hlavki / g-suite-identity-sync

G Suite to LDAP identity synchronizer
Apache License 2.0

Client is unauthorized to retrieve access tokens using this method #7

Closed cdejardin closed 6 years ago

cdejardin commented 6 years ago

Hello,

I did follow all the steps in the documentation, I launch the containers, I open my browser to the right URL, I click on sign-in, I'm logged in with the right Google account, and when I'm redirected, I get this error in the logs:

```
identity_1 | 2018-05-14T10:01:41,515 | INFO | qtp1837767860-96 | LoggingOutInterceptor | 41 - org.apache.cxf.cxf-core - 3.2.2 | Outbound Message
identity_1 | ---------------------------
identity_1 | ID: 28
identity_1 | Response-Code: 401
identity_1 | Content-Type: application/json;charset=utf-8
identity_1 | Headers: {Accept-Ranges=[none], Alt-Svc=[hq=":443"; ma=2592000; quic=51303433; quic=51303432; quic=51303431; quic=51303339; quic=51303335,quic=":443"; ma=2592000; v="43,42,41,39,35"], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], content-type=[application/json;charset=utf-8], Date=[Mon, 14 May 2018 10:01:41 GMT], Expires=[Mon, 01 Jan 1990 00:00:00 GMT], Pragma=[no-cache], Server=[ESF], transfer-encoding=[chunked], Vary=[Accept-Encoding], X-Content-Type-Options=[nosniff], X-Frame-Options=[SAMEORIGIN], X-XSS-Protection=[1; mode=block], Content-Type=[application/json; charset=utf-8]}
identity_1 | Payload: {
identity_1 | "error" : "unauthorized_client",
identity_1 | "error_description" : "Client is unauthorized to retrieve access tokens using this method."
identity_1 | }
identity_1 | --------------------------------------
```

hlavki commented 6 years ago

Hi,

I think there is some problem with Delegating domain-wide authority to the service account.

According to the documentation, you have to specify the Client ID and scopes in comma-delimited format:

https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.user

cdejardin commented 6 years ago

Hi,

Thanks a lot for the quick answer, I originally did not understand that we had to put the 2 scopes.

It's working as expected now, I'm connected.

I'll close the issue, sorry for the trouble.

Best regards.
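
A way to check a setup against the resolution reached in this thread, as an added example that is not part of the original issue or of the g-suite-identity-sync code: it pulls the OAuth error out of a docker-compose log dump and compares the comma-delimited scope string entered for domain-wide delegation with the two scopes quoted above. The function names and the sample log are constructed for illustration, and the "extra" list is an added least-privilege check the thread does not ask for.

```python
import json
import re

# The two scopes quoted in the maintainer's reply in this thread.
REQUIRED_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
}

# Constructed sample, shaped like the docker-compose log excerpt in the issue.
SAMPLE_LOG = """\
identity_1 | Response-Code: 401
identity_1 | Headers: {Server=[ESF], Pragma=[no-cache]}
identity_1 | Payload: {
identity_1 | "error" : "unauthorized_client",
identity_1 | "error_description" : "Client is unauthorized to retrieve access tokens using this method."
identity_1 | }
identity_1 | --------------------------------------
"""

def extract_oauth_error(log_text):
    """Return the JSON error payload from a CXF 'Outbound Message' dump, or None."""
    # Drop the 'service | ' prefix that docker-compose puts on every line.
    body = "\n".join(re.sub(r"^\S+\s*\|\s?", "", ln) for ln in log_text.splitlines())
    start = body.find("Payload:")  # skip the '{' that opens the Headers dump
    brace = body.find("{", start) if start != -1 else -1
    if brace == -1:
        return None
    try:
        payload, _ = json.JSONDecoder().raw_decode(body[brace:])
    except json.JSONDecodeError:
        return None
    return payload if isinstance(payload, dict) else None

def check_delegation_scopes(entered):
    """Compare a comma-delimited scope string with the scopes the thread lists."""
    granted = {s.strip() for s in entered.split(",") if s.strip()}
    return {"missing": sorted(REQUIRED_SCOPES - granted),
            "extra": sorted(granted - REQUIRED_SCOPES)}

def diagnose(log_text, entered_scopes):
    """Tie the logged OAuth error to the state of the delegation entry."""
    err = extract_oauth_error(log_text)
    scopes = check_delegation_scopes(entered_scopes)
    if not err or err.get("error") != "unauthorized_client":
        return "no unauthorized_client error in log"
    if scopes["missing"]:
        return "missing scopes: " + ", ".join(scopes["missing"])
    return "scopes complete; verify the Client ID on the delegation entry"
```

Calling `diagnose(SAMPLE_LOG, "https://www.googleapis.com/auth/admin.directory.user")` reports the read-only group scope as missing, which is the situation the reporter describes.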