# troubleshoot
s
Hello, I was trying to troubleshoot a problem on docker-compose with Google OIDC. The logs from the front-end container are showing the following error:
Caused by: com.nimbusds.oauth2.sdk.ParseException: The scope must include an "openid" value
	at com.nimbusds.openid.connect.sdk.AuthenticationRequest.parse(AuthenticationRequest.java:1378)
	at com.nimbusds.openid.connect.sdk.AuthenticationRequest.parse(AuthenticationRequest.java:1312)
	at org.pac4j.oidc.redirect.OidcRedirectActionBuilder.buildAuthenticationRequestUrl(OidcRedirectActionBuilder.java:110)
It seems it's not parsing properly the AUTH_OIDC_SCOPE env var. I opened an interactive shell inside the container and it seems the variables are being set accordingly. Here's the output from the front-end container:
ubuntu@host-name:~$ docker exec -it <CONTAINER_ID_FRONT-END> /bin/sh

/ $ env

ELASTIC_CLIENT_HOST=elasticsearch
HOSTNAME=datahub-frontend-react
SHLVL=1
HOME=/home/datahub
AUTH_OIDC_DISCOVERY_URI=<https://accounts.google.com/.well-known/openid-configuration>
ELASTIC_CLIENT_PORT=9200
AUTH_OIDC_CLIENT_ID=<correct_OIDC_CLIENT>
AUTH_OIDC_CLIENT_SECRET=<correct_OIDC_SECRET>
AUTH_OIDC_ENABLED=true
AUTH_OIDC_USER_NAME_CLAIM=email
AUTH_OIDC_SCOPE="openid profile email"
TERM=xterm
Has anyone had a similar problem? How are you guys setting those variables?
e
Hey @steep-finland-24780 your config looks okay to me. Did you follow all the steps here to confirm that your integration is set up properly? https://datahubproject.io/docs/authentication/guides/sso/configure-oidc-react-google/
s
Hi @echoing-airport-49548 I did a similar configuration to get Google SSO on Metabase so I don't think the problem is the OAuth client credentials. I set up the .env file how the guide shows:
AUTH_OIDC_ENABLED=true
AUTH_OIDC_CLIENT_ID=<ID>
AUTH_OIDC_CLIENT_SECRET=<SECRET>
AUTH_OIDC_DISCOVERY_URI=<https://accounts.google.com/.well-known/openid-configuration>
AUTH_OIDC_BASE_URL=<https://my-datahub-url>
AUTH_OIDC_SCOPE="openid profile email"
AUTH_OIDC_USER_NAME_CLAIM=email
AUTH_OIDC_USER_NAME_CLAIM_REGEX=([^@]+)
I think it is something about not properly parsing the env variables. Tried removing the quotes and replacing them with single quotes but no luck there. If I set AUTH_OIDC_ENABLED=false everything works and I can log in to the datahub portal using my username+password. So I believe it is something on the front-end container.
e
the only difference I can see between your config and a config I've set up for Google SSO is that I set scope to be AUTH_OIDC_SCOPE = "openid email profile" instead of "openid profile email". would you mind trying that?
s
Wow it worked thank you @echoing-airport-49548.
e
Amazing, so glad to hear it!