:wave: Hey team! I have a problem with OIDC google...
# troubleshoot
s
👋 Hey team! I have a problem with OIDC google authentication. I’m getting a 502 Bad Gateway 😢 when I try to authenticate with my google account. It’s happening for all users!!
Front-end log:
datahub-datahub-frontend-56784d769d-zjndd datahub-frontend 07:11:19 [application-akka.actor.default-dispatcher-59] ERROR auth.sso.oidc.OidcCallbackLogic - Unable to renew the session. The session store may not support this feature
datahub-datahub-frontend-56784d769d-zjndd datahub-frontend 07:11:31 [application-akka.actor.default-dispatcher-23] ERROR application -

datahub-datahub-frontend-56784d769d-zjndd datahub-frontend ! XXXXXX - Internal server error, for (GET) [/callback/oidc?state=7XXXXXXXXXX&code=4XXXXXXXXX&scope=email%20profile%20openid%20https://www.googleapis.com/auth/userinfo.profile%20https://www.googleapis.com/auth/userinfo.email&authuser=0&hd=company.com&prompt=none] ->
datahub-datahub-frontend-56784d769d-zjndd datahub-frontend
datahub-datahub-frontend-56784d769d-zjndd datahub-frontend play.api.UnexpectedException: Unexpected exception[CompletionException: org.pac4j.core.exception.TechnicalException: Bad token response, error=invalid_grant]
datahub-datahub-frontend-56784d769d-zjndd datahub-frontend 	at play.api.http.HttpErrorHandlerExceptions$.throwableToUsefulException(HttpErrorHandler.scala:247)
GMS log:
datahub-datahub-gms-6d9db764dd-vql2q datahub-gms 07:11:43.009 [qtp544724190-10] INFO  c.l.m.r.entity.EntityResource:137 - GET urn:li:corpuser:miguel.sotomayor
datahub-datahub-gms-6d9db764dd-vql2q datahub-gms 07:11:43.022 [pool-10-thread-1] INFO  c.l.m.filter.RestliLoggingFilter:55 - GET /entities/urn%3Ali%3Acorpuser%3Amiguel.sotomayor - get - 200 - 13ms
datahub-datahub-gms-6d9db764dd-vql2q datahub-gms 07:11:43.036 [qtp544724190-13] INFO  c.l.m.r.entity.AspectResource:125 - INGEST PROPOSAL proposal: {aspectName=corpUserStatus, entityUrn=urn:li:corpuser:miguel.sotomayor, entityType=corpuser, changeType=UPSERT, aspect={contentType=application/json, value=ByteString(length=100,bytes=7b227374...33337d7d)}}
datahub-datahub-gms-6d9db764dd-vql2q datahub-gms 07:11:43.085 [pool-10-thread-1] INFO  c.l.m.filter.RestliLoggingFilter:55 - POST /aspects?action=ingestProposal - ingestProposal - 200 - 49ms
datahub-datahub-gms-6d9db764dd-vql2q datahub-gms 07:11:43.222 [I/O dispatcher 1] INFO  c.l.m.s.e.update.BulkListener:28 - Successfully fed bulk request. Number of events: 2 Took time ms: -1
Configuration:
extraEnvs:
    - name: AUTH_OIDC_ENABLED
      value: "true"
    - name: AUTH_OIDC_CLIENT_ID
      valueFrom:
        secretKeyRef:
          name: auth-datahub-credentials
          key: OIDC_CLIENT_ID
    - name: AUTH_OIDC_CLIENT_SECRET
      valueFrom:
        secretKeyRef:
          name: auth-datahub-credentials
          key: OIDC_CLIENT_SECRET
    - name: AUTH_OIDC_DISCOVERY_URI
      value: "https://accounts.google.com/.well-known/openid-configuration"
    - name: AUTH_OIDC_SCOPE
      value: "openid profile email"
    - name: AUTH_OIDC_USER_NAME_CLAIM
      value: "email"
    - name: AUTH_OIDC_USER_NAME_CLAIM_REGEX
      value: "([^@]+)"
    - name: AUTH_OIDC_BASE_URL
      value: "https://mnycompany.com"
i
Hello Miguel, is this your first time configuring OIDC or did you have OIDC working in the past and it stopped working recently?
s
Hi @incalculable-ocean-74010. It’s not the first time. I had OIDC working before 😞
i
Did you modify something recently? What happened to have OIDC stop working?
s
Did you modify something recently?
No AFAIK
What happened to have OIDC stop working?
I don’t know, that’s the problem
i
Was DataHub upgraded? Who manages your OIDC system? Is the client OIDC ID still valid? Maybe the secret got rotated? Most of these questions are about your infrastructure, not about DataHub. There isn't much I can do to help…
s
Was datahub upgraded?
No I’ve changed AUTH_OIDC_CLIENT_SECRET but it’s still failing
i
Do you manage the OIDC application in your infrastructure or is it some IT team?
I’ve never heard about OIDC failing without changes. My hypothesis is that the OIDC application on Google's side changed in some incompatible way.
s
Fixed it!!! 🎉 I added the PAC4J_SESSIONSTORE_PROVIDER property according to this documentation and it’s working now!! Thanks @incalculable-ocean-74010!