
OpenID Google Setup

I've tried to set up Google OpenID. I've done the steps as I understand them, but I still get an "Invalid Username or password" error when logging in via Google.

1. I added an Elastic IP to the Matillion EC2 instance so it will always have the same DNS name of ec2-99-99-99-99.us-west-2.compute.amazonaws.com

2. I set up the Client ID and Secret in Google and used an Authorized Redirect URI of https://ec2-99-99-99-99.us-west-2.compute.amazonaws.com/j_security_check

3. I then set up Matillion OpenID to use Google and have the Client ID and Secret

4. I restarted the EC2 instance.

5. I can then hit the server at https://ec2-99-99-99-99.us-west-2.compute.amazonaws.com/

* This brings up SSL certification issues (no cert) - I can add the exception.
* I logged in as my old user and added a user with my email as a user and blahblahblah as the password and logged out - I should now be able to log in via Google.

* I click the button to Sign in with Google.
* This goes through my authentication for my Google user (email and password).
* This redirects back to the application with a red "Invalid username or password"

I'm not sure if this is due to the fact that I have two google profiles - I'm choosing / logging in with the one that matches the User in User Configuration. But again - can't get in.

I'm not seeing anything in catalina.out that would help me understand what is going on.

10 Community Answers

Matillion Agent  

David Lipowitz —

Hi Brian,

I understand you’ve been in touch with my colleagues on this topic. Were you able to get the issue resolved or did you still need more support on this?

Best Regards,
Dave


Brian Repko —

Hi Dave,

This is still an open issue that we are working on with Craig R. Not sure what the issue might be but am wondering if it has to do with our AWS instance not being accessible from the internet.

-brian


Matillion Agent  

Laura Malins —

Hi Brian

Apologies, I know Craig has been out of the office a fair bit this week.

Does your instance have access to the OpenID provider, say via VPN? If not, I think we’ve found the issue.

Thanks
Laura


Brian Repko —

Hi Laura,

Yep - Craig asked me to do the following

nc -vz www.googleapis.com 443

on the Matillion server and that does work.

Basically the machine has full access out but can only be accessed by our network (it's like a backend database).

I wanted to verify our G Suite OAuth setup and did the following:

Google OAuth 2.0 Playground
https://developers.google.com/oauthplayground/

Step 1a. Enter "openid email" as the scope - click [Authorize APIs]
Step 1b. Sign in
Step 2. click [Exchange authorization code for tokens]
Step 3. enter a request URI of https://www.googleapis.com/oauth2/v2/userinfo
(or choose Google OAuth2 API v2 / Get Userinfo from [List possible operations])
click [Send the Request]

You should get the following JSON

{
"picture": "https://lh5.googleusercontent.com/-GXhEujuJbtE/AAAAAAAAAAI/AAAAAAAAABw/wgZgEc6Ljio/photo.jpg",
"verified_email": true,
"id": "112752174285476855943",
"hd": "carrothealth.com",
"email": "brian@carrothealth.com"
}

and then Matillion can verify the user email as the login.

My guess is that the initial redirect is fine. But then the server tries to exchange the code for a token and that is when it fails. I'm not sure if that is because we have G Suite endpoints or not.

Hitting the discovery API with our client_id returns the following JSON configuration

{
"issuer": "https://accounts.google.com",
"authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
"token_endpoint": "https://oauth2.googleapis.com/token",
"userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
"revocation_endpoint": "https://oauth2.googleapis.com/revoke",
"jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
"response_types_supported": [
"code",
"token",
"id_token",
"code token",
"code id_token",
"token id_token",
"code token id_token",
"none"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"scopes_supported": [
"openid",
"email",
"profile"
],
"token_endpoint_auth_methods_supported": [
"client_secret_post",
"client_secret_basic"
],
"claims_supported": [
"aud",
"email",
"email_verified",
"exp",
"family_name",
"given_name",
"iat",
"iss",
"locale",
"name",
"picture",
"sub"
],
"code_challenge_methods_supported": [
"plain",
"S256"
]
}

Is there a way to turn on debug logging on the server so that I can see where the server access is happening or might be failing? Is that a Spring Security logger?
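Added example (not Matillion's code and not from anyone in this thread): a small Python probe that replays the relying-party steps the server performs after the browser redirect (discovery, code-for-token exchange, userinfo), so the guess above that the token exchange is the failing step can be checked from the Matillion host itself without server debug logging. It assumes the caller supplies the client ID, secret, registered redirect URI and a fresh authorization code; the `http` parameter is a hypothetical hook so the transport can be swapped for a fake.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Hypothetical diagnostic (not part of Matillion): replays the steps a relying party takes
# after the browser redirect (discovery, code-for-token, userinfo) and reports the first one
# that fails, so a "token exchange is what's failing" guess can be confirmed from the server.
GOOGLE_DISCOVERY = "https://accounts.google.com/.well-known/openid-configuration"


def http_json(url, data=None, headers=None, timeout=10):
    """Default transport: GET (or POST form data) and decode the JSON body."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def probe_oidc(client_id, client_secret, redirect_uri, code, http=http_json,
               discovery_url=GOOGLE_DISCOVERY):
    """Return [(step, 'ok'|'fail', detail), ...], stopping at the first failing step."""
    report = []
    try:  # 1. discovery: DNS, proxy and egress problems surface here
        disc = http(discovery_url)
        report.append(("discovery", "ok", disc["token_endpoint"]))
    except Exception as exc:
        return report + [("discovery", "fail", repr(exc))]
    # 2. code exchange; redirect_uri must match the registered one byte for byte
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "client_id": client_id, "client_secret": client_secret,
                      "redirect_uri": redirect_uri}).encode()
    try:
        tokens = http(disc["token_endpoint"], data=body)
        report.append(("token", "ok", sorted(tokens)))
    except urllib.error.HTTPError as exc:  # Google answers 4xx with a JSON error body
        return report + [("token", "fail", exc.read().decode(errors="replace"))]
    except Exception as exc:
        return report + [("token", "fail", repr(exc))]
    try:  # 3. userinfo with the bearer token; this is the email the RP matches on
        info = http(disc["userinfo_endpoint"],
                    headers={"Authorization": "Bearer " + tokens["access_token"]})
        verified = info.get("email_verified", info.get("verified_email"))
        status = "ok" if verified else "fail"
        report.append(("userinfo", status, {"email": info.get("email"), "hd": info.get("hd")}))
    except Exception as exc:
        report.append(("userinfo", "fail", repr(exc)))
    return report
```

Run `probe_oidc(client_id, client_secret, "https://<host>/j_security_check", code)` on the Matillion host with a code copied from the playground redirect; the first "fail" entry names the step and carries the provider's error body (for example a redirect_uri mismatch) rather than a generic login failure.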


Matillion Agent  

Craig Rouse —

Brian,
Would you be available today at 10am MST for a quick call?
Please respond to my matillion.com email address and I’ll get it set up.
Thanks,
Craig


Brian Repko —

Not sure why this got closed - was this fixed in an update? should I try this again?


Matillion Agent  

Dan D'Orazio —

Hi Brian -

Apologies for that. Would you be available for a quick 30 minute call today between 2:00 PM – 5:00 PM MST? If that window doesn’t work, please feel free to suggest some additional times and we’ll do our best to accommodate you.

One thing to try in the meantime. Can you try to log in from an Incognito Window in Chrome? It’s a long shot, but it’s possible that an existing cookie is gumming up the works.

Best -
Dan


Matillion Agent  

Craig Rouse —

Brian,
Just got off a call with a customer on OpenID not working. Similar to your issue in that everything appears set up correctly, but just doesn’t work.
The culprit was that they installed Dynatrace on their Matillion server and it was interrupting the authentication communication between the OpenID provider and Matillion.
Are there by chance any agents installed on your Matillion instance that could be interfering with the OpenID traffic?
-Craig


Brian Repko —

We installed AlertLogic but I think that that was after.

I've done a yum install of

* environment-modules
* lftp
* git
* clamav
* jq
* gpg

as modules, I've installed

* s3cmd v2.0.2
* snowsql
* carrothealth-script-library-1.0.0

and then AlertLogic


Matillion Agent  

Craig Rouse —

Hi Brian,

I’m not familiar with that product, but is it possible to temporarily disable it, or check if it’s interfering with authentication communication in some way?

Thanks,
Craig
