
"Sign in with Google" stops working when the establisher ceases to have administrative access in Google Apps

      At present, if the person who established the link between Google Apps and Atlassian Cloud has their administrative rights revoked, then the link will break. This should not need to be the case, as users will leave the company or role, or may only have temporary rights so that they can establish the link.

      This can lead to a confusing situation for many customers when Google Apps just suddenly stops working.

      Workaround

      Follow the guide https://confluence.atlassian.com/display/CLOUDKB/Google+Apps+users+experiencing+%27Unexpected+error+in+the+authentication+system%27+when+logging+in for potential workarounds.

            [ID-189] "Sign in with Google" stops working when the establisher ceases to have administrative access in Google Apps

            Adarsh added a comment -

            This issue is fixed as part of the new Atlassian Cloud - G Suite integration. Please raise this ticket if you are still facing this issue.


            Eli Daniel added a comment - - edited

            This can be a higher-impact issue for customers than it sounds like you appreciate. Here's what we just experienced:

            • the person who happens to have originally configured the Atlassian / Google integration leaves the company, and their account is disabled.
            • nobody else, administrators included, can now log in to Atlassian
            • this means that nobody can follow the workaround to delete/re-add the Google integration under a different account

            Furthermore, while you say this is a limitation of using OAuth with Google, that is empirically not true: we use a number of hosted tools that authenticate with Google accounts, and this is the only one that failed when the user in question had their account disabled. Surely there's a way of implementing Google OAuth without tying it to one specific user's individual account?

            (Incidentally, we were able to resolve this by re-enabling the account in question for long enough for another admin to log into Atlassian and change the Google integration. But this seems unlikely to be viable in general.)


            Luis Miranda (Inactive) added a comment -

            I have reworded this as a bug rather than a suggestion. Note, however, that this is not something we can reasonably fix on our side as it is a limitation of using OAuth under a user's account.

            To avoid the problem we can look at making this more obvious in Cloud admin and calling it out in our documentation.

              Unassigned Unassigned
              mhunter Matthew Hunter
              Affected customers: 2
              Watchers: 8
