A Google account from @umich.edu is unable to sign in

[rogerdahl]

This issue affects only a single Google account from @umich.edu. We have other Google accounts from @umich.edu successfully signing in.

Exception:

2024-11-20 03:59:34,954 [245485] DEBUG    idp.google: login_google() [...]
2024-11-20 03:59:39,858 [245486] DEBUG    idp.google: login_google_callback() target="https:/ezeml.edirepository.org/eml/auth/login"
2024-11-20 03:59:39,865 [245486] DEBUG    urllib3.connectionpool: Starting new HTTPS connection (1): accounts.google.com:443
2024-11-20 03:59:39,994 [245486] DEBUG    urllib3.connectionpool: https://accounts.google.com:443 "GET /.well-known/openid-configuration HTTP/11" 200 1268
2024-11-20 03:59:39,998 [245486] DEBUG    urllib3.connectionpool: Starting new HTTPS connection (1): oauth2.googleapis.com:443
2024-11-20 03:59:40,189 [245486] DEBUG    urllib3.connectionpool: https://oauth2.googleapis.com:443 "POST /token HTTP/11" 400 None
2024-11-20 03:59:40,191 [245486] ERROR    idp.google: Login unsuccessful: {
  "error": "redirect_uri_mismatch",
  "error_description": "Bad Request"
}
Traceback (most recent call last):
  File "/home/pasta/auth/webapp/idp/google.py", line 107, in login_google_callback
    client.parse_request_body_response(token_response.text)
  File "/home/pasta/miniconda3/envs/auth/lib/python3.11/site-packages/oauthlib/oauth2/rfc6749/clients/base.py", line 427, in parse_request_body_response
    self.token = parse_token_response(body, scope=scope)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/pasta/miniconda3/envs/auth/lib/python3.11/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 441, in parse_token_response
    validate_token_parameters(params)
  File "/home/pasta/miniconda3/envs/auth/lib/python3.11/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 448, in validate_token_parameters
    raise_from_error(params.get('error'), params)
  File "/home/pasta/miniconda3/envs/auth/lib/python3.11/site-packages/oauthlib/oauth2/rfc6749/errors.py", line 400, in raise_from_error
    raise CustomOAuth2Error(error=error, **kwargs)
oauthlib.oauth2.rfc6749.errors.CustomOAuth2Error: (redirect_uri_mismatch) Bad Request

Notes:

• We are sending the same redirect_uri for the failing sign-in, as for successful ones.
• The issue is persistent for the one account. Logs do not show the error for any other accounts, either from umich.edu, or others.
• Sign in has been tested both from a regular browser window, and from an incognito window, where all credentials were re-entered.
• We do not know which browser or OS was used.

Todo:

• Though it seems unlikely, we have deleted and re-entered the redirect_uris, just in case this is an issue with out-of-sync servers at Google. The next step is for the user to try signing in again, to see if the issue is resolved.
• We will also ask the user to try signing in on auth-d, which runs a much newer version of Authn.
• If all else fails, we may require the user to sign in with another account, and then move their work over to that account.