Google OpenID error

[ktoczyski]

Hi,

I have configured Google realm via OpenID but it is not working. When I tried login in, I received the following message:

Login failed. Please try again (api error (status = 401: Failed to contact token endpoint: Request failed))

The same configuration works on PBS.

Another bug occurs in the user tab. When I add user to realm OpenID, a password is required.

 

[sterzy]

Login failed. Please try again (api error (status = 401: Failed to contact token endpoint: Request failed))

Sounds like your PDM host cannot reach the Google host here. Are you sure PDM is configured with sufficient access to the internet?

Another bug occurs in the user tab. When I add user to realm OpenID, a password is required.

We are aware of that and a fix has already been send to the mailing list [1].

[1]: https://lore.proxmox.com/pdm-devel/.../T/#mb1ab048f62e44b2a0c6f2a42152e6410908e8111

 

[sterzy]

Sounds like your PDM host cannot reach the Google host here. Are you sure PDM is configured with sufficient access to the internet?

You may also need to adapt the "authorized redirect URIs" on Google's side [1].

[1]: https://developers.google.com/identity/protocols/oauth2/web-server#creatingcred

 

[ktoczyski]

You may also need to adapt the "authorized redirect URIs" on Google's side [1].

[1]: https://developers.google.com/identity/protocols/oauth2/web-server#creatingcred

Yes, PDM is connected to the Internet:

pdm:~# ping accounts.google.com
PING accounts.google.com (142.250.27.84) 56(84) bytes of data.
64 bytes from ra-in-f84.1e100.net (142.250.27.84): icmp_seq=1 ttl=107 time=24.2 ms
64 bytes from ra-in-f84.1e100.net (142.250.27.84): icmp_seq=2 ttl=107 time=24.5 ms
64 bytes from ra-in-f84.1e100.net (142.250.27.84): icmp_seq=3 ttl=107 time=24.4 ms
64 bytes from ra-in-f84.1e100.net (142.250.27.84): icmp_seq=4 ttl=107 time=24.4 ms
64 bytes from ra-in-f84.1e100.net (142.250.27.84): icmp_seq=5 ttl=107 time=24.3 ms
^C
--- accounts.google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 24.234/24.352/24.499/0.093 ms

pdm:~# telnet accounts.google.com 443
Trying 142.250.27.84...
Connected to accounts.google.com.
Escape character is '^]'.
^]

About URIs, I will check it out, but we use Google auth on many systems and all works ok.

 

[sterzy]

Yes, PDM is connected to the Internet:

Alright, that's good to know, thank you!

About URIs, I will check it out, but we use Google auth on many systems and all works ok.

Yes, but from my understanding each authorized redirect URI needs to configure specifically. So if you configured it for your other services and not PDM, that could explain why you are running into this issue. Hope that makes sense.

 

[ktoczyski]

Alright, that's good to know, thank you!



Yes, but from my understanding each authorized redirect URI needs to configure specifically. So if you configured it for your other services and not PDM, that could explain why you are running into this issue. Hope that makes sense.

Yes, I know about it. Our configuration (domain has been removed)

 

[sterzy]

Interesting, I'll look into setting up a reproducer here. Most of the code between pdm and pbs is shared, though, so really not sure what the difference here would be.

 

[ewysong]

I'm experiencing this problem as well. Same settings work in PBS but not from PDM.

The only line in the logs when this happens is:

Feb 05 13:13:23 pdm proxmox-datacenter-privileged-api[555]: authentication failure; rhost=[2601:803:a01:f60:f689:dc7f:e42e:5996]:45578 msg=Failed to contact token endpoint: Request failed

Screenshots attached (with Client ID/Key set to xxx for the screenshot).

@sterzy would you like a bug report submitted?

 

[sterzy]

Thanks for reporting this. Sorry I got side tracked with other projects before I could tackle this. Yes please open a bug report over at [1]. Thanks!

[1]: https://bugzilla.proxmox.com/

 

[ewysong]

@sterzy No problem, there's always lots to do! Submitted at https://bugzilla.proxmox.com/show_bug.cgi?id=7290

Thanks!

 

[gradinaruvasile]

Same issue. We use PVE and have openid setup and working, but on PDM with the exact same settings we get:

- Login errors -

2026-02-11T16:39:19+02:00: authentication failure; rhost=[::ffff:172.22.12.7]:39792 msg=Failed to contact token endpoint: Request failed

- Unable to create accounts in the console - The realm is created, it appears in the dropdown but after the required (and irrelevant) information is completed, this is the error that appears:

 

[gradinaruvasile]

If the same OpenID config works on PBS/PVE but fails on PDM, it likely points to a PDM side issue rather than misconfiguration.

Quick checks: confirm the redirect URI exactly matches the FQDN and scheme used for PDM, and rule out proxy or TLS inspection. Run:

curl https://accounts.google.com/.well-known/openid-configuration

If you see cert errors, fix the CA chain.

Since a bug is already open, adding API or syslog entries from the failed login should help the team isolate it faster.

the curl command returns this:

# curl https://accounts.google.com/.well-known/openid-configuration
{
"issuer": "https://accounts.google.com",
"authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
"device_authorization_endpoint": "https://oauth2.googleapis.com/device/code",
"token_endpoint": "https://oauth2.googleapis.com/token",
"userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
"revocation_endpoint": "https://oauth2.googleapis.com/revoke",
"jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
"response_types_supported": [
"code",
"token",
"id_token",
"code token",
"code id_token",
"token id_token",
"code token id_token",
"none"
],
"response_modes_supported": [
"query",
"fragment",
"form_post"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"scopes_supported": [
"openid",
"email",
"profile"
],
"token_endpoint_auth_methods_supported": [
"client_secret_post",
"client_secret_basic"
],
"claims_supported": [
"aud",
"email",
"email_verified",
"exp",
"family_name",
"given_name",
"iat",
"iss",
"name",
"picture",
"sub"
],
"code_challenge_methods_supported": [
"plain",
"S256"
],
"grant_types_supported": [
"authorization_code",
"refresh_token",
"urn:ietfaramsauth:grant-type:device_code",
"urn:ietfaramsauth:grant-type:jwt-bearer"
]
}

 

[gradinaruvasile]

On the login screen if i click the openid redirect button i get the forwarding to the google account selection screen, i select my user then i am forwarded back to PDM and this is the error that is shown (same error in api/auth.log):

Login failed. Please try again (api error (status = 401: Failed to contact token endpoint: Request failed))

I set the authentication up exactly as on our PVE nodes. There is no proxy or anything set up in our network config.

 

[sterzy]

alright, this is indeed a bug, there was url decoding missing in the parts of the ui involved here. added that now, the patch for that can be found on the list here [1] and will hopefully be applied soon. thanks for the report everyone!

[1]: https://lore.proxmox.com/yew-devel/20260224135428.234018-1-s.sterz@proxmox.com/T/#u

 

[ewysong]

Thank you @sterzy!