API autentication with sso login

General Discussions
,
1

hi all I’m using my google account to get connected to mender UI
I’m about to try to setup a pre-authorization process and try to get access to rest API
but how can I do when using a google account when trying to get the JWT even if I enter my google account pass it will not work as sso auth dont work like this …
if anyone has an idea how to get this working ?

2

Can you share specific commands you are executing that are not working?

Drew

3 
$ MENDER_SERVER_URI='https://hosted.mender.io'
$ MENDER_SERVER_USER='myemail'
$ JWT=$(curl -X POST -u $MENDER_SERVER_USER $MENDER_SERVER_URI/api/management/v1/useradm/auth/login)

but as my account is google linked one ( and not a mender sub)

$ source env.sh
Enter host password for user '<myemail>':
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    76  100    76    0     0    110      0 --:--:-- --:--:-- --:--:--   110
$ echo $JWT
{"error":"unauthorized","request_id":"10f8b728-31fa-455c-aa60-33ccc8202e77"}

i have tested with a blank new account created on mender ui and it work great except I cant attach it to my existing organization ( I supressed the second account and tried to create a new used under my first account organisation and I get :

There was an error creating the user. internal error [Request ID: 1c9a3fea]

4

ok I found another solution by adding another non pre existing user

5

OK. I’m not sure how the Google account linking works. It may indeed be a limitation that 2FA based Google accounts cannot use the API.

@tranchitella can you comment?

Drew

6

@profff what you found out is correct: you cannot use OAuth 2.0 users (Google/GitHub) to get programmatic access to the APIs. You need to create a standard/password-based user in your tenant and use that to authenticate before consuming the APIs end-point.

If you still have issues with your users, feel free to reach the support by email, and we’ll fix it: an email address can be linked to a single tenant only; if you have multiple trial tenants adding the same email address as a user can fail.

7

thank’s all for your help

8

@tranchitella Is this still the case in March 2023?
“you cannot use OAuth 2.0 users (Google/GitHub) to get programmatic access to the APIs.”

9

Correct @kbroughton