Google SSO - not working, but no error

AccurateHamilton · August 31, 2020, 12:07pm

Hi, me again…

Upon successfully figuring out the certificates issue, I proceeded to next task, getting Google SSO configured. I followed the instructions here, and it seems to work in that the login screen now gives me a “Sign in with Google” button, and I can select my account.

But then nothing happens, it doesn’t redirect anywhere. I don’t see any errors in the console log where I launched MB, nor in the logs under “Troubleshooting”, nor in the web console during the login.

If I try to manually navigate to a URL, like “https:///auto/dashboard/table/8” (which works for the admin account), the web console shows a 401 unauthorized message, so I guess the authorization never happened.

Possibly related - I’ve tried adding the domain to the “Allow users to sign up on their own if their Google account email address is from:” box, but I’m not sure if it’s getting stored. Each time I click the “save changes” button, the box comes back empty and I’m not sure how to verify it was saved correctly. But there is no error in the logs, so I assume it worked

Any hints on how to track this down? Thanks very much for your help!

Diag info:

{
  "browser-info": {
    "language": "en-US",
    "platform": "Linux x86_64",
    "userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0",
    "vendor": ""
  },
  "system-info": {
    "file.encoding": "UTF-8",
    "java.runtime.name": "OpenJDK Runtime Environment",
    "java.runtime.version": "1.8.0_265-8u265-b01-0ubuntu2~18.04-b01",
    "java.vendor": "Private Build",
    "java.vendor.url": "http://java.oracle.com/",
    "java.version": "1.8.0_265",
    "java.vm.name": "OpenJDK 64-Bit Server VM",
    "java.vm.version": "25.265-b01",
    "os.name": "Linux",
    "os.version": "4.15.0-1039-aws",
    "user.language": "en",
    "user.timezone": "Etc/UTC"
  },
  "metabase-info": {
    "databases": [
      "h2",
      "bigquery"
    ],
    "hosting-env": "unknown",
    "application-database": "h2",
    "application-database-details": {
      "database": {
        "name": "H2",
        "version": "1.4.197 (2018-03-18)"
      },
      "jdbc-driver": {
        "name": "H2 JDBC Driver",
        "version": "1.4.197 (2018-03-18)"
      }
    },
    "run-mode": "prod",
    "version": {
      "tag": "v0.36.4",
      "date": "2020-08-17",
      "branch": "release-0.36.x",
      "hash": "196c1f6"
    },
    "settings": {
      "report-timezone": null
    }
  }
}

flamber · August 31, 2020, 3:23pm

Hi @AccurateHamilton
Check your browser developer console during login to see possible problems with the sign-in process.
Make sure that your Admin > Settings > Site URL is correct, as well as the protocol+domain you input on the Google Console.
There’s a known issue with the Admin > Settings > Authentication > Google page, where there might be a race-condition, which will be more problematic on some setups or with specific browsers.
https://github.com/metabase/metabase/issues/13137

AccurateHamilton · August 31, 2020, 6:00pm

Hi @flamber,

This seems to be because the “Allow users to sign up on their own” is not getting set correctly. Once I manually added my user I can log in with Google. Reading the race condition bug, it looks like there might be a workaround to manually connect to the DB & update those settings. Is there a utility for connecting to the internal DB? (This is a testing environment & I had planned to set up a real DB & migrate later. But it seems I might have to reprioritize?)

What is the expected behavior when a user tries to login with SSO but the “Allow users to sign up on their own” is not set? I would expect some kind of “Authorization failed” message, but nothing all happens. Is that a bug of its own?

There is nothing terribly informative in the browser console during login, just this warning & error (respectively):

A cookie associated with a cross-site resource at https://accounts.google.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.


POST https://<site:port>/api/session/google_auth 400 (Bad Request)

Thanks again

flamber · August 31, 2020, 6:07pm

@AccurateHamilton Like I said in one of the other topics you created - migrate away from H2:
https://www.metabase.com/docs/latest/operations-guide/migrating-from-h2.html
Otherwise search the interwebs for something that supports H2 - example https://dbeaver.io/

There was an issue fixed, and probably another one soon, in regards to more friendly errors:
https://github.com/metabase/metabase/issues/3245
https://github.com/metabase/metabase/issues/13068