Google contacts authentication problem with U-O-A (Trusty,Vivid - Unity7)

Bug #1399953 reported by Khurshid Alam
40
This bug affects 8 people
Affects Status Importance Assigned to Milestone
account-plugins (Ubuntu)
Invalid
High
Unassigned
evolution-data-server (Ubuntu)
Expired
High
Unassigned

Bug Description

I simply can not access Google-Contacts with Ubuntu Online Accounts. After I enabled EDS contacts, If I open evolution & click on the address-book list, it shows following error:

"GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._e_2dclient_2derror_2dquark.Code5: Authentication required".

I tried to revoke access for UOA from google accounts, & re-authorize it. But it did not help. However google-calendar integration is working fine. And if log into gnome-shell & add my Google account in Gnome-Online-Accounts(G-O-A), contacts works as well. The problem only appearing for google-contacts in UOA. And I couldn't find anything significant in syslog.

I have multiple google accounts enabled in UOA.

Here is some more information:

khurshid@mypc:~$ ag-tool list-enabled 11
----------------------------------------------------------------------
Type Service Name
---- ------------
IM google-im
contacts google-contacts
documents google-drive

khurshid@mypc:~$ account-console show 11 | grep Cred
--------------------------------------------------------------------------------------
CredentialsId: 14 (<class 'int'>)

khurshid@mypc:~$ strings ~/.cache/signon-ui/cookies/14.jar
---------------------------------------------------------------------------------------
<GALX=IZLpIn1Fakc; secure; domain=accounts.google.com; path=/
GAPS=1:9VjmZnLpxD0TzDbRqMElmGKRyLMg:qrKFg6yRv_4g6hT; secure; HttpOnly; expires=Tue, 29-Nov-2016 13:35:15 GMT; domain=accounts.google.com; path=/
NID=67=goKtbf0sx5dy_HuXXCG5EEfPfrTKyL_7iIDBf5aNjaA843PF1lAu3pbDjY5jvH5s-FcY81k_a-0gQpI7RymkAq_apdelo_lpkPrnVW_q7N6h8_a59sN3iNKhGJ5G_dsgYf56FT; HttpOnly; expires=Mon, 01-Jun-2015 13:35:15 GMT; domain=.google.com; path=/
SID=DQAAAPEAAACXK66HAgH7SV83LSOjKN_ZQPiR7qCeL7Yk9p98HlYTGNET_CH2lTTWvj2jPhQasPf78TcT0cc_lRNO7wU-TuXQl2JPj28PJXaxxbX1NZBYrt-qdhtTwrRk2qiewRN1QPH2AuYtaJTsbX5PNsy-o-uxiFGCTD5u0QTYOTdGvCu1UD9lZs5fUdtLbq; expires=Tue, 29-Nov-2016 13:35:15 GMT; domain=.google.com; path=/
LSID=lso|s.IN:DQAAAPAAAMxO_ttZTWoynoEsoHEt_zDEgk7pXkbqdQ9bnogq4HcnCNOAM8nxRsnqBWLmTF5AkgWc0XY-qjU_SI_K9JX_pBpaIAtq0o1hBZD0sbQB_Lw81Twwqewnj4J68K3aS0OcVnEm_S0G_MBtzbV-T26lcxwHGheh8mhtUpIDdUnvpjdFbQTe-fLwd4UsTku7s; secure; HttpOnly; expires=Tue, 29-Nov-2016 13:35:15 GMT; domain=accounts.google.com; path=/
cHSID=AYLDuiTZv-sSOmfy; HttpOnly; expires=Tue, 29-Nov-2016 13:35:15 GMT; domain=.google.com; path=/
kSSID=AqfiEDXUGfWBBl9; secure; HttpOnly; expires=Tue, 29-Nov-2016 13:35:15 GMT; domain=.google.com; path=/
lAPISID=Q0uvxSM2ZHgNs8L4/AR76LUN_S_xqCq2; expires=Tue, 29-Nov-2016 13:35:15 GMT; domain=.google.com; path=/
uSAPISID=bcf2oH6xaV8r1-/AIol-KZlQU551Z0uT; secure; expires=Tue, 29-Nov-2016 13:35:15 GMT; domain=.google.com; path=/
ACCOUNT_CHOOSER=AFx_qI6UxIzXMxLi2j9QUAAymv8WTOJR; secure; HttpOnly; expires=Tue, 29-Nov-2016 13:35:15 GMT; domain=accounts.google.com; path=/
NID=67=I2DxXlt4TwixPqUzJOOKAUifcVobnGLasEaA31uwxPwfORegpkxpdcdUK-upq-8V2ZB5FDFGJEb3K4T5rZVyI7cBN2ZpGZwLQrwBLggtz1KBJTK_eA; HttpOnly; expires=Mon, 01-Jun-2015 13:35:18 GMT; domain=.google.co.in; path=/
SID=DQAAAPAAAACXK66HAgH7SV83MLSOjKN_ZQPiR7qCeL7Yk9p98HYTGNET_CH2lTTWvj2jPhQasPf78TcT0cc_lRNOGRjTjTmV2maEhHLzTqJFQ-TMDyKueBLR_-4fcC2gUW-0lALMCuGaaTY0DX7wU-TuXQl2JPj28PJXaxxbX1NZBYrt-qdhtTwrRk2qieuSYguA2bKAdnvxtmKfD9ElQoSc; expires=Tue, 29-Nov-2016 13:35:18 GMT; domain=.google.co.in; path=/
eHSID=Au4nSmb8XraQ99XrQ; HttpOnly; expires=Tue, 29-Nov-2016 13:35:18 GMT; domain=.google.co.in; path=/
mSSID=ACnCCS4X8GYIqpMrF; secure; HttpOnly; expires=Tue, 29-Nov-2016 13:35:18 GMT; domain=.google.co.in; path=/
nAPISID=Q0uvxSM2ZHgNs4/AR76LUN_S_XVxqCq2; expires=Tue, 29-Nov-2016 13:35:18 GMT; domain=.google.co.in; path=/
wSAPISID=bcf2oH6YWx8r1-/AIol-KZlQU551Z0uT; secure; expires=Tue, 29-Nov-2016 13:35:18 GMT; domain=.google.co.in; path=/
LSOSID=DQAAAPnyGDiPN1Xi8giBFN-FOwwjVkTtCvqAaxuOg4mLjKW1k_NqKdZh; secure; HttpOnly; expires=Tue, 29-Nov-2016 13:35:19 GMT; domain=accounts.google.com; path=/o

version:
--------------------------------------------------------------------
libaccount-plugin-google: 0.11+14.04.20140409.1-0ubuntu1
evolution-data-server: 3.10.4-0ubuntu1.5

Tags: trusty vivid
description: updated
description: updated
Revision history for this message
Alberto Mardegan (mardy) wrote :

I can reproduce this as well. I'll try to figure out what's happening.

Changed in account-plugins (Ubuntu):
status: New → Confirmed
Revision history for this message
Alberto Mardegan (mardy) wrote :
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in evolution-data-server (Ubuntu):
status: New → Confirmed
Revision history for this message
J (tigermonkey33) wrote :
Revision history for this message
Khurshid Alam (khurshid-alam) wrote :

I can reproduce this bug in Vivid as well (evolution-data-server 3.12.9-0ubuntu2).

@Jonathan Yes, when we are authenticating separately with evolution or through Gnome-Online-Accounts, it works. Only time its fails when it tries to authenticate google-contacts through Ubuntu-Online-Acoounts. May be something wrong with google-contacts apikey/token that UOA uses?

Also the workaround doesn't work for application which depends on UOA. For example, Ubuntu generates extra binary (syncevolution-provider-uoa) for syncevolution to make it work with UOA. But when following command is executed,

SYNCEVOLUTION_DEBUG=1 syncevolution --print-databases --daemon=no loglevel=2 backend=carddav username=uoa:3,google-contacts syncURL=https://www.googleapis.com/.well-known/carddav

it gives "Access denied ; Neon error code 1: 403 Forbidden" error.

summary: - Google contacts authentication problem with U-O-A (Trusty, Unity7)
+ Google contacts authentication problem with U-O-A (Trusty,Vivid -
+ Unity7)
tags: added: vivid
Changed in account-plugins (Ubuntu):
importance: Undecided → High
Changed in evolution-data-server (Ubuntu):
importance: Undecided → High
Revision history for this message
Joshua Hughes (josh-highjinx) wrote :

I deleted my default keyring and all accounts in UOA. After a restart, I re-created the online accounts and a new default keyring. The Google Contacts worked the first time I opened Evolution; however, it failed again after subsequent restarts/reopening.

Revision history for this message
Khurshid Alam (khurshid-alam) wrote :

@josh It is supposed get new access token with refresh token, but from your problem it seems it is using same old token.

Anyway, why is "evolution-data-server" marked as affected for this bug? Shouldn't it be "evolution-data-server-online-accounts"?

Revision history for this message
Alberto Mardegan (mardy) wrote :

The Contacts feature on the Google account console for the Evolution application was disabled, for some reason. After re-enabling it, I could successfully retrieve my contacts.
If you were affected by this bug, please try again; if it still does not work, you might need to delete your Google account from the System Settings -> Online Accounts app and recreate it (this will only delete your local account data: your Google account won't be affected).

Changed in account-plugins (Ubuntu):
status: Confirmed → Invalid
Changed in evolution-data-server (Ubuntu):
status: Confirmed → Incomplete
Revision history for this message
Khurshid Alam (khurshid-alam) wrote :

@Alberto

I recreated my google account (on Trusty) from online accounts. Even though it, now, works with Evolution, it still fails with Syncevolution.

For example, running

SYNCEVOLUTION_DEBUG=1 syncevolution --print-databases --daemon=no loglevel=2 backend=carddav username=uoa:3,google-contacts syncURL=https://www.googleapis.com/.well-known/carddav

command gives following error:

.....
[DEBUG 00:00:00] got new OAuth2 token 'ya29.JAEq2bKxAfDFCPt7SuT78O3h7NHylDFRMbtngLG99LlSOMK1khbT7_yX' for next request
[DEBUG 00:00:00] using OAuth2 token 'ya29.JAEq2bKxAfDFCPt7SuT78O3h7NHylDFRMbtngLG99LlSOMK1khbT7_yX' to authenticate
[DEBUG 00:00:01] PROPFIND: Neon error code 1: 403 Forbidden, must not retry
[DEBUG 00:00:01] exception thrown at src/backends/webdav/NeonCXX.cpp:789
[DEBUG 00:00:01] error code from SyncEvolution access denied (remote, status 403): PROPFIND: Neon error code 1: 403 Forbidden
[DEBUG 00:00:01] read relevant properties of https://www.googleapis.com:443/.well-known/carddav
[DEBUG 00:00:01] starting PROPFIND, credentials unverified, deadline in 298.5s
[DEBUG 00:00:01] using OAuth2 token 'ya29.JAEq2bKxAfDFCPt7SuT78O3h7NHylDFRMbtngLG99LlSOMK1khbT7_yX' to authenticate
[DEBUG 00:00:01] PROPFIND: Neon error code 1: 403 Forbidden, must not retry
[DEBUG 00:00:01] TransportStatusException: PROPFIND: Neon error code 1: 403 Forbidden
......

Any idea why?

Note: However it does NOT occur with calendar(caldav).

Revision history for this message
Khurshid Alam (khurshid-alam) wrote :

@Alberto

From the discussion with Patrick on the syncevolution mailing-list (http://is.gd/0vuxN4) it seems "CardDav" scope is not enabled for the particular google "client_id" that UOA is using . If that is the case could please enable it?

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for evolution-data-server (Ubuntu) because there has been no activity for 60 days.]

Changed in evolution-data-server (Ubuntu):
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.