Retrieving groups from google fails with 404 error after upgrade

What happened?

We have been using v0.11.1 for a while and decided to upgrade to v0.19.1. The pomerium server failed to retrieve directory users and groups because googleapi returned 404. The config we use works up to v0.15.8 and stops working from v0.16.0.

What did you expect to happen?

The configuration continues working with google

How’d it happen?

N/A

What’s your environment like?

  • Pomerium version (retrieve with pomerium --version): from 0.15.8 to 0.16.0
  • Server Operating System/Architecture/Cloud:
    • vm with container optimized image on gcp
    • create a container with gcr.io/pomerium-io/pomerium:vx.x.x-cloud on the VM.

What’s your config.yaml?

idp_client_id: xxxx.apps.googleusercontent.com
idp_client_secret: xxxx
cookie_secret: xxxx
idp_service_account: xxxxxxxx

We set the following env vars on the container:

POLICY = xxxx
AUTHENTICATE_SERVICE_URL = "https://xxx"
IDP_PROVIDER = "google"
IDP_PROVIDER_URL = "https://accounts.google.com"
INSECURE_SERVER = true
ADDRESS = ":9252"

What did you see in the logs?

{"level":"warn","service":"identity_manager","error":"google: error getting groups: googleapi: got HTTP response code 404 with body: <html lang=en><meta charset=utf-8><meta name=viewport content=\"initial-scale=1, minimum-scale=1, width=device-width\"><title>Error 404 (Not Found)!!1</title><style nonce=\"6aAaXFCO7wVZ_LA0banUZA\">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}</style><main id=\"af-error-container\" role=\"main\"><a href=//www.google.com><span id=logo aria-label=Google role=img></span></a><p><b>404.</b> <ins>That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>","time":"2022-11-15T16:34:25Z","message":"failed to refresh directory users and groups"}

Additional context

N/A

I was able to find the cause and the solution. The issue was that IDP_PROVIDER_URL = "https://accounts.google.com" is not accurate, and pomerium has a default IDP_PROVIDER_URL for gcp. After removing the configuration, the error message is gone. The relevant update is

2 Likes
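
An added example, not part of the original post and not Pomerium's own code: a triage script that scans Pomerium JSON logs for the identity_manager failure shown above and flags the configuration the poster identified as the cause. The sample log lines, the env dict and the function names are constructed for illustration.

```python
import json
import re

# Constructed sample input, modelled on the log line in the post (HTML body shortened).
SAMPLE_LOGS = [
    '{"level":"info","service":"authenticate","time":"2022-11-15T16:34:20Z","message":"started"}',
    '{"level":"warn","service":"identity_manager","error":"google: error getting groups: '
    'googleapi: got HTTP response code 404 with body: <html lang=en><title>Error 404 '
    '(Not Found)!!1</title><p><b>404.</b> The requested URL was not found on this server.",'
    '"time":"2022-11-15T16:34:25Z","message":"failed to refresh directory users and groups"}',
    "not json at all",
]
# Constructed env, mirroring the variables listed in the post.
SAMPLE_ENV = {"IDP_PROVIDER": "google", "IDP_PROVIDER_URL": "https://accounts.google.com"}

STATUS_RE = re.compile(r"got HTTP response code (\d{3})")

def directory_sync_failures(lines):
    """Return (time, provider, http_status) for each identity_manager sync failure."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip non-JSON lines mixed into container output
        if not isinstance(rec, dict) or rec.get("service") != "identity_manager":
            continue
        err = rec.get("error", "")
        match = STATUS_RE.search(err)
        if match:
            provider = err.split(":", 1)[0]  # error text starts with the provider name
            hits.append((rec.get("time"), provider, int(match.group(1))))
    return hits

def diagnose(env, lines):
    """Flag the combination from the post: google provider, explicit URL, 404 on sync."""
    findings = []
    override = env.get("IDP_PROVIDER_URL")
    for when, provider, status in directory_sync_failures(lines):
        if provider == "google" and status == 404 and env.get("IDP_PROVIDER") == "google" and override:
            findings.append(f"{when}: directory sync 404 with IDP_PROVIDER_URL={override!r} set; "
                            "the poster fixed this by removing the override")
        else:
            findings.append(f"{when}: {provider} directory sync failed with HTTP {status}")
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_ENV, SAMPLE_LOGS):
        print(finding)
```
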