Could not upgrade OAuth 2 token. HTTP status for remote endpoint: 0

Could not upgrade OAuth 2 token. HTTP status for remote endpoint: 0

by Suadad Najim. لجنة المتابعة المركزية -
Number of replies: 17

Hello , please who can help me with the following error ? I got it when I try to use Oauth2  to login to moodle using Google accounts , the Moodle version used  is 3.11 

Could not upgrade OAuth 2 token. HTTP status for remote endpoint: 0

More information about this error

×Debug info:
Error code: oauth2upgradetokenerror
×Stack trace:
  • line 580 of /lib/oauthlib.php: moodle_exception thrown
  • line 251 of /lib/classes/oauth2/client.php: call to oauth2_client->upgrade_token()
  • line 479 of /lib/oauthlib.php: call to core\oauth2\client->upgrade_token()
  • line 276 of /lib/classes/oauth2/client.php: call to oauth2_client->is_logged_in()
  • line 620 of /lib/classes/oauth2/api.php: call to core\oauth2\client->is_logged_in()
  • line 178 of /admin/tool/oauth2/issuers.php: call to core\oauth2\api::connect_system_account()

Average of ratings: -
In reply to Suadad Najim. لجنة المتابعة المركزية

Re: Could not upgrade OAuth 2 token. HTTP status for remote endpoint: 0

by Ken Task -
Picture of Particularly helpful Moodlers

https://docs.moodle.org/311/en/OAuth_2_services

https://docs.moodle.org/311/en/OAuth_2_services#Refreshing_Access_Token

https://docs.moodle.org/311/en/OAuth_2_Google_service

In /admin/tool/oauth2/issuers.php
does the Google setup show all checks 'green'
How about system account connected?

In Scheduled Task
admin/tool/task/scheduledtasks.php

Refresh OAuth tokens for service accounts \core\oauth2\refresh_system_tokens_task

What happens if you 'run now' @ the above task?

'SoS', Ken

Average of ratings: -
In reply to Ken Task

Re: Could not upgrade OAuth 2 token. HTTP status for remote endpoint: 0

by Suadad Najim. لجنة المتابعة المركزية -
Thanks for your interest....
Yes ,I have problem with with google checks as shown as bellow:
system account connected
I get the error showed int the previous post when I try to connect with system account or login  to Moodle with google account.
I hope your help in details because I'am have little information in Moodle.
Average of ratings: -
In reply to Suadad Najim. لجنة المتابعة المركزية

Re: Could not upgrade OAuth 2 token. HTTP status for remote endpoint: 0

by Ken Task -
Picture of Particularly helpful Moodlers

Last line of your debug:
line 178 of /admin/tool/oauth2/issuers.php: call to core\oauth2\api::connect_system_account()

In the "Google checks" (as you call it), the System Account shows a red X ... meaning it needs to be relinked.
Click the [-> icon.   That is to launch the Google end's Oauth2 Auth application (API).

You must use the same Google Account you used before in setup of Oauth2.  It's the account that has 'control' over the Google end API.   Where one setup Google end config ...

Review:

https://docs.moodle.org/311/en/OAuth_2_Google_service

and use:

https://console.developers.google.com/

If you had this working before, you do not have to setup a new Google Project.  Use the one used before.

Make sure the call back url in the Google End setup is correct for your site.

'SoS', Ken

Average of ratings: -
In reply to Ken Task

Re: Could not upgrade OAuth 2 token. HTTP status for remote endpoint: 0

by Ken Task -
Picture of Particularly helpful Moodlers

Follow up ... on the google end of config ... there are 3 tabs.

Must do all three tabs.

Verify Domain (that you are in control of the server).
I use the option for a static web page verification.
Google generates the contents of that page and tells you to name the .html file with a certain name.

Looks like - note: name of file and the verification code is an example and not one that is used ... to the best of my knowledge:

google23423gszslem34.html

Contents looks like:
google-site-verification: google23423gszslem34.html

I also have created a static terms of service page (tos.html) and
a privacy page (privacy.html) and put them at the root of document root on server -

NOT in Moodle content.  

In your case, if your moodle is at document root for the web server, those are pages that reside in the moodle code directory.

IF ... IF ... you update/upgrade your moodle using original directions that tell you to move out old code, acquire new, then copy back in config.php and plugins, you must also copy back in the google verification page, the TOS page, and the Privacy page.

'SoS', Ken

Average of ratings: -
In reply to Ken Task

Re: Could not upgrade OAuth 2 token. HTTP status for remote endpoint: 0

by Suadad Najim. لجنة المتابعة المركزية -

Thanks again Mr. Ken , I tried to apply your solutions like:
Google Drive repository and Google Drive converter setting and they give me a new screen (the google drive screen ) for system account ,I consider it a good thing ,but the error message still the same .
11

Now I need your help to refresh token, my question is: what the path of \core\oauth2\refresh_system_tokens_task please ?
Average of ratings: -
In reply to Suadad Najim. لجنة المتابعة المركزية

Re: Could not upgrade OAuth 2 token. HTTP status for remote endpoint: 0

by Ken Task -
Picture of Particularly helpful Moodlers

You did click 'Allow', right?

In moodle config of oauth2, scopes ... default is:

openid profile email

add to end of those above the following URL

https://www.googleapis.com/auth/drive

in both scopes boxes.

token refresh via CLI:

cd path/to/code/admin/tool/task/cli

php schedule_task.php --list |grep token

should show: \core\oauth2\refresh_system_tokens_task

execute just token refresh

php schedule_task.php --execute="\core\oauth2\refresh_system_tokens_task"

IF you set path to php-cli in moodle paths, you can use admin UX and 'run now' link in the row for that task.

 'SoS', Ken

Average of ratings: -
In reply to Ken Task

Re: Could not upgrade OAuth 2 token. HTTP status for remote endpoint: 0

by Suadad Najim. لجنة المتابعة المركزية -
Yes , I clicked 'Allow'.
and then I did the following :
Replaced the two boxes with the URL given by you. Right??
3
And then I tired to access 
core\oauth2\refresh_system_tokens_task   to refresh it
but I didn't found (RUN)
the next post contain the screens for 
core\oauth2\refresh_system_tokens_task



Average of ratings: -
In reply to Suadad Najim. لجنة المتابعة المركزية

Re: Could not upgrade OAuth 2 token. HTTP status for remote endpoint: 0

by Suadad Najim. لجنة المتابعة المركزية -

5 4

Average of ratings: -
In reply to Suadad Najim. لجنة المتابعة المركزية

Re: Could not upgrade OAuth 2 token. HTTP status for remote endpoint: 0

by Ken Task -
Picture of Particularly helpful Moodlers

Both scopes boxes should have:

openid profile email https://www.googleapis.com/auth/drive

in them.

IF you set path to php-cli in moodle paths then the
"Run Now" will appear.

https://yoursite/admin/settings.php?section=systempaths

First box: Path to PHP CLI ... normally that's /usr/bin/php

'SoS', Ken

Attachment Screen Shot 2021-09-01 at 4.55.41 PM.png
Attachment Screen Shot 2021-09-01 at 4.57.32 PM.png
Average of ratings: -
In reply to Ken Task

Re: Could not upgrade OAuth 2 token. HTTP status for remote endpoint: 0

by Suadad Najim. لجنة المتابعة المركزية -
Thank you Mr. Ken
1- I managed to run it ,but got the following warning messages :
6
2- I would like you can check and tell me what the URL for the  userinfo_endpoint? because it not cleared in the JOSN file ,I have only the following information in the JOSN file( ID,    secret ,    auth_uri,      token_uri,    auth_provider,   redirect_uris)

Average of ratings: -
In reply to Suadad Najim. لجنة المتابعة المركزية

Re: Could not upgrade OAuth 2 token. HTTP status for remote endpoint: 0

by Ken Task -
Picture of Particularly helpful Moodlers

escapeshellarg() has been disabled for security reasons
passthru() has been disabled for security reasons.

So it looks like your server config isn't allowing.

https://php.net/manual/en/function.escapeshellarg.php
https://www.php.net/manual/en/function.passthru.php

"I would like you can check and tell me what the URL for the  userinfo_endpoint?"

see attached screen shot ... you should not have to manually enter those!

Uhhh .... you can pull up those files it was warning about and see what code is on those lines just as well ... so time for you to dig on your own system ... don't you think?

There is a setting in the setup of Google Oauth2 ...

Authenticate token requests via HTTP headers

a check box.

/admin/tool/oauth2/issuers.php?id=1&action=edit

Mine is un-checked.

'SoS', Ken

Attachment Screen Shot 2021-09-01 at 10.52.24 PM.png
Average of ratings: -
In reply to Ken Task

Re: Could not upgrade OAuth 2 token. HTTP status for remote endpoint: 0

by Suadad Najim. لجنة المتابعة المركزية -
errorsHello Mr.Ken ...
I Hope a nice day for you...
We tried to change the setting of escapeshellarg() and passthru() but we also get a list of errors some of them the same of the previous , the following screenshot display the errors:

I would like to ask you to determine the place of the problem
Average of ratings: -
In reply to Suadad Najim. لجنة المتابعة المركزية

Re: Could not upgrade OAuth 2 token. HTTP status for remote endpoint: 0

by Ken Task -
Picture of Particularly helpful Moodlers

Is Service Account 'green' or 'checked'?

Also, that account is used to setup the IAM.   There is more than just the Credentials setup where one sets call back url, java script and sees/gets secret/key to use in Moodle.

Is that account a true 'service' account on the Google end?

On the Google end, have you set up all related configs ... see screen shot attached.


Attachment Screen Shot 2021-09-17 at 5.43.26 PM.png
Average of ratings: -
In reply to Suadad Najim. لجنة المتابعة المركزية

Re: Could not upgrade OAuth 2 token. HTTP status for remote endpoint: 0

by Ken Task -
Picture of Particularly helpful Moodlers

From command line, in code/admin/cli/ of a 3.11 highest version of Moodle, as root user, execute:

php scheduled_task.php --execute="\core\oauth2\refresh_system_tokens_task"

That will/should show:

Execute scheduled task: Refresh OAuth tokens for service accounts (core\oauth2\refresh_system_tokens_task)
... started 08:40:27. Current memory use 14MB.
... used 4 dbqueries
... used 0.05607795715332 seconds
Scheduled task complete: Refresh OAuth tokens for service accounts (core\oauth2\refresh_system_tokens_task)

NOTE: the last line ... tokens for service accounts.

So if the Service Account you've set in Moodle hasn't been fully setup on the Google end, I would think you'd see issues on the moodle end.

'SoS', Ken

Average of ratings: -
In reply to Suadad Najim. لجنة المتابعة المركزية

Re: Could not upgrade OAuth 2 token. HTTP status for remote endpoint: 0

by Leon Stringer -
Picture of Core developers Picture of Particularly helpful Moodlers

HTTP status for remote endpoint: 0 means that Moodle is not getting a response to its request to the OAuth 2 endpoint.

If there's no response then possibly Moodle can't actually make the HTTP request, it may be blocked by SELinux or a firewall.

(The OAuth 2 endpoint is the URL for the OAuth 2 function Moodle is trying to perform as listed under Configure endpoints for the service).

Average of ratings: -
In reply to Leon Stringer

Re: Could not upgrade OAuth 2 token. HTTP status for remote endpoint: 0

by Suadad Najim. لجنة المتابعة المركزية -
Hello, thank you for your interest
I'm starting to doubt the Urls used, it may be not correct, because the JSON file which I have, it does not have the same names of required URLs, please see the file below and try to determine the URL of the user info endpoint.

"auth_uri":"https://accounts.google.com/o/oauth2/auth"

"token_uri":"https://oauth2.googleapis.com/token"

"auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs"

"redirect_uris":["https://nippur.qu.edu.iq/admin/oauth2callback.php"]

"javascript_origins":["https://nippur.qu.edu.iq"]}}
Thanks again
Average of ratings: -