Retrieving groups from google fails with 404 error after upgrade

byungsoo.kim · November 15, 2022, 4:58pm

What happened?

We have been using v0.11.1 for a while and decided to upgrade to v0.19.1. The pomerium server failed in retrieving directory users and groups because googleapi returned 404. The config we use works unto v0.15.8 and stop working from v0.16.0

What did you expect to happen?

The configuration continues working with google

How’d it happen?

N/A

What’s your environment like?

Pomerium version (retrieve with pomerium --version): from 0.15.8 to 0.16.0
Server Operating System/Architecture/Cloud:
- vm with container optimized image on gcp
- create a container with gcr.io/pomerium-io/pomerium:vx.x.x-cloud on the VM.

What’s your config.yaml?

idp_client_id: xxxx.apps.googleusercontent.com
idp_client_secret: xxxx
cookie_secret: xxxx
idp_service_account: xxxxxxxx

we set the following env vars on container

POLICY = xxxx
AUTHENTICATE_SERVICE_URL = "https://xxx"
IDP_PROVIDER = "google"
IDP_PROVIDER_URL = "https://accounts.google.com"
INSECURE_SERVER = true
ADDRESS = ":9252"

What did you see in the logs?

# Paste your logs here.
# Be sure to scrub any sensitive values
{"level":"warn","service":"identity_manager","error":"google: error getting groups: googleapi: got HTTP response code 404 with body: <html lang=en><meta charset=utf-8><meta name=viewport content=\"initial-scale=1, minimum-scale=1, width=device-width\"><title>Error 404 (Not Found)!!1</title><style nonce=\"6aAaXFCO7wVZ_LA0banUZA\">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}</style><main id=\"af-error-container\" role=\"main\"><a href=//www.google.com><span id=logo aria-label=Google role=img></span></a><p><b>404.</b> <ins>That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>","time":"2022-11-15T16:34:25Z","message":"failed to refresh directory users and groups"}

Additional context

N/A

byungsoo.kim · November 21, 2022, 1:36pm

I was able to find the cause and the solution. The issue was IDP_PROVIDER_URL = "https://accounts.google.com" is not accurate and pomerium has a default IDP_PROVIDER_URL for gcp. After removing the configuration, the error message is gone. The relevant update is

github.com/pomerium/pomerium

Google groups synching is broke with V0..16

opened 05:44AM - 29 Dec 21 UTC

closed 05:21PM - 07 Jan 22 UTC

EdgardGomez

NeedsInvestigation WaitingForInfo NeedsProposal

## What happened? Google groups cannot be synched. ## What did you expect t…o happen? properly authenticate with the idp service account and populate group membership ## How'd it happen? after updating pomerium to V0.16, synching of google groups started to fail ## What's your environment like? - Pomerium version (0.16.0): - Server Operating System/Architecture/Cloud: ubuntu 20.04 LTS docker swarm 2.10 ## What's your config.yaml? ``` # Main configuration flags : https://www.pomerium.com/docs/reference/ #address: ":8443" # pomerium_debug: true # optional, default is false #service: "all" # log_level: info # optional, default is debug authenticate_service_url: https://authenticate.domain.com # authorize service url will default to localhost in all-in-one mode, otherwise # it should be set to a "behind-the-ingress" routable url #authorize_service_url: https://pomerium-authorize-service.default.svc.cluster.local #databroker_service_url: https://pomerium-databroker-service.default.svc.cluster.local # Certificates can be loaded as files or base64 encoded bytes. #certificate_file: "/pomerium/cert.pem" #certificate_key_file: "/pomerium/privkey.pem" #certificate_authority_file: "/pomerium/cert.pem" autocert: true # alternatively, insecure mode can be used if behind a TLS terminating ingress, # or when using a sidecar proxy #insecure_server: true # base64 encoded cert, eg. `base64 -i cert.pem` / `base64 -i privkey.pem` # certificate: | # "xxxxxx" # certificate_key: | # "xxxx" # Generate 256 bit random keys e.g. `head -c32 /dev/urandom | base64` shared_secret: cookie_secret: # If set, a JWT based signature is appended to each request header `x-pomerium-jwt-assertion` # signing_key: "Replace with base64'd private key from ./scripts/self-signed-sign-key.sh" signing_key: # Use redis databroker backend databroker_storage_type: redis databroker_storage_connection_string: redis://pomerium_redis:6379 # Identity Provider Settings ## GOOGLE idp_provider: "google" idp_provider_url: "https://accounts.google.com" idp_client_id: "" idp_client_secret: "" # IF GSUITE and you want to get user groups you will need to set a service account # see identity provider docs for gooogle for more info : idp_service_account: # Proxied routes and per-route policies are defined in a routes block routes: - from: https://route1.domain.com to: http://pomerium_verify allowed_domains: domain.com pass_identity_headers: true - from: https://route2.domain.com to: http://pomerium_nginx allowed_domains: domain.com pass_identity_headers: true - from: https://route3.domain.com to: http://controllers_1 allowed_domains: domain.com pass_identity_headers: true ``` ## What did you see in the logs? ```logs WRN failed to refresh directory users and groups error="google: error getting groups: googleapi: got HTTP response code 404 with body: <html lang=en><meta charset=utf-8><meta name=viewport content=\"initial-scale=1, minimum-scale=1, width=device-width\"><title>Error 404 (Not Found)!!1</title><style nonce=\"4taL7JLn9nv7zGsUc477lg\">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px;}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}pre{white-space:pre-wrap;}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}</style><main id=\"af-error-container\" role=\"main\"><a href=//www.google.com><span id=logo aria-label=Google role=img></span></a><p><b>404.</b> <ins>That’s an error.</ins><p>The requested URL was not found on this server. <ins>That’s all we know.</ins></main>" service=identity_manager ``` ## Additional context rolling back to V0.15.8 resolves the issue of google groups not synching @alexrudd2