By: shikha Mishra user 23 Feb 2017 at 4:21 a.m. CST

21 Responses
We have configured Google authentication on gluu-server. The user clicks on the Google authentication login button and enters Google credentials; authentication fails when the Gluu server tries to get an access token from the Google API. We have set a proxy to get internet access on the server, as this server is in the organization DMZ, and we are able to run wget and curl commands against the Google API from the server. However, Gluu Server is not able to connect to the Google API. Is there any proxy setting specific to Gluu Server? Can you please suggest a solution for this issue?

wrapper.log:

```
INFO | jvm 1 | 2017/02/23 06:31:30 | 2017-02-23 06:31:30,920 ERROR [org.xdi.oxauth.client.TokenClient] accounts.google.com
INFO | jvm 1 | 2017/02/23 06:31:30 | java.net.UnknownHostException: accounts.google.com
```

By Aliaksandr Samuseu staff 23 Feb 2017 at 4:47 a.m. CST

Hi, shikha. May I ask you to provide a link to the doc page(s) you used to configure it? Also, if you are trying to employ some custom authentication script, there may be some hints in `/opt/tomcat/logs/oxauth_script.log`. Next time you try it, please check it and provide any relevant error records that appear.

By shikha Mishra user 23 Feb 2017 at 7:59 a.m. CST

Hi Aliaksandr, I have referred to the Gluu Server document https://gluu.org/docs/2.4.4/authn-guide/google/. Below is the relevant log from /opt/tomcat/logs/oxauth_script.log:

```
2017-02-21 17:04:36,665 INFO [org.xdi.service.PythonService] (ajp-bio-127.0.0.1-8009-exec-6) Google+ Prepare for step 1
2017-02-21 17:05:24,547 INFO [org.xdi.service.PythonService] (ajp-bio-127.0.0.1-8009-exec-4) Google+ Prepare for step 1
2017-02-21 17:06:08,691 INFO [org.xdi.service.PythonService] (ajp-bio-127.0.0.1-8009-exec-7) Google+ Authenticate for step 1
2017-02-21 17:06:08,691 INFO [org.xdi.service.PythonService] (ajp-bio-127.0.0.1-8009-exec-7) Google+ Authenticate for step 1. gplusAuthCode:
2017-02-21 17:06:08,691 INFO [org.xdi.service.PythonService] (ajp-bio-127.0.0.1-8009-exec-7) 4/KYTamITvOyKEi5liOtIbHjGHTQTIG_RS7YAU8ljRiw8
2017-02-21 17:06:08,691 INFO [org.xdi.service.PythonService] (ajp-bio-127.0.0.1-8009-exec-7) Google+ Authenticate for step 1. Attempting to gets tokens
2017-02-21 17:06:10,406 INFO [org.xdi.service.PythonService] (ajp-bio-127.0.0.1-8009-exec-7) Google+ Authenticate for step 1. Failed to get tokens
```

By Aliaksandr Samuseu staff 23 Feb 2017 at 8:35 a.m. CST

We may need to try to reproduce it. I'll get back to you with results.

By shikha Mishra user 02 Mar 2017 at 12:12 a.m. CST

Hi Aliaksandr, Are you able to reproduce this issue? Regards, Shikha

By Aliaksandr Samuseu staff 16 Mar 2017 at 7:41 a.m. CDT

Sorry for the delay, Shikha. We updated our doc here: [https://gluu.org/docs/ce/3.0.1/integration/google/](https://gluu.org/docs/ce/3.0.1/integration/google/) You can also check this ticket: [https://support.gluu.org/single-sign-on/3843/google-login-credentials-could-not-be-verified/#at20375](https://support.gluu.org/single-sign-on/3843/google-login-credentials-could-not-be-verified/#at20375)

By shikha Mishra user 16 Mar 2017 at 11:33 p.m. CDT

Hi Aliaksandr, I am working from https://gluu.org/docs/ce/2.4.4/authn-guide/google/ and I have explained the issue in my previous post. Can you please help to resolve the issue I mentioned? I find the solution is not related to my problem.

By Aliaksandr Samuseu staff 17 Mar 2017 at 3:13 p.m. CDT

Hi, Shikha. Here is the correct guide for your case: [https://gluu.org/docs/ce/2.4.4/authn-guide/google/](https://gluu.org/docs/ce/2.4.4/authn-guide/google/)

Back to your issue now:

> We have set proxy to get internet access on server as this server is on organization DMZ, And we are able to run wget and curl commands on google api from server.

What kind of proxy is it? Could you provide a command line you use for curl to access it? Are you adding a parameter to it so it will be able to utilize this proxy, like specify proxy's host and port, and possibly authentication credentials?

I don't think Gluu is capable of dealing with such setup by default. Google authentication script is a jython script that utilizes oxAuth client Java app to achieve what it does. Unless your proxy is of transparent kind, you'll need to modify script or even client's source to "teach" it how to handle this case.

By Aliaksandr Samuseu staff 17 Mar 2017 at 3:15 p.m. CDT

Please check [this article](https://gluu.org/docs/ce/2.4.4/operation/logs/) on how to raise the log verbosity for oxAuth, then retry your flow. Hopefully this time you'll get more clues about what's going on in the logs.

Btw, why do you think Gluu can't contact Google's servers due to the presence of a proxy? How exactly did you verify that's the case?

By shikha Mishra user 20 Mar 2017 at 3:08 a.m. CDT

Hi Aliaksandr, It is a forward proxy, and we have set the proxy in the bash profile.

curl command:

```
curl -d "client_id=XXXXX.apps.googleusercontent.com&client_secret=XXXXXXXXX&redirect_uri=http://localhost/etc&grant_type=authorization_code&code=4/aCFOEvnbl-O53SoR1TV6e7F9_juaAtQjYPIxe0JvT9M" https://accounts.google.com/o/oauth2/token
{ "error" : "invalid_grant", "error_description" : "Code was already redeemed." }
```

From wrapper.log, it is clear that gluu is not able to connect to google.

wrapper.log:

```
INFO | jvm 1 | 2017/02/23 06:31:30 | 2017-02-23 06:31:30,920 ERROR [org.xdi.oxauth.client.TokenClient] accounts.google.com
INFO | jvm 1 | 2017/02/23 06:31:30 | java.net.UnknownHostException: accounts.google.com
```

I will raise the log's verbosity for oxAuth and upload the logs.

By Aliaksandr Samuseu staff 20 Mar 2017 at 8:25 a.m. CDT

> From wrapper.log, it is clear that gluu is not able to connect to google. wrapper.log ,

Have you tried to connect your Gluu host in such a way that it will bypass the proxy? Will authentication work this way? Maybe there is another reason why it's unable to connect?

By shikha Mishra user 21 Mar 2017 at 12:05 a.m. CDT

I have tried Google authentication on a different VM which has internet access and where there is no need to set a proxy. On this server Google authentication is working fine. We are facing the issue on the organization server, on which we cannot bypass the proxy to access the Google URL. The only way to access the Google URL is by proxy.

Regards, Shikha

By shikha Mishra user 22 Mar 2017 at 5:01 a.m. CDT

Hi Aliaksandr, Can you please reopen this ticket? And please suggest how we can set a proxy in the Gluu Server Google authentication request.

Regards, Shikha

By Aliaksandr Samuseu staff 23 Mar 2017 at 12:28 p.m. CDT

Hi, Shikha. It appears an issue similar to this was fixed in Gluu CE 2.4.4 SP3. You should try to update your instance and see whether this will help. The SP3 updater package for Ubuntu 14 should be released in a day. I'll provide you the steps required to apply it.

By Aliaksandr Samuseu staff 23 Mar 2017 at 4:04 p.m. CDT

Updater is released, please follow these steps to update your instance:

1. Backup the current setup. Make sure you have several GB of free space on the volume where your container is located
2. Outside of container: `# apt-get clean; apt-get update`
3. Outside of container: `# apt-get install gluu-updater-2.4.4`
4. `# service gluu-server-2.4.4 login`
5. `# cd /opt/upd/2.4.4.sp3/bin/`
6. Run updater's scripts in next order:
    - `# ./update_system.sh`
    - `# ./update_ldap.sh`
    - `# ./update_opendj.sh`
    - `# ./update_war.sh`

Hope this helps.

By shikha Mishra user 29 Mar 2017 at 4:47 a.m. CDT

Hi Aliaksandr, I will try this and update you. Please keep this ticket on hold state. Thanks, Shikha

By Aliaksandr Samuseu staff 03 Apr 2017 at 7:56 a.m. CDT

Hi, Shikha. Was your issue resolved?

By shikha Mishra user 05 Apr 2017 at 4:18 a.m. CDT

Hi Aliaksandr, The issue is not resolved. We upgraded the server to 2.4.4 SP3. Is there any way to add a proxy in the Google Authentication module?

Regards, Shikha

By Aliaksandr Samuseu staff 05 Apr 2017 at 12:15 p.m. CDT

> Is there any way to add proxy in Google Authentication module.

You should be able to add any functionality python is able to handle to the script.

By Aliaksandr Samuseu staff 05 Apr 2017 at 4:43 p.m. CDT

I've asked developer who designed the script about the situation. Apparently, it's not a bug, but a possible enhancement for future releases. There is an old [enhancement proposal](https://github.com/GluuFederation/oxAuth/issues/9) on github, but no estimations on how soon it will be delivered can be given atm, it's not perceived as a critical feature (unless one of our customers will need it)

He also shared a quick assessment of the current `gplus` script's code and his suggestions on how you could rewrite it to achieve what you need:

+++

Next code snippet will create executor which is aware of web proxy:

```
org.apache.commons.httpclient.HttpClient httpClient = new HttpClient();
httpClient.getHostConfiguration().setProxy(proxyHost,proxyPort);
ClientExecutor executor = new ApacheHttpClientExecutor(httpClient);
```

Then, before line like this:

```
tokenResponse = tokenClient.exec()
```

you put

```
tokenClient.setExecutor(executor)
```

That should be it. Then you need to apply the same approach to all other lines sending requests to Google's servers (or any other external hosts)

+++

Please note that it's not a solid solution, and is not proven to work (though, all Gluu's sources are open, and you are free to study them in case any further difficulties will be encountered).

Unfortunately, we can't provide support on such non-standard issues for free. If you can be interested in buying a support contract, we could discuss possible ways to meet your needs.
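
The developer's suggestion above, rewritten in Jython syntax for use inside the `gplus` script; this is an added example, not part of the original post and not Gluu's code. `parse_proxy`, `build_proxy_executor`, `exec_via_proxy` and `PROXY` are hypothetical names, and the import path of `ApacheHttpClientExecutor` assumes the RESTEasy 2.x client library.

```python
# Added example, not Gluu code. Loads under Jython 2.7 (inside the gplus
# script) and under CPython, so the parsing can be tested off-server.
try:
    from urllib.parse import urlsplit      # CPython 3
except ImportError:
    from urlparse import urlsplit          # Jython / Python 2.7


def parse_proxy(value):
    """Turn 'http://proxy.corp.example:3128' or 'proxy:3128' into (host, port).

    Raises ValueError instead of guessing, so a typo cannot silently leave
    the client on a direct connection (the path that fails in the DMZ).
    """
    value = (value or "").strip()
    if "://" not in value:
        value = "http://" + value
    parts = urlsplit(value)
    if parts.scheme != "http":
        raise ValueError("only a plain HTTP forward proxy is handled here")
    if parts.username or parts.password:
        raise ValueError("proxy credentials are not handled in this example")
    if not parts.hostname or parts.port is None:
        raise ValueError("proxy must be given as host:port")
    return parts.hostname, parts.port


def build_proxy_executor(proxy):
    """The developer's three lines from the thread, in Jython syntax."""
    host, port = parse_proxy(proxy)        # validate before touching Java
    # Java imports live here so the module still loads outside the JVM.
    # Assumption: ApacheHttpClientExecutor comes from the RESTEasy 2.x client.
    from org.apache.commons.httpclient import HttpClient
    from org.jboss.resteasy.client.core.executors import ApacheHttpClientExecutor
    http_client = HttpClient()
    http_client.getHostConfiguration().setProxy(host, port)
    return ApacheHttpClientExecutor(http_client)


def exec_via_proxy(client, proxy):
    """Attach a proxy-aware executor to an oxAuth client, then run it.

    In the script, `tokenResponse = tokenClient.exec()` would become
    `tokenResponse = exec_via_proxy(tokenClient, PROXY)`, where PROXY is a
    value you supply (hypothetical name), and likewise for other clients.
    """
    client.setExecutor(build_proxy_executor(proxy))
    return client.exec()
```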

By Aliaksandr Samuseu staff 06 Apr 2017 at 2:30 p.m. CDT

Hi, Shikha. I'm closing the ticket now, as it seems we won't be able to help you more than that at the moment.

By shikha Mishra user 07 Apr 2017 at 2:56 a.m. CDT

Hi Aliaksandr, Thanks for the information and help. Regards, Shikha