Documentation confusion setting up Google OAuth2 in AMI tutor-v15.0.0

I spawned an instance of this AMI:
aws-marketplace/tutor-v15.0.0-dc91f585-6f99-4dff-930d-db0b139892a8

To test out OpenEDX as a corporate training system for our staff. Really love how fast and easy it was to get it up and running.

But.

We use Google Workspace, so I want to enable OAuth2 for our staff, so they don't need to create “yet another” user ID for the training system.

I found what I thought were the correct instructions.

The first part, to set up OAuth2 credentials in our Workspace account, went well. But when it says to edit the file lms.yml I ran into a problem: where is this file?

Elsewhere I learned to use this command to locate the config folder: tutor config printroot
Which gave me: /home/tutor/.local/share/tutor

I found what (by contents) looks like the file, but with a different name:
~/.local/share/tutor/env/apps/openedx/config/lms.env.yml

The next step is to ENABLE ENABLE_THIRD_PARTY_AUTH. But it is already enabled.

The next step is to edit the THIRD_PARTY_AUTH_BACKENDS list, if present. It is not, but the other variables mentioned are not present either.

The next step would be to add the Google secret. I stopped and aborted at this point to come here and verify I am doing this right.

It makes me profoundly nervous when what I see differs too much from what the guide predicted.

Thanks in advance!

OK. I made an AMI image backup of my machine so I can try and hack this out safely.

Ignoring the instructions that appear to be done already, I skipped to:

Add the Provider Configuration

Which has me create a DB entry with my Google OAuth2 info from the first section.

This made the “Login with Google” button appear! But when I try to use it, I get an error:

Error 401: invalid_client

So now I ask here, and seek everywhere, what I can learn about this error.

Thanks in advance.

Hey! Hope I can help you here.

You can find and add new plugins at tutor plugins printroot. You can also see all the enabled plugins by using the command tutor plugins list.

Since ENABLE_THIRD_PARTY_AUTH is already enabled, you don’t have to do anything on that. The next thing you are asked to do in the documentation which you have mentioned is to add the Google OAuth client secret into the lms.env.yml file. Once you add that, all you have to do is add the Provider Configuration as you mentioned above.
Please note that the client_id you provide at **LMS URI/admin/third_party_auth/oauth2providerconfig/** should be the one that matches the client_secret you have provided in the lms.env.yml file.

To create a plugin, do the following:

  • Go to tutor plugins directory using cd $(tutor plugins printroot)
  • If it doesn’t exist, create a folder named tutor-plugins in the same place where your tutor folder is.
  • Then create a yml file as a plugin (Eg: nano oauthconfig.yml)
  • Paste the code below into the file, substituting your client_secret
  • Enable the plugin, save your config file and relaunch your openedx
    • tutor plugins enable oauthconfig
    • tutor config save
    • tutor local launch
name: oauthconfig
version: 0.0.1
patches:
  # patches are keyed by Tutor patch name; this one is rendered into the LMS
  # settings module, so its body is a Python assignment, not a YAML mapping
  openedx-lms-common-settings: |
    SOCIAL_AUTH_OAUTH_SECRETS = {"google-oauth2": "your client secret here"}
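As an added example (not code from this thread, nor from Tutor or Open edX), an offline sanity check of the pairing the answer above insists on: the client_id entered in the oauth2providerconfig row and the client_secret set through SOCIAL_AUTH_OAUTH_SECRETS. It assumes the row fields are named backend_name, key, secret and enabled as in Open edX's OAuth2ProviderConfig model, that a non-empty DB secret takes precedence over the settings dict, and that the Google client-ID pattern is only a heuristic; all sample values are constructed.

```python
import re

BACKEND = "google-oauth2"
PLACEHOLDER = "your client secret here"
# Heuristic shape of a Google OAuth client ID (assumption, not an API contract)
GOOGLE_CLIENT_ID_RE = re.compile(r"^[0-9]+-[a-z0-9]+\.apps\.googleusercontent\.com$")

# Constructed sample data: a row like the one created at
# /admin/third_party_auth/oauth2providerconfig/ and the dict set by the plugin patch.
GOOD_ROW = {
    "backend_name": BACKEND,
    "enabled": True,
    "key": "123456789012-abc123def456ghi789.apps.googleusercontent.com",
    "secret": "",  # left empty: the secret comes from SOCIAL_AUTH_OAUTH_SECRETS
}
GOOD_SECRETS = {BACKEND: "GOCSPX-constructed-example-secret"}


def effective_secret(row, oauth_secrets):
    """Secret the backend would use: a non-empty DB secret wins (assumption),
    otherwise the SOCIAL_AUTH_OAUTH_SECRETS entry for the backend name."""
    if row.get("secret"):
        return row["secret"]
    return oauth_secrets.get(row.get("backend_name", ""), "")


def check_provider(row, oauth_secrets):
    """Return human-readable findings; an empty list means the pairing looks sane."""
    findings = []
    if row.get("backend_name") != BACKEND:
        findings.append(f"backend_name is {row.get('backend_name')!r}, expected {BACKEND!r}")
    if not row.get("enabled"):
        findings.append("provider config row is not enabled")
    key = row.get("key", "")
    if key != key.strip():
        findings.append("client_id has leading/trailing whitespace")
    if not GOOGLE_CLIENT_ID_RE.match(key.strip()):
        findings.append("client_id does not look like a Google OAuth client ID")
    secret = effective_secret(row, oauth_secrets)
    if not secret:
        findings.append("no client secret in the DB row or in SOCIAL_AUTH_OAUTH_SECRETS")
    elif secret == PLACEHOLDER:
        findings.append("client secret is still the plugin placeholder")
    elif secret != secret.strip():
        findings.append("client secret has leading/trailing whitespace")
    db_secret, settings_secret = row.get("secret", ""), oauth_secrets.get(BACKEND, "")
    if db_secret and settings_secret and db_secret != settings_secret:
        findings.append("secret in the DB row differs from SOCIAL_AUTH_OAUTH_SECRETS; one is stale")
    return findings
```

A client_id that belongs to a different Google project than the secret cannot be caught offline; that mismatch is what Google reports back as invalid_client, so once this check is clean the next thing to compare is the project that issued each value.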

Thanks! Good to know I was heading down the right rabbit hole.

I saw older docs talking about making a plugin shell for the secret. The docs I’m following (which I think are for the latest version, 15) are different.

The section "Add the Provider Configuration" had me put that same info into a db. They also mention you can put the secret here as well, instead of the yml file. Which I did because at that time I was not certain I had found the right yml file. I see in your post you refer to it by the name I found, so I assume I did find the right one.

I’m starting to wonder if I have a problem with my domain. My test is for a client on domain A, but I am using my company DNS (domain B), not the same root domain as my client. I am suspicious Google is balking at that.
So I plan to redo the DNS on the client's domain and see if it likes that.

Unless you can tell me I still have a configuration problem?

What is the issue that you are facing currently?

Thank you for your continued assistance, I appreciate it.

The error I get trying to log in is:

  • Error 401: invalid_client

I have screen clips of the button and the resulting error box. I shall try to attach them here for reference.

Nope. New users cannot upload files. Is there an Admin around?