Google oauth2 403 Forbidden Error


by Nicholas Fahey -
Number of replies: 12

Hi all,

I had oauth2 up and running with drive on my site for over 2 weeks until this morning. 

Now oauth2 is sending users out to google, they login, and then when returned to moodle the error appears. 

I tried updating to latest version, updated php, and fixed cron, and tried creating a new key. Nothing.

I don't think it would be the endpoints because it is using the default google ones. 

Manual logins work fine. 

No permissions were changed before the error. 

In reply to Nicholas Fahey

Re: Google oauth2 403 Forbidden Error

by Nicholas Fahey -

Moodle is being hosted on Site5

This happened once before and I had to completely wipe it and reinstall.

I read elsewhere that this might be an Apache error. If so would this be an issue for my hosting provider?

If I have to reinstall, will I be able to keep my existing users?

I have just begun the course with my students so a new start would not be catastrophic, but, I'd like to prevent this from happening in the future. 

Here is a video that shows what happens:

https://drive.google.com/file/d/1th5f_lfNxYLC5niSU_qA31y6wnDXiD2Z/view?usp=sharing 

This also happens when trying to link a system account.

Any suggestions?

Thank you in advance.

In reply to Nicholas Fahey

Re: Google oauth2 403 Forbidden Error

by Ken Task -

The 403 Forbidden error screen you shared had what appeared to be 'helpful links' - couldn't make out exactly what it said (copy and paste of text to this forum would have been better, BTW).

* One of them mentioned .htaccess ... the others?  .htaccess errors are apache config issues, typically.

With Google oauth2, if the errors are coming from Google, you should be seeing a Google screen of some sort.   The 403 errors seem to be coming from  your server.

So far we know Site 5 ... but other than that, not much to go on to make any suggestions other than * above.

Can you access apache error logs on your server?

Have you turned on debugging in Moodle to see what it might report?

Also wouldn't hurt to mention what version of Moodle and if you are using a 3rd party plugin for Oauth2 authentication to Google.

'spirit of sharing', Ken


In reply to Ken Task

Re: Google oauth2 403 Forbidden Error

by Nicholas Fahey -

Thank you for your help.

Moodle version = 3.5.2

Using the built in Oauth2 plugin

The 403 error is the server's default page, which reads:


I have looked at the .htaccess file; it reads:
deny from all
AllowOverride None
Note: this file is broken intentionally, we do not want anybody to undo it in subdirectory!
I tried changing it to allow from all; that did not work.

The permissions are set at 755 for folders and 644 for files in moodle/auth. 

I have also made a ticket with my hosting provider: Site5.com which is a shared hosting site using cpanel. 

This is the error message on cpanel:

[Fri Sep 14 06:39:18 2018] [error] [client 161.77.39.114] File does not exist: /home1/fabledle/moodle.fabledlearning.com/favicon.ico, referer: https://moodle.fabledlearning.com/admin/oauth2callback.php?state=/admin/tool/oauth2/issuers.php?sesskey%3DOt6KWvj4mp%26id%3D4%26action%3Dauth%26confirm%3D1%26response%3D1&code=4/WQDC-ZeHBjXlsvII7TBRlJB_oM_EkVfpiyr6tv_w5rM_1kandPnE5OxXTxPSLjzvHGGjH5m6IqkR4Q3jc9NJlKg&scope=https://www.googleapis.com/auth/plus.me+https://www.googleapis.com/auth/userinfo.profile+https://www.googleapis.com/auth/userinfo.email+https://www.googleapis.com/auth/drive&authuser=0&hd=pittsfield.net&session_state=169418285ed19fb2df0f5d95aae1a2f3f26f9cb6..1825&prompt=consent

In reply to Nicholas Fahey

Re: Google oauth2 403 Forbidden Error

by Ken Task -

Oops ... might be too much info ... however:

In attempts to login to your site using Google:

403. That’s an error.
Error: org_internal
Application: Fabled Learning

** This client is restricted to users within its organization.**

The above is the key, methinks.

Have never seen that, and I have several sites that use Google's authentication! But those sites are not restricted to a domain, etc. Does your school have/use a Google for Education domain?

So the only thing I can suggest is to review the entire setup.

https://docs.moodle.org/35/en/OAuth_2_Google_service

'spirit of sharing', Ken


In reply to Ken Task

Re: Google oauth2 403 Forbidden Error

by Nicholas Fahey -

I have reviewed the setup and tried creating a new google console project with new credentials: It did not work.

I tried setting up Facebook oauth2 and that seems to work fine. 

We do have a Google Education Domain, and I do not have full admin privileges, but I can still create a project with credentials. Maybe this is the culprit?

However, I tried creating Google oauth2 credentials with a personal gmail account and received the same 403 error. 

I've put in several tickets with my hosting provider.

I've been looking at error logs:

Here in auth/oauth2:

[14-Sep-2018 11:39:20 America/New_York] Default exception handler: Your session has most likely timed out. Please log in again. Debug: 
Error code: invalidsesskey
* line 482 of /lib/setuplib.php: moodle_exception thrown
* line 85 of /lib/sessionlib.php: call to print_error()
* line 30 of /auth/oauth2/login.php: call to require_sesskey()

and in admin:

[14-Sep-2018 20:32:17 America/New_York] Default exception handler: A required parameter (code) was missing Debug: 
Error code: missingparam
* line 482 of /lib/setuplib.php: moodle_exception thrown
* line 573 of /lib/moodlelib.php: call to print_error()
* line 45 of /admin/oauth2callback.php: call to required_param()

[14-Sep-2018 21:17:30 America/New_York] Default exception handler: error/access_denied Debug: 
Error code: access_denied
$a contents: 
* line 482 of /lib/setuplib.php: moodle_exception thrown
* line 39 of /admin/oauth2callback.php: call to print_error()
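
A small triage helper for the two log formats in this thread, added here as an example and not Moodle's own code: it groups error_log blocks like the ones above by error code and originating script, and classifies an oauth2callback.php redirect URL (such as the one in the Apache referer quoted earlier) in the same order the callback script checks it, which is what produces error/access_denied versus missingparam. The sample log is constructed from the entries in this thread; the URLs in the test are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the error_log format quoted in this thread (two of its blocks).
SAMPLE_LOG = """[14-Sep-2018 11:39:20 America/New_York] Default exception handler: Your session has most likely timed out. Please log in again. Debug:
Error code: invalidsesskey
* line 482 of /lib/setuplib.php: moodle_exception thrown
* line 85 of /lib/sessionlib.php: call to print_error()
* line 30 of /auth/oauth2/login.php: call to require_sesskey()
[14-Sep-2018 20:32:17 America/New_York] Default exception handler: A required parameter (code) was missing Debug:
Error code: missingparam
* line 482 of /lib/setuplib.php: moodle_exception thrown
* line 573 of /lib/moodlelib.php: call to print_error()
* line 45 of /admin/oauth2callback.php: call to required_param()
"""

ENTRY_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] Default exception handler: (?P<msg>.*)$")
FRAME_RE = re.compile(r"^\* line (?P<line>\d+) of (?P<file>\S+): (?P<what>.*)$")


def parse_moodle_log(text):
    """Group 'Default exception handler' blocks into dicts: timestamp, message, code, frames."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"ts": m.group("ts"), "msg": m.group("msg"), "code": None, "frames": []})
            continue
        if not entries:
            continue  # stray line before the first block header
        if line.startswith("Error code: "):
            entries[-1]["code"] = line[len("Error code: "):]
        f = FRAME_RE.match(line)
        if f:
            entries[-1]["frames"].append((f.group("file"), int(f.group("line")), f.group("what")))
    return entries


def origin_of(entry):
    """Script that handled the failing request: the last (outermost) frame in the block."""
    return entry["frames"][-1][0] if entry["frames"] else None


def classify_callback(url):
    """Classify a redirect back to /admin/oauth2callback.php: an 'error' parameter (Google
    refused; Moodle reports error/<value>) is checked before a missing 'code' parameter."""
    q = parse_qs(urlsplit(url).query)
    if "error" in q:
        return "error:" + q["error"][0]
    if "code" not in q:
        return "missingparam:code"  # required_param('code') throws
    return "ok"
```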


In reply to Nicholas Fahey

Re: Google oauth2 403 Forbidden Error

by Ken Task -

Will send to your other gmail account my  contact info and other information.

Think we are needing to share information which should not be posted in a public forum.

Ken


In reply to Nicholas Fahey

Re: Google oauth2 403 Forbidden Error

by Fundación ESQUEL -

I have the same problem with OAuth with Google. I changed the configuration and created a new ID on the console and have the same error. If you solved the problem, please help us.

Thank You

In reply to Fundación ESQUEL

Re: Google oauth2 403 Forbidden Error

by Russ Wills -

I'm having the same problem. error_log files show similar errors as above, and Chrome's dev tools show a 403 error at https://student.pillar.edu/admin/oauth2callback.php?state=/auth/oauth2/login.php?wantsurl%3Dhttps%253A...

Login works fine when all users are logged out of Google. If a user is already logged in to Google (including the user logging in to Moodle), I get the error. 

Any thoughts? 

In reply to Russ Wills

Re: Google oauth2 403 Forbidden Error

by Ken Task -

What are ownerships/permissions on moodledata/sessions/ ?   You are using files instead of DB, correct?

403 is access denied.   Mind sharing a screen shot of the 403 screen users get?   Moodle error screens and apache/iis operating system error screens are not the same.

The first error reported above in another posting, references this line:

Line 482 of lib/setuplib.php ... is in this section .... comment above the line:

/**
 * Abort execution by throwing of a general exception,
 * default exception handler displays the error message in most cases.
 *
 * @param string $errorcode The name of the language string containing the error message.
 *    Normally this should be in the error.php lang file.
 * @param string $module The language file to get the error message from.
 * @param string $link The url where the user will be prompted to continue.
 *    If no url is provided the user will be directed to the site index page.
 * @param object $a Extra words and phrases that might be required in the error string
 * @param string $debuginfo optional debugging information
 * @return void, always throws exception!
 */
function print_error($errorcode, $module = 'error', $link = '', $a = null, $debuginfo = null) {
    throw new moodle_exception($errorcode, $module, $link, $a, $debuginfo);
}

If one is already logged onto Google, what does one see via:

https://myaccount.google.com/

Have there been any EMail notifications about the system account used for config of Oauth2 needs to refresh token?

There is a scheduled task for refreshing the system account:

Refresh OAuth tokens for service accounts - default is to run every 30 minutes.  What happens if you 'run now'?

Have found that IF I take care of that notice as soon as I get the EMail, no issues. If I wait a day ... might be getting a notice often via EMail ... I then have trouble getting things back in sync and the Google Oauth2 logins working again.

'spirit of sharing', Ken


In reply to Ken Task

Re: Google oauth2 403 Forbidden Error

by Russ Wills -

Thank you for the quick response, Ken.  

I know enough to be the one my college put on this troubleshooting job, but not enough to fix the problem or even answer all your questions. (Not a really good position to be in!) 

After playing more with the site I managed to break something else, so I have no screenshots at the moment. But I'll get it working. Oh, yes, I WILL get this working! (Worst case I'll get it working enough that I can update this post with screenshots.)

What are ownerships/permissions on moodledata/sessions/ ?   You are using files instead of DB, correct?

Permissions on moodledata/sessions/ are 755, and yes, using files. 

403 is access denied.   Mind sharing a screen shot of the 403 screen users get?   Moodle error screens and apache/iis operating system error screens are not the same.

I see the 403 error in Chrome's Developer tools. Part of my problem is I can't see user errors. After logging in to Google, the page returns to https://student.pillar.edu/admin/oauth2callback.php but shows the home page (student.pillar.com/index.php)

The first error reported above in another posting, references this line:

Line 482 of lib/setuplib.php ... is in this section .... comment above the line:

/**
 * Abort execution by throwing of a general exception,
 * default exception handler displays the error message in most cases.
 *
 * @param string $errorcode The name of the language string containing the error message.
 *    Normally this should be in the error.php lang file.
 * @param string $module The language file to get the error message from.
 * @param string $link The url where the user will be prompted to continue.
 *    If no url is provided the user will be directed to the site index page.
 * @param object $a Extra words and phrases that might be required in the error string
 * @param string $debuginfo optional debugging information
 * @return void, always throws exception!
 */
function print_error($errorcode, $module = 'error', $link = '', $a = null, $debuginfo = null) {
    throw new moodle_exception($errorcode, $module, $link, $a, $debuginfo);
}

I see that line as shown here. Not sure what to make of it, though. 

 

If one is already logged onto Google, what does one see via:

https://myaccount.google.com/

This page shows what I would expect (attached). If there is something else you need to see, just let me know.

Have there been any EMail notifications about the system account used for config of Oauth2 needs to refresh token?

Nothing

There is a scheduled task for refreshing the system account:

Refresh OAuth tokens for service accounts - default is to run every 30 minutes.  What happens if you 'run now'?

Not sure where to find this. Is this in Moodle or Google? 

Have found that IF I take care of that notice as soon as I get the EMail, no issues. If I wait a day ... might be getting a notice often via EMail ... I then have trouble getting things back in sync and the Google Oauth2 logins working again.


Thank you again for your help! I will post more info as I find it. And if (when!) I find a solution I will post it. Any input in the meantime will be greatly appreciated. 


In reply to Russ Wills

Re: Google oauth2 403 Forbidden Error

by Ken Task -

There has been at least one other poster that had a similar issue with 403's ... not resolved, BTW. The 403 screen shared appeared to be a Site 5 error screen - not a Moodle screen - and had to do with an .htaccess file using suPHP (no longer supported nor updated). Dunno if the poster gave up or worked with the provider to fix it or not.

If your server is running 'protective' additions ... like suPHP or some such ... they could be the problem.

The refresh token task can be found in the task list.

https://yourserver/admin/tool/task/scheduledtasks.php

There is a run now link for it.

Google can hiccup from time to time ... just like everything else. The trouble with such setups: Google really doesn't have a place for one to go to look at error logs ... at least I've never found such a thing.

The bottom line ... you are going to have to learn your system and how to admin it ... that isn't the focus of these forums.  Not that folks don't want to help ... but such issues could be very time consuming ... and for free?   Best anyone could do is 'educated guesses' and even those could be sending you down a rabbit hole! :\

'spirit of sharing', Ken



In reply to Ken Task

Re: Google oauth2 403 Forbidden Error

by Russ Wills -

Thank you, Ken! I still have not solved the problem, but your input has been extremely helpful. If/when I solve the problem I will post here for those having similar problems.