When reviewing the connector reconciliation, it will often fail after 67 seconds.

The likely error is shown as follows:

You certainly need to create the client within the Google API Developers. The client secret and the client ID will be presented once you've logged into the https://console.developers.google.com/apis/credentials . Also if you haven't already, one of the requirements is to provide the granting access to the client API within the google admin as shown within the screenshot

The other requirement is to ensure that the authorized access has been assigning the x.apps.googleusercontent.com client as shown within the screenshot also. The full URLs that could be assigned is as follows:
https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.group.member,https://www.googleapis.com/auth/admin.directory.notifications,https://www.googleapis.com/auth/admin.directory.orgunit,https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.user.alias,https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/admin.directory.userschema

Its likely that you've already done all of the above though invalid_grant of the token would imply that google is not authenticating the request. The access token is the OAuth to provide authorized access to a protected resource from the OAuth Authorization Server. These access tokens are short-lived and are often renewed. The refresh token is the token that is used to obtain a new access token.

In OpenIDM terms, the refresh token is stored within the database and it will then use the access tokens to access the google APIs. This occurred when I was attempting to upgrade the connector though by using the same provisioner-* file.

The best approach is to deploy the OOTB provisioner file into the OpenIDM conf directory. Once that has been performed, enter the 'clientSecret' and the 'clientId' into the provisioner.openicf-google.json file. Note that the enabled is set to false at the beginning. Also note that the refrestToken remains as null. This would be populated later once you authenticate using the google app super user. After that, start up OpenIDM. and ensure it starts OK. After that, log in as the admin and click 'connectors'. Then click the connector from disabled to enabled and save. Once that occurs, OpenIDM will then redirect you to the OAuth authorization. Click accept. You will be able to see the provisioner.openicf-google.json file the refreshToken within the configurationProperties section though encrypted.

You should then be able to perform reconcilation once the source and target mapping is complete

Please comment below if this was successful or you don't experience the same outcome

About the author