
OpenID Google Setup

I've tried to set up the Google OpenID setup. I've done the steps as I understand them but I still get an "Invalid Username or password" error when logging in via Google.

1. I added an Elastic IP to the Matillion EC2 instance so will always have the same DNS name of

2. I set up the Client ID and Secret in Google and used an Authorized Redirect URI of

3. I then set up Matillion OpenID to use Google and have the Client ID and Secret

4. I restarted the EC2 instance.

5. I can then hit the server at

* This brings up SSL certification issues (no cert) - I can add the exception.
* I logged in as my old user and added a user with my email as a user and blahblahblah as the password and logged out - I should now be able to log in via Google.

* I click the button to Signin with Google.
* This goes through my authentication for my Google user (email and password).
* This redirects back to the application with a red "Invalid username or password"

I'm not sure if this is due to the fact that I have two Google profiles - I'm choosing / logging in with the one that matches the User in User Configuration. But again - can't get in.

I'm not seeing anything in catalina.out that would help me understand what is going on.

14 Community Answers

Matillion Agent  

David Lipowitz —

Hi Brian,

I understand you’ve been in touch with my colleagues on this topic. Were you able to get the issue resolved or did you still need more support on this?

Best Regards,

Brian Repko —

Hi Dave,

This is still an open issue that we are working on with Craig R. Not sure what the issue might be but am wondering if it has to do with our AWS instance not being accessible from the internet.


Matillion Agent  

Laura Malins —

Hi Brian

Apologies I know Craig has been out of the office a fair bit this week.

Does your instance have access to the OpenID provider, say via VPN? If not, I think we’ve found the issue.


Brian Repko —

Hi Laura,

Yep - Craig asked me to do the following

nc -vz 443

on the Matillion server and that does work.

Basically the machine has full access out but can only be accessed by our network (it's like a backend database).

I wanted to verify our G Suite OAuth setup and did the following:

Google OAuth 2.0 Playground

Step 1a. Enter "openid email" as the scope - click [Authorize APIs]
Step 1b. Sign in
Step 2. click [Exchange authorization code for tokens]
Step 3. enter a request URI of
(or choose Google OAuth2 API v2 / Get Userinfo from [List possible operations])
click [Send the Request]

You should get the following JSON

"picture": "",
"verified_email": true,
"id": "112752174285476855943",
"hd": "",
"email": ""

and then Matillion can verify the user email as the login.

My guess is that the initial redirect is fine. But then the server tries to exchange the code for a token and that is when it fails. I'm not sure if that is because we have G Suite endpoints or not.

Hitting the discovery API with our client_id returns the following JSON configuration

"issuer": "",
"authorization_endpoint": "",
"token_endpoint": "",
"userinfo_endpoint": "",
"revocation_endpoint": "",
"jwks_uri": "",
"response_types_supported": [
"code token",
"code id_token",
"token id_token",
"code token id_token",
"subject_types_supported": [
"id_token_signing_alg_values_supported": [
"scopes_supported": [
"token_endpoint_auth_methods_supported": [
"claims_supported": [
"code_challenge_methods_supported": [

Is there a way to turn on debug logging on the server so that I can see where the server access is happening or might be failing? Is that a Spring Security logger?
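
The hypothesis in the post above is that the browser redirect succeeds but the server's own follow-up calls fail. As an added example (not part of the original thread or Matillion's code), this sketch lists the endpoints from an OpenID discovery document that the server itself must reach and runs a TLS handshake with certificate verification against each, which a TCP-only check such as `nc -vz` does not cover. The hosts in the sample document are constructed placeholders and the function names are hypothetical.

```python
import json
import socket
import ssl
from urllib.parse import urlsplit

# Endpoints the relying-party server calls itself (back channel). The
# authorization_endpoint is only visited by the user's browser.
BACK_CHANNEL_KEYS = ("token_endpoint", "userinfo_endpoint", "jwks_uri",
                     "revocation_endpoint")

# Constructed sample discovery document; hosts are placeholders.
SAMPLE_DISCOVERY = json.dumps({
    "authorization_endpoint": "https://accounts.idp.example/auth",
    "token_endpoint": "https://oauth.idp.example/token",
    "userinfo_endpoint": "https://api.idp.example/v1/userinfo",
    "revocation_endpoint": "https://oauth.idp.example/revoke",
    "jwks_uri": "https://api.idp.example/certs",
})

def back_channel_targets(discovery_json):
    """Map (host, port) -> endpoint keys the server must be able to reach."""
    targets = {}
    doc = json.loads(discovery_json)
    for key in BACK_CHANNEL_KEYS:
        url = doc.get(key)
        if not url:
            continue
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError(f"{key} is not an https URL: {url!r}")
        targets.setdefault((parts.hostname, parts.port or 443), []).append(key)
    return targets

def probe(host, port, timeout=5.0):
    """TCP connect plus TLS handshake with certificate verification."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except OSError as exc:  # refused, timeout, DNS failure and ssl.SSLError
        return False, f"{type(exc).__name__}: {exc}"

def check(discovery_json, prober=probe):
    """Probe every back-channel target; prober is injectable for offline use."""
    return {f"{host}:{port}": {"endpoints": keys, "ok": ok, "detail": detail}
            for (host, port), keys in back_channel_targets(discovery_json).items()
            for ok, detail in [prober(host, port)]}
```

Run `check()` on the server itself with the provider's real discovery document; a target that accepts the TCP connection but fails certificate verification points at something between the server and the provider altering the TLS session.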

Matillion Agent  

Craig Rouse —

Would you be available today at 10am MST for a quick call?
Please respond to my email address and I’ll get it set up.

Brian Repko —

Not sure why this got closed - was this fixed in an update? Should I try this again?

Matillion Agent  

Dan D'Orazio —

Hi Brian -

Apologies for that. Would you be available for a quick 30 minute call today between 2:00 PM – 5:00 PM MST? If that window doesn’t work, please feel free to suggest some additional times and we’ll do our best to accommodate you.

One thing to try in the meantime. Can you try to log in from an Incognito Window in Chrome? It’s a long shot, but it’s possible that an existing cookie is gumming up the works.

Best -

Matillion Agent  

Craig Rouse —

Just got off a call with a customer on OpenID not working. Similar to your issue in that everything appears set up correctly, but just doesn’t work.
The culprit was that they installed Dynatrace on their Matillion server and it was interrupting the authentication communication between the open id provider and Matillion.
Are there by chance any agents installed on your Matillion instance that could be interfering with the OpenID traffic?

Brian Repko —

We installed AlertLogic but I think that that was after.

I've done a yum install of

* environment-modules
* lftp
* git
* clamav
* jq
* gpg

as modules, I've installed

* s3cmd v2.0.2
* snowsql
* carrothealth-script-library-1.0.0

and then AlertLogic

Matillion Agent  

Craig Rouse —

Hi Brian,

I’m not familiar with that product, but is it possible to temporarily disable it, or check if it’s interfering with authentication communication in some way?


Brian Repko —

I'm not sure that Google OpenID Connect is working.

Matillion Agent  

Craig Rouse —

Hi Brian,
Not sure I understand…
Have you tried Google’s OpenID also (instead of Okta) and it too is not working for you?

Brian Repko —

This issue does not have a resolution for us. Y'all keep closing it and I keep opening it.
I just tried rebooting after the last install and it's still failing. I need to now look at uninstalling the Alert Logic agent to see if that is part of the problem.

But the behavior for us is still the same - no one can login with the Google Open ID Connect feature. We all get "Invalid Username or Password" (which is not the case - it wasn't able to make the followup request for some reason).

Matillion Agent  

David Lipowitz —

Hi Brian,

Apologies but by default we close tickets after 7 days without a response. You can reopen it at any time by responding to it again, so the ticket’s status is more semantic than anything else.

If uninstalling Alert Logic is problematic, one option might be to create a new Matillion instance without Alert Logic and then configure Google Open ID just as a test. If that’s not possible or preferable, then please let us know the results once you get Alert Logic removed from the original instance.

Best Regards,
