Google SSO login Issues

After Configuring Google SSO for login, The google login is working in some cases and in other cases it gives error "The Window was closed before completing Google Authentication".

Diagnostic Info:
{
"browser-info": {
"language": "en-GB",
"platform": "MacIntel",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36",
"vendor": "Google Inc."
},
"system-info": {
"file.encoding": "UTF-8",
"java.runtime.name": "OpenJDK Runtime Environment",
"java.runtime.version": "11.0.10+9",
"java.vendor": "AdoptOpenJDK",
"java.vendor.url": "https://adoptopenjdk.net/",
"java.version": "11.0.10",
"java.vm.name": "OpenJDK 64-Bit Server VM",
"java.vm.version": "11.0.10+9",
"os.name": "Linux",
"os.version": "4.4.0-1122-aws",
"user.language": "en",
"user.timezone": "GMT"
},
"metabase-info": {
"databases": [
"mysql",
"postgres",
"athena",
"h2"
],
"hosting-env": "unknown",
"application-database": "h2",
"application-database-details": {
"database": {
"name": "H2",
"version": "1.4.197 (2018-03-18)"
},
"jdbc-driver": {
"name": "H2 JDBC Driver",
"version": "1.4.197 (2018-03-18)"
}
},
"run-mode": "prod",
"version": {
"date": "2021-02-16",
"tag": "v0.38.0",
"branch": "release-x.38.x",
"hash": "471aa51"
},
"settings": {
"report-timezone": null
}
}
}

Hi @Sahil
Make sure that third-party cookies isn’t blocked. Check the browser developer console.
This can be caused by adblockers too, so check the settings for those.

@flamber thanks, it worked in my case.

Is there any option to disable login via email and password after enabling google sso ?

Hi @Sahil
If the account is created automatically at login, then there won't be a password login available for that account.
Only the Enterprise Edition has an option to disable password logins.

Hi @flamber, could you explain why I should enable third party cookies to connect to Metabase with google ? I never enable third party cookies anywhere and never had any issue to log in anywhere, and if you ask me, third party cookies should never be enabled anywhere.

@metabas Because the login comes from a popup window, and Metabase is using SameSite=Lax, which browsers now are much more strict about.
We might move to a page-redirect instead of popup, but that is a lot of work too.

From my perspective, as a Metabase user, it's not so important why this is not working. I would like to see the experienced problem solved. I don't want to enable 3rd party cookies for I value my privacy. And I want to use Metabase. Whether SameSite=Lax should be used or it can be replaced with a different technique is outside of the scope of the reported problem from the users' perspective here, honestly.

Additionally, in our company, we've received complaints from employees using OSX, Linux, Windows, on several different browsers, latest versions, incognito windows, disabling all plugins, etc. Metabase is effectively unusable for ANYONE who hasn't gone through the "forgot my password" to fallback to email based login instead of SSO. Actually, no matter what the 3rd party cookies settings people have, it's just not working at all (it used to work for some up to 2-3 months ago).

Now, given that the situation is where it is, and it is not priority of Metabase to fix it - can you please instruct us how to disable SSO altogether? Right now, it would reduce the complaints and help our employees to use the email based login, but we've already set-up Google SSO, and in the administration tab for it, deleting the "Client ID" makes it impossible to save the changes.

OK, if was able to fix it by intercepting network traffic when saving the empty ClientID to see that the empty string was not accepted by the Metabase server side. Then I replayed the request changing the JSON of HTTP request body to set the client ID to be null instead of "" and resent the request.

curl 'https://analytics.my-company.com/api/setting' -X PUT -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_6) *****' -H 'Accept: application/json' -H 'Accept-Language: en-US' -H 'Accept-Encoding: gzip, deflate, br' -H 'Content-Type: application/json' -H 'Connection: keep-alive' -H 'Sec-Fetch-Dest: empty' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: same-origin' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' -H 'TE: trailers' --data-raw '{"google-auth-client-id":null,"google-auth-auto-create-accounts-domain":null}'

ofc, i redacted the sensitive headers

@flamber I've run into the same issue after signing up for a cloud trial. I agree the SSO is not really fit for purpose (on a paid plan) as echoing maricn's comments, users do not expect to have to jump through hoops to login with Google (it's meant to be easier!).

That said I'm fine with email auth....but I can't disable Google Sign In from my admin panel.

If I strip out my App ID I get this:

Invalid Google Sign-In Client ID: must end with ".apps.googleusercontent.com"

Can you please advise how Google SSO can be disabled in a cloud account, as I'm now stuck with something I can't present users as they'll attempt to login with Google. (Can't find anything in the docs)

@kdobson I've added instructions here on how to remove settings:
https://github.com/metabase/metabase/issues/20442


@maricn
There are many, many thousands of Metabase installations, and a lot with Google Sign-in enabled.
I have never heard of that problem, and I run all my browsers with highest privacy levels and I can still login to all my instances (without any cookie changes), so something tells me that it must be a different problem, but without exact details, then it will be impossible to reproduce or figure out how to solve.

Thank you - apologies I missed the CURL post in the thread; I've run the fetch in console and all good.