Error: deleted_client - Google/OAuth login stopped working?


#1

Hi,

We’ve been happily using our own installation of Phabricator configured to allow login through Google/OAuth for at least a year now.

For various reasons we needed to reboot our server yesterday, and since then we’ve been seeing the following:

  1. Navigate to our phabricator URL.
  2. Redirect to the Auth > Login page with the “Log In or Register / Google” button.
  3. Hit the login button, and end up on a Google page that says:

1. That’s an error.

Error: deleted_client
The OAuth client was deleted.
Request Details
client_id=877249565377-agmeq3s8ouoqntc2adufe3m98bcb807b.apps.googleusercontent.com
scope=email profile
redirect_uri=https://phabricator2.iha.org/oauth/google/login/
state=98b28fd0da3de2a388236bffa4c7e203ec9a9614
response_type=code
That’s all we know.
Is there something that we might be missing with our setup? Thanks!


#2

From a quick googling, it looks like this just means your OAuth app in Google was disabled or deleted.
Possible reasons include “Google changed terms and you need to sign again”, or “it was a developer account and has timed out”, or many other things.

You need to find the existing Google app and figure out why it’s out. If it was really deleted, you’ll need to create a new one.


#3

Hi, thanks. I think I’ve seen the same links that you’re referencing.
Since Phabricator itself is the application in this case I’m not in control of the developer account, which is why I was posting the question here.


#4

When you configure OAuth in Phabricator, you need to create an Application entry in Google, and paste the secret in Phabricator; Phabricator doesn’t create it for you.
You can see the application id (and maybe the secret too) in Phabricator under /auth -> configure Google.


#5

Ok thanks, that makes sense then.
… and I just learned about phabricator/ $ ./bin/auth recover <username> so I should be able to resolve things; thanks!


#6

Hi @avivey, thanks for your previous clarification of my misunderstanding about how OAuth configuration works.
We’re still having a problem, however.

I was able to successfully use the administrator recovery process to re-configure Phabricator with a new application client id and secret to connect Phabricator with Google’s OAuth/identity server.

However, when another user tried to log into Phabricator, they were told that their account already existed (which is true), and that they would need to link their existing account with Google’s external account through the settings for their user. But since they can’t log in, they aren’t able to complete this process. I’m an administrator on our site, but when I go to that user’s “manage” page I’m unable to access their settings to complete the process for them.

  1. Is there a way to configure myself as a “super admin” so that I can configure other users’ settings?
  2. Or, is there a way to link a user’s account to an external account through the command line?
  3. Or, is there a way for the user to log in a different way into their “existing account”? (Like the administrator recover but for normal users?)
  4. Or is there another alternative that I’m not considering?

I was able to resolve the situation for this particular user by making them an administrator and then using the administrator recover process to get a link that gets them into their account, but it would be great if I didn’t have to go through those steps for other users who encounter this problem.

Thanks!


#7

I think the only way to move forward now is for each user to get the “forgot password” email, log in through that, and then either “refresh” the login or unlink and link again. An admin can send the user the “Send Welcome Email”, which is the same thing, only funnily named.

For the specific questions:

  1. “Super admin” - no, there’s no such thing. The way to do things you can’t normally is all via the CLI tools.
  2. Re-link from the CLI - I don’t think so; I think that would require being able to log into Google as the user, which is obviously not possible.
  3. Another way to log in - there’s the “forgot password”/“Send Welcome Email” flow. I don’t know if there’s a way to do it from the CLI, but I can try to look for one tonight (I don’t have an env here).

You can maybe enable the Password login, which exposes the “forgot password” link to all users; or maybe there’s a way to systematically send that to everybody; or maybe http://<your install>/login/email/ would just work even if the password login?