Bug 46926 - googleapps/state: Client is unauthorized to retrieve access tokens using this method.
Summary: googleapps/state: Client is unauthorized to retrieve access tokens using this...
Status: RESOLVED WONTFIX
Alias: None
Product: UCS
Classification: Unclassified
Component: Google Apps for Work
Version: UCS 4.4
Hardware: Other Linux
: P5 normal
Target Milestone: ---
Assignee: Mail maintainers
QA Contact: Mail maintainers
URL:
Keywords:
: 49191 51012 (view as bug list)
Depends on:
Blocks:
 
Reported: 2018-05-02 18:43 CEST by Johannes Keiser
Modified: 2024-09-13 12:59 CEST (History)
8 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 6: Setup Problem: Issue for the setup process
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.309
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019042521000756, 2018112221000231, 2018092621001102, 2018090221000121, 2019012321000701, 2018043021000113, 2019032321000332, 2020012221001183, 2020061221000256, 2019022621000838, 2019040621000416, 2019053021000324, 2019060621000663, 2019061921001067
Bug group (optional): Error handling, External feedback
Customer ID:
Max CVSS v3 score:

Attachments
Univention User Template for Google Apps (48.37 KB, image/jpeg)
2021-01-09 01:18 CET, Frank Gore 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Keiser univentionstaff 2018-05-02 18:43:52 CEST 
Version: 4.3-0 errata22 (Neustadt)

Internal server error during "googleapps/state".
Request: googleapps/state

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/base.py", line 253, in execute
    function.__func__(self, request, *args, **kwargs)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 318, in _response
    result = _multi_response(self, request)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 440, in _response
    return list(function(self, iterator, *nones))
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 286, in _fake_func
    yield function(self, *args)
  File "%PY2.7%/univention/management/console/modules/googleapps/__init__.py", line 129, in state
    ol.gh.list_users(projection="basic")
  File "%PY2.7%/univention/googleapps/handler.py", line 143, in list_users
    return self._list_objects("users", customer, domain, **kwargs)
  File "%PY2.7%/univention/googleapps/handler.py", line 451, in _list_objects
    results = getattr(self.service, object_type)().list(**kwargs).execute()
  File "/usr/lib/python2.7/dist-packages/oauth2client/util.py", line 137, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/googleapiclient/http.py", line 833, in execute
    method=str(self.method), body=self.body, headers=self.headers)
  File "/usr/lib/python2.7/dist-packages/googleapiclient/http.py", line 160, in _retry_request
    resp, content = http.request(uri, method, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/oauth2client/transport.py", line 153, in new_request
    credentials._refresh(orig_request_method)
  File "/usr/lib/python2.7/dist-packages/oauth2client/client.py", line 777, in _refresh
    self._do_refresh_request(http_request)
  File "/usr/lib/python2.7/dist-packages/oauth2client/client.py", line 834, in _do_refresh_request
    raise HttpAccessTokenRefreshError(error_msg, status=resp.status)
HttpAccessTokenRefreshError: unauthorized_client: Client is unauthorized to retrieve access tokens using this method.

Role: domaincontroller_master
Comment 1 Johannes Keiser univentionstaff 2019-01-31 13:40:41 CET 
Version: 4.3-2 errata344 (Neustadt)

Interner Server-Fehler in "googleapps/state".
Request: googleapps/state

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/base.py", line 253, in execute
    function.__func__(self, request, *args, **kwargs)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 318, in _response
    result = _multi_response(self, request)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 440, in _response
    return list(function(self, iterator, *nones))
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 286, in _fake_func
    yield function(self, *args)
  File "%PY2.7%/univention/management/console/modules/googleapps/__init__.py", line 129, in state
    ol.gh.list_users(projection="basic")
  File "%PY2.7%/univention/googleapps/handler.py", line 143, in list_users
    return self._list_objects("users", customer, domain, **kwargs)
  File "%PY2.7%/univention/googleapps/handler.py", line 451, in _list_objects
    results = getattr(self.service, object_type)().list(**kwargs).execute()
  File "/usr/lib/python2.7/dist-packages/oauth2client/util.py", line 137, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/googleapiclient/http.py", line 833, in execute
    method=str(self.method), body=self.body, headers=self.headers)
  File "/usr/lib/python2.7/dist-packages/googleapiclient/http.py", line 160, in _retry_request
    resp, content = http.request(uri, method, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/oauth2client/transport.py", line 153, in new_request
    credentials._refresh(orig_request_method)
  File "/usr/lib/python2.7/dist-packages/oauth2client/client.py", line 777, in _refresh
    self._do_refresh_request(http_request)
  File "/usr/lib/python2.7/dist-packages/oauth2client/client.py", line 834, in _do_refresh_request
    raise HttpAccessTokenRefreshError(error_msg, status=resp.status)
HttpAccessTokenRefreshError: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.

Role: domaincontroller_master
Comment 2 Johannes Keiser univentionstaff 2019-01-31 17:53:11 CET 
Reported again:
Version: 4.3-2 errata331 (Neustadt)
Version: 4.3-2 errata255 (Neustadt)
Version: 4.3-1 errata229 (Neustadt)
Tracebacks: Same as Comment #0
Comment 3 Erik Damrose univentionstaff 2019-03-28 17:17:53 CET 
*** Bug 49191 has been marked as a duplicate of this bug. ***
Comment 4 Daniel Tröder univentionstaff 2019-03-29 08:11:55 CET 
The user has completed the configuration wizard at this point and has downloaded the certificate.
Most likely user didn't copy and paste the scope configuration into the google admin console.
We should try to reproduce the error by omitting the scope configuration step.
Comment 5 Johannes Keiser univentionstaff 2019-05-16 17:00:10 CEST 
Reported again: Version: 4.4-0 errata59 (Blumenthal)
Traceback: Same as Comment #1
Comment 6 Erik Damrose univentionstaff 2020-03-25 15:59:18 CET 
*** Bug 51012 has been marked as a duplicate of this bug. ***
Comment 7 Christian Castens univentionstaff 2020-06-26 13:54:22 CEST 
reported again:
Version: 4.4-4 errata624 (Blumenthal)
Role: domaincontroller_master
Internal server error during "googleapps/state".
Request: googleapps/state
Comment 8 Ingo Steuwer univentionstaff 2020-06-26 14:15:56 CEST 
We know from customers that the setup of the GSuite App works. But we also learned that we need to rework the instructions, see #51581 - this one might be fixed while updating the wizard.
Comment 9 Christian Castens univentionstaff 2020-08-12 08:34:39 CEST 
reported again
Versions reported: oldest: 4.3-3 errata430, latest 4.4-3 errata427

Ticket#2019022621000838
Ticket#2019040621000416
Ticket#2019053021000324
Ticket#2019060621000663
Ticket#2019061921001067
Ticket#2019062521000725
Ticket#2019082021000221
Ticket#2019082121000103
Ticket#2019082321000047
Ticket#2019091021001069
Ticket#2019101721000831
Ticket#2020012221001076
Comment 10 Frank Gore 2021-01-09 00:56:46 CET 
The workflow may be slightly different that what's in the wizard, but not different enough to lead me astray. I was able to figure it all out. I have the json key, the roles are assigned, the oAuth directives are in place using the appropriate Client ID, and I have Domain-wide Delegation enabled. Everything is in place exactly like the wizard says it should be. Yet this continues to fail repeatedly at the very end.
Comment 11 Frank Gore 2021-01-09 01:18:46 CET 
Created attachment 10588 [details]
Univention User Template for Google Apps

So could this be the problem? Is the app trying to authenticate using the AD domain rather than the registered domain name that the wizard asks for? That would explain why it works fine for some people and not for others
Comment 12 Maximilian Janßen univentionstaff 2021-11-26 10:45:55 CET 
reported again: 2021050121000115


Version: 4.4-8 errata966 (Blumenthal)

Remark: Leider ließ sich die API nicht installieren bitte um Hilfe

Error: 
Interner Server-Fehler in "googleapps/state".
Request: googleapps/state

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/base.py", line 359, in __error_handling
    six.reraise(etype, exc, etraceback)
  File "%PY2.7%/univention/management/console/base.py", line 262, in execute
    function.__func__(self, request, *args, **kwargs)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 321, in _response
    result = _multi_response(self, request)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 181, in _response
    return function(self, request)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 443, in _response
    return list(function(self, iterator, *nones))
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 289, in _fake_func
    yield function(self, *args)
  File "%PY2.7%/univention/management/console/modules/googleapps/__init__.py", line 129, in state
    ol.gh.list_users(projection="basic")
  File "%PY2.7%/univention/googleapps/handler.py", line 143, in list_users
    return self._list_objects("users", customer, domain, **kwargs)
  File "%PY2.7%/univention/googleapps/handler.py", line 451, in _list_objects
    results = getattr(self.service, object_type)().list(**kwargs).execute()
  File "%PY2.7%/oauth2client/util.py", line 137, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "%PY2.7%/googleapiclient/http.py", line 833, in execute
    method=str(self.method), body=self.body, headers=self.headers)
  File "%PY2.7%/googleapiclient/http.py", line 160, in _retry_request
    resp, content = http.request(uri, method, *args, **kwargs)
  File "%PY2.7%/oauth2client/transport.py", line 153, in new_request
    credentials._refresh(orig_request_method)
  File "%PY2.7%/oauth2client/client.py", line 777, in _refresh
    self._do_refresh_request(http_request)
  File "%PY2.7%/oauth2client/client.py", line 834, in _do_refresh_request
    raise HttpAccessTokenRefreshError(error_msg, status=resp.status)
HttpAccessTokenRefreshError: unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.

Role: domaincontroller_master
Comment 13 Maximilian Janßen univentionstaff 2021-11-26 15:26:22 CET 
reported again: 2021030421000775
Version: 4.4-7 errata906 (Blumenthal)
same traceback as in Comment #12
Comment 14 Maximilian Janßen univentionstaff 2021-12-01 10:45:06 CET 
reported again: 2021112821000027
Version: 4.4-8 errata1111 (Blumenthal)
same traceback as in Comment #12
Comment 15 Mika Westphal univentionstaff 2022-10-27 18:08:55 CEST 
Reported again: 2022101221000431
Version: 4.4-8 errata1009 (Blumenthal)

Remark: Your screenshots and explanations does not corrolate to anything currently at google this app is unusable
Role: domaincontroller_master
Comment 16 Jan-Luca Kiok univentionstaff 2024-09-13 12:59:20 CEST 
This issue has been filed against an older version of UCS.

With further development of our products affected components may have vastly changed while the corresponding use cases might have changed. Thus, this issue is now being closed.

If there still is a need for this feature, please use "Clone this bug" or reopen this issue. In this case please provide information on how this issue would benefit you.