Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Title
q
quiet-area-89381
10/05/2022, 10:20 PMFollowing the documentation to setup SSO using Google on rancher, we get this error when clicking "enable"
[Google OAuth] testAndApply: server error while authenticating: Get "<https://admin.googleapis.com/admin/directory/v1/groups?alt=json&domain=microbyre.com&prettyPrint=false&userKey=104963972947843610189>": oauth2: cannot fetch token: 401 Unauthorized
Response: {
"error": "unauthorized_client",
"error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}We found the issue. On the Auth Provider configuration screen for Google, the admin email needs to be an actual user within the organization. I had used our shared admin email which is a group, and not a user.
Maybe the instructions on the Rancher UI should explicitly say it has to be a user and can't be just and email address. Finding the solution was almost just luck 😛
It wasn't obvious this was used to make a call to the admin.google.com apis at first.