Google Sign-In: PERMISSION_DENIED Legacy People API has not been used in project X before or it is disabled

I’m having an issue with Google Sign-On. When I click the Google Sign In link in my Keycloak instance, it takes me over to Google’s Consent Screen to sign in. After I successfully sign in, it redirects me back to my app, but there’s an error message on the screen saying there was a generic error that occurred.

I checked the error message in Keycloak that I’m getting. See Keycloak logs below:

Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]: 00:20:36,213 WARN  [org.keycloak.events] (default task-28) type=LOGIN_ERROR, realmId=testrealm, clientId=null, userId=null, ipAddress=XX.XX.XXX.XXX, error=identity_provider_login_failure
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at java.lang.Thread.run(Thread.java:748)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]: Caused by: org.keycloak.broker.provider.IdentityBrokerException: Failed to invoke on user info url: {
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:   "error": {
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:     "code": 403,
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:     "message": "Legacy People API has not been used in project XXX before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/legacypeople.googleapis.com/
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:     "status": "PERMISSION_DENIED",
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:     "details": [
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:       {
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         "@type": "type.googleapis.com/google.rpc.Help",
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         "links": [
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:           {
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:             "description": "Google developers console API activation",
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:             "url": "https://console.developers.google.com/apis/api/legacypeople.googleapis.com/overview?project=XXX"
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:           }
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         ]
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:       }
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:     ]
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:   }
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]: }
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at org.keycloak.broker.oidc.OIDCIdentityProvider.extractIdentity(OIDCIdentityProvider.java:392)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:351)
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]:         ... 72 more
Feb 26 00:20:36 ip-XXX-XX-XX-XXX standalone.sh[4630]: 00:20:36,213 WARN  [org.keycloak.events] (default task-28) type=LOGIN_ERROR, realmId=testrealm, clientId=null, userId=null, ipAddress=XX.XX.XXX.XXX, error=identity_provider_login_failure

It looks like Google has deprecated the Legacy People API that Keycloak uses for Google Login.

The Legacy People API can no longer be used or enabled. Was there a recent release of Keycloak that uses the new Google People API endpoints, or can I configure Keycloak to use the new API endpoints somewhere?

I see there was a change to services/src/main/java/org/keycloak/social/google/GoogleIdentityProvider.java, done 14 months ago to support the new API endpoints, that was part of KEYCLOAK-9169, which it looks like was part of the 4.8.3-Final release.
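
A triage helper for the log above, added here as an example and not part of the original post or of Keycloak: it strips the journald prefix, reassembles the Google userinfo error body, and reports the HTTP code, status and the Google service named in the activation link, even when a line was cut at terminal width as the "message" line is above. The function names and the sample lines are constructed for illustration.

```python
import json
import re

# journald prefix as in the log above: "Feb 26 00:20:36 <host> standalone.sh[4630]: "
PREFIX = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ \S+\[\d+\]: ?")
MARKER = "Failed to invoke on user info url:"
SERVICE = re.compile(r"/apis/api/([a-z0-9.-]+\.googleapis\.com)")
FIELD = {"code": re.compile(r'"code":\s*(\d+)'), "status": re.compile(r'"status":\s*"(\w+)"')}

def summarise(text):
    """Summarise one error body; the regexes still work when the JSON is incomplete."""
    hit = {k: rx.search(text) for k, rx in FIELD.items()}
    svc = SERVICE.search(text)
    try:
        json.loads(text)
        complete = True
    except ValueError:  # e.g. a "message" line cut at terminal width
        complete = False
    return {"code": int(hit["code"].group(1)) if hit["code"] else None,
            "status": hit["status"].group(1) if hit["status"] else None,
            "service": svc.group(1) if svc else None,
            "complete_json": complete}

def upstream_errors(lines):
    """Return one summary per userinfo failure found in Keycloak journal lines."""
    results, body, depth = [], None, 0
    for raw in lines:
        line = PREFIX.sub("", raw.rstrip("\n"))
        if body is None:
            if MARKER not in line:
                continue
            line, body, depth = line.split(MARKER, 1)[1], [], 0
        body.append(line)
        # Assumption: no braces inside JSON strings, which holds for this payload.
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            results.append(summarise("\n".join(body)))
            body = None
    return results

P = "Feb 26 00:20:36 host-example standalone.sh[4630]: "  # constructed sample lines
SAMPLE = [P + s for s in (
    "Caused by: org.keycloak.broker.provider.IdentityBrokerException: " + MARKER + " {",
    '  "error": {', '    "code": 403,',
    '    "message": "Legacy People API ... https://console.developers.google.com/apis/api/legacypeople.googleapis.com/',
    '    "status": "PERMISSION_DENIED"',
    "  }", "}",
    "        at org.keycloak.broker.oidc.OIDCIdentityProvider.extractIdentity(OIDCIdentityProvider.java:392)",
)]
```

Calling `upstream_errors(SAMPLE)` returns a single summary naming `legacypeople.googleapis.com`, with `complete_json` set to `False` because the sample's message line is truncated.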