https://rancher.com/ logo
Title
q

quiet-area-89381

10/05/2022, 10:20 PM
Following the documentation to setup SSO using Google on rancher, we get this error when clicking "enable"
[Google OAuth] testAndApply: server error while authenticating: Get "<https://admin.googleapis.com/admin/directory/v1/groups?alt=json&domain=microbyre.com&prettyPrint=false&userKey=104963972947843610189>": oauth2: cannot fetch token: 401 Unauthorized
Response: {
"error": "unauthorized_client",
"error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}
We verified the SA has the permissions and the delegation on the workspace side too.
We found the issue. On the Auth Provider configuration screen for Google, the admin email needs to be an actual user within the organization. I had used our shared admin email which is a group, and not a user.
Maybe the instructions on the Rancher UI should explicitly say it has to be a user and can't be just and email address. Finding the solution was almost just luck ­čśŤ
It wasn't obvious this was used to make a call to the admin.google.com apis at first.