Got Authorization Error when trying to integrate Google Analytics to Metabase

rexwangcc · March 5, 2022, 3:24am

Hi! Thank you so much for your time in advance.

I ran into this error when trying to integrate our Google Analytics to our self-hosted Metabase instance, and I have made sure the following is TRUE:

The metabase metabase/metabase:v0.42.2 is deployed via container to our on-prem Kubernetes cluster, it can be accessed through our edge router / reverse proxy Traefik, at http://xxxxx.yyyyy.com
I have enabled Google Analytics API on GCP, and made sure to create a Client ID for Desktop under the same Google Cloud Project.
I got the Client ID and Client secret from this credentials, and use them in the Metabase page.
I grabbed the Google Analytics Account ID from the Google Analytics page.

When I click the "Click here to get an auth code." it pops up a page with Authorization Error on it, the details show:

If you’re the app developer, make sure that these request details comply with Google policies.
redirect_uri: urn:ietf:wg:oauth:2.0:oob

When I tried to "hack" the link behind the "Click here to get an auth code.", specifically, change the redirect_uri from urn:ietf:wg:oauth:2.0:oob to http://localhost, the popped up page lets me do the OAuth and grant access to the OAuth client, and gives me an access code 4/0AXXXXXX in the address bar, but it cannot be used in Metabase as it returns:

400 Bad Request POST https://oauth2.googleapis.com/token { "error" : "invalid_grant", "error_description" : "Bad Request" }

Am I missing anything here? Thanks!

{
  "browser-info": {
    "language": "en-US",
    "platform": "MacIntel",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36",
    "vendor": "Google Inc."
  },
  "system-info": {
    "file.encoding": "UTF-8",
    "java.runtime.name": "OpenJDK Runtime Environment",
    "java.runtime.version": "11.0.14.1+1",
    "java.vendor": "Eclipse Adoptium",
    "java.vendor.url": "https://adoptium.net/",
    "java.version": "11.0.14.1",
    "java.vm.name": "OpenJDK 64-Bit Server VM",
    "java.vm.version": "11.0.14.1+1",
    "os.name": "Linux",
    "os.version": "5.13.0-27-generic",
    "user.language": "en",
    "user.timezone": "GMT"
  },
  "metabase-info": {
    "databases": [
      "h2"
    ],
    "hosting-env": "unknown",
    "application-database": "postgres",
    "application-database-details": {
      "database": {
        "name": "PostgreSQL",
        "version": "14.1 (Debian 14.1-1.pgdg110+1)"
      },
      "jdbc-driver": {
        "name": "PostgreSQL JDBC Driver",
        "version": "42.2.23"
      }
    },
    "run-mode": "prod",
    "version": {
      "date": "2022-02-28",
      "tag": "v0.42.2",
      "branch": "release-x.42.x",
      "hash": "d6ff494"
    },
    "settings": {
      "report-timezone": null
    }
  }
}

flamber · March 5, 2022, 8:31am

Hi @rexwangcc
Google Analytics, as well as many other services, requires the use of https, so enable encryption on your Traefik with Letsencrypt or similar, and remember to update the Site URL in Admin > Settings > General.

rexwangcc · March 5, 2022, 2:58pm

Ah, that makes a lot of sense, thanks!! Will take a look asap!!

rexwangcc · March 7, 2022, 3:16pm

Unfortunately, TLS didn't help. I have switched to HTTPS by spinning up a Metabase container with GKE, the HTTPS is provisioned by Google Managed Certs, and I also updated the Site URL in Admin > Settings > General, trying the auth code now and it gave the same error:

Any ideas? It still looks like something weird has happened during the OAuth flow... But looking through the code base, the only place that used (def ^:private ^:const ^String redirect-uri "urn:ietf:wg:oauth:2.0:oob") was in the same namespace metabase.driver.google, by defn- fetch-access-and-refresh-tokens* which looks just right to me...

flamber · March 7, 2022, 4:10pm

@rexwangcc It wouldn't be the first time that Google makes changes without warning, or even does A/B testing, so you might see an error, but if I try to reproduce, then it works for me.

Try connecting Google Analytics via BigQuery.

rexwangcc · March 7, 2022, 4:22pm

So it seems there's an interesting announcement here: https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html#dates-oob

Reading through it seems like Google is making some significant changes to OOB flow which affects how Metabase authenticates with GA now Not sure if there's a way to use Serv ice Accounts to Metabase for accessing Google services?

flamber · March 7, 2022, 4:37pm

@rexwangcc I have many words, interesting is not one of them right now.

Thank you very much: https://github.com/metabase/metabase/issues/20876 - upvote by clicking