIGIN",
     "Connection" "close",
     "Pragma" "no-cache",
     "Transfer-Encoding" "chunked",
     "Expires" "Mon, 01 Jan 1990 00:00:00 GMT",
     "Date" "Wed, 18 Nov 2020 23:01:07 GMT",
     "Vary" ["Origin" "X-Origin" "Referer"],
     "X-XSS-Protection" "0",
     "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate"},
    :orig-content-encoding "gzip",
    :status 400,
    :length -1,
    :body "{\n  \"error_description\": \"Invalid Value\"\n}\n",
    :trace-redirects []},
   map__23452
   {:cached nil,
    :request-time 63,
    :repeatable? false,
    :protocol-version {:name "HTTP", :major 1, :minor 1},
    :streaming? true,
    :http-client #object[org.apache.http.impl.client.InternalHttpClient 0x26ea80f4 "org.apache.http.impl.client.InternalHttpClient@26ea80f4"],
    :chunked? true,
    :reason-phrase "Bad Request",
    :headers
    {"Server" "ESF",
     "Content-Type" "application/json; charset=UTF-8",
     "X-Content-Type-Options" "nosniff",
     "Alt-Svc" "h3-Q050=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000,h3-T051=\":443\"; ma=2592000,h3-Q046=\":443\"; ma=2592000,h3-Q043=\":443\"; ma=2592000,quic=\":443\"; ma=2592000; v=\"46,43\"",
     "X-Frame-Options" "SAMEORIGIN",
     "Connection" "close",
     "Pragma" "no-cache",
     "Transfer-Encoding" "chunked",
     "Expires" "Mon, 01 Jan 1990 00:00:00 GMT",
     "Date" "Wed, 18 Nov 2020 23:01:07 GMT",
     "Vary" ["Origin" "X-Origin" "Referer"],
     "X-XSS-Protection" "0",
     "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate"},
    :orig-content-encoding "gzip",
    :status 400,
    :length -1,
    :body "{\n  \"error_description\": \"Invalid Value\"\n}\n",
    :trace-redirects []},
   resp
   {:cached nil,
    :request-time 63,
    :repeatable? false,
    :protocol-version {:name "HTTP", :major 1, :minor 1},
    :streaming? true,
    :http-client #object[org.apache.http.impl.client.InternalHttpClient 0x26ea80f4 "org.apache.http.impl.client.InternalHttpClient@26ea80f4"],
    :chunked? true,
    :reason-phrase "Bad Request",
    :headers
    {"Server" "ESF",
     "Content-Type" "application/json; charset=UTF-8",
     "X-Content-Type-Options" "nosniff",
     "Alt-Svc" "h3-Q050=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000,h3-T051=\":443\"; ma=2592000,h3-Q046=\":443\"; ma=2592000,h3-Q043=\":443\"; ma=2592000,quic=\":443\"; ma=2592000; v=\"46,43\"",
     "X-Frame-Options" "SAMEORIGIN",
     "Connection" "close",
     "Pragma" "no-cache",
     "Transfer-Encoding" "chunked",
     "Expires" "Mon, 01 Jan 1990 00:00:00 GMT",
     "Date" "Wed, 18 Nov 2020 23:01:07 GMT",
     "Vary" ["Origin" "X-Origin" "Referer"],
     "X-XSS-Protection" "0",
     "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate"},
    :orig-content-encoding "gzip",
    :status 400,
    :length -1,
    :body "{\n  \"error_description\": \"Invalid Value\"\n}\n",
    :trace-redirects []},
   status 400,
   data
   {:cached nil,
    :request-time 63,
    :repeatable? false,
    :protocol-version {:name "HTTP", :major 1, :minor 1},
    :streaming? true,
    :http-client #object[org.apache.http.impl.client.InternalHttpClient 0x26ea80f4 "org.apache.http.impl.client.InternalHttpClient@26ea80f4"],
    :chunked? true,
    :type :clj-http.client/unexceptional-status,
    :reason-phrase "Bad Request",
    :headers
    {"Server" "ESF",
     "Content-Type" "application/json; charset=UTF-8",
     "X-Content-Type-Options" "nosniff",
     "Alt-Svc" "h3-Q050=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000,h3-T051=\":443\"; ma=2592000,h3-Q046=\":443\"; ma=2592000,h3-Q043=\":443\"; ma=2592000,quic=\":443\"; ma=2592000; v=\"46,43\"",
     "X-Frame-Options" "SAMEORIGIN",
     "Connection" "close",
     "Pragma" "no-cache",
     "Transfer-Encoding" "chunked",
     "Expires" "Mon, 01 Jan 1990 00:00:00 GMT",
     "Date" "Wed, 18 Nov 2020 23:01:07 GMT",
     "Vary" ["Origin" "X-Origin" "Referer"],
     "X-XSS-Protection" "0",
     "Cache-Control" "no-cache, no-store, max-age=0, must-revalidate"},
    :orig-content-encoding "gzip",
    :status 400,
    :length -1,
    :body "{\n  \"error_description\": \"Invalid Value\"\n}\n",
    :trace-redirects []}}},
 :message "clj-http: status 400",
 :type clojure.lang.ExceptionInfo}

2020-11-18 23:01:13,432 DEBUG middleware.log :: GET /api/user/current 401 271.6 µs (0 DB calls)
"Unauthenticated"

flamber · November 19, 2020, 9:27am

Hi @jconant
My first guess is that someone perhaps deleted the project with the Client ID from your Google Console.
Or perhaps it was connected to a Google user, which has been deleted?
Make sure that the ID configured in Metabase > Admin > Authentication > Google Sign-in is valid and exists in your Google Console.

jconant · November 19, 2020, 1:54pm

Hi @flamber,

Thanks for the follow up. It’s possible that some user was deactivated without my knowledge that was involved in the setup, I’m not sure just yet.

One thing that is unclear to me is where the single sign-in key is supposed to be setup. The docs on Metabase instruct me to go to google cloud console, which doesn’t really make sense to me because we don’t manage our company gmail access through google cloud - we manage it through Google Workspace (formerly G-Suite). There is no link between our google cloud (for hosting purposes) account and our Google Workspace account which handles all of our normal auth, email, etc. Is there something I’m missing here?

flamber · November 19, 2020, 1:59pm

@jconant Google Sign-in is not the same as Gmail. And it’s managed through Google Console.
If you search Google’s own documentation, then you’ll see that’s exactly how it’s supposed to be used.
For reference: https://www.metabase.com/docs/latest/administration-guide/10-single-sign-on.html#enabling-google-sign-in

jconant · November 19, 2020, 3:13pm

Maybe I’m missing something conceptually here… but how does creating an application in Google Cloud have anything to do with a directory service of users I want to grant access to Metabase? Our Google Cloud account has no concept of our directory of users, so I’m not clear how setting up an integration between that account and Metabase would actually do anything.

jconant · November 19, 2020, 3:15pm

Maybe some further clarification would help.

We have a Google Cloud account that we use to host a few applications. These applications are not accessed via any “Google Sign On” functionality. They are just a couple of web-apps with their own authn/authz.

We also have our Google Workspace account that we use for all of our employees. Gmail, Drive, etc. We also use it as a directory service / IDP to sign-in to other vendor services we use, i.e. Datadog. We were using this to login to Metabase as well, but it seems something changed from under our feet and that’s what’s breaking now.

flamber · November 19, 2020, 3:21pm

@jconant I think you question is better directed at Google. If you can show me where in G-Suite/Workspace you can activate Google Sign-in, then please do.
Google Cloud is not the same as Google Developer Console, which is what Google Sign-in requires.