Troubleshooting Google Workspace setup

Resolutions for common errors during Service Account and OAuth setup of the Extension Auditor Google Workspace integration.

If you ran into an error while connecting Google Workspace, find the symptom below and follow the resolution. If your symptom isn't listed, contact us at [email protected] with the exact error message and a screenshot.

Service Account method

Access denied or 403 in the connection test

The wizard says: "Access denied. Please verify that domain-wide delegation is configured correctly in Google Admin Console with the correct Client ID and all required scopes."

Google rejected the impersonation request. Almost always one of:

  1. Wrong Client ID. Re-check the value you pasted in https://admin.google.com/ac/owl/domainwidedelegation against the value shown in the Extension Auditor setup wizard. The Client ID is a 21-digit numeric string.
  2. Missing scope(s). All nine scopes from the scopes table must be authorised. Google does not report which one is missing — it just rejects the call. Re-paste the complete comma-separated list using the wizard's Copy button.
  3. Admin email lacks privileges. The impersonated admin must have permission to read Chrome browsers, Chrome management reports, and org units. The simplest fix is to use a Workspace user that has the Super Admin role; alternatively, build a custom admin role with the privileges in the prerequisites.
  4. Delegation hasn't propagated yet. Newly-added delegation entries can take a couple of minutes to take effect. Wait 60–120 seconds and click Test Connection again.

Authentication failed or 401 in the connection test

The wizard says: "Authentication failed. The admin email may be incorrect or the service account may not have delegation enabled."

The token exchange itself failed:

  1. Admin email typo. Make sure the email exists in your Workspace and is spelled exactly. Don't include trailing whitespace.
  2. Account suspended. If the admin account is suspended or deleted, Google won't issue a token. Use a different admin email (or restore the account) and re-test.
  3. 2-Step Verification policy interfering. Domain-wide delegation does not require 2SV codes from the impersonated user (it's a server-to-server flow), but some misconfigured policies can interfere — if 1, 2, and 3 above all check out, try a different Workspace admin to confirm.

Scope mismatch or delegation not configured

The wizard says: "Domain-wide delegation is not configured. Please add the Client ID and scopes in Google Admin Console → Security → API controls → Domain-wide delegation."

Google returned unauthorized_client. This means no delegation entry at all matches our Client ID — typically because:

  • The delegation entry was added to a different Workspace tenant. Confirm you're signed in to the same Workspace that owns the domain you entered in the wizard.
  • The entry was added but later removed.
  • A typo in the Client ID prevented the entry from ever matching.

Open https://admin.google.com/ac/owl/domainwidedelegation, find the row whose Client ID matches the value in the Extension Auditor wizard, and confirm it lists all nine scopes. Re-add it if necessary, then test again.
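Because Google does not say which part of a delegation entry is wrong, it helps to diff the entry locally before retesting. The following is an added example, not Extension Auditor code: it checks the Client ID format, the scope list and the admin email from the checklists above. The three scopes are a constructed stand-in for the wizard's nine-scope list, and the function names and finding labels are hypothetical.

```python
import re

# Constructed stand-in: paste the wizard's real nine-scope list here.
REQUIRED_SCOPES = ",".join([
    "https://www.googleapis.com/auth/admin.directory.orgunit.readonly",
    "https://www.googleapis.com/auth/chrome.management.reports.readonly",
    "https://www.googleapis.com/auth/admin.directory.device.chromebrowsers.readonly",
])

def parse_scopes(text):
    """Split a comma- or whitespace-separated scope list into a set."""
    return {s for s in re.split(r"[,\s]+", text) if s}

def check_delegation(wizard_client_id, console_client_id, console_scopes,
                     admin_email, required_scopes=REQUIRED_SCOPES):
    """Return a list of findings; an empty list means nothing to fix locally."""
    findings = []
    # The page states the Client ID is a 21-digit numeric string.
    if not re.fullmatch(r"[0-9]{21}", console_client_id):
        findings.append("client_id_format")
    elif console_client_id != wizard_client_id:
        findings.append("client_id_mismatch")
    required = parse_scopes(required_scopes)
    granted = parse_scopes(console_scopes)
    findings += [f"missing_scope:{s}" for s in sorted(required - granted)]
    # A mistyped scope shows up twice: once as missing, once as unexpected.
    findings += [f"unexpected_scope:{s}" for s in sorted(granted - required)]
    # Trailing whitespace or a malformed address fails the token exchange.
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", admin_email):
        findings.append("admin_email_format")
    return findings

if __name__ == "__main__":
    # Constructed values: Client ID, domain and a console entry missing one scope.
    console = REQUIRED_SCOPES.rsplit(",", 1)[0]
    for finding in check_delegation("123456789012345678901",
                                    "123456789012345678901",
                                    console, "admin@example.com "):
        print(finding)
```

An empty result only rules out local mistakes; missing admin privileges and propagation delay still have to be checked in the Admin Console.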

Service Account Not Configured banner

The wizard says: "The service account has not been set up on the server yet. Please contact support."

This means the Extension Auditor instance you're using is missing the GOOGLE_SERVICE_ACCOUNT_CLIENT_ID environment variable. On the production extensionauditor.com tenant this is always configured — if you're seeing it there, contact support. If you're running a self-hosted build, configure the service account credentials and restart the worker and web app.

OAuth method

You were redirected back to the integrations page with ?error=missing_scopes. This happens when one or more scopes were unticked on Google's consent screen. Extension Auditor verifies that all nine requested scopes are granted and refuses to save the integration if any are missing.

Click Connect with Google OAuth again and approve the full scope list. Google may remember your previous grants — if it skips the consent screen, revoke the existing grant at https://myaccount.google.com/permissions (find "Extension Auditor"), then retry.

OAuth error — invalid state or invalid state format

You were redirected back with ?error=invalid_state or ?error=invalid_state_format. The CSRF state cookie didn't match what came back from Google. Causes and fixes:

  • You started the OAuth flow in one browser and finished in another. Re-run the flow in a single browser session.
  • You waited more than 10 minutes between clicking Connect and finishing the consent flow. The state cookie expires after 10 minutes. Start over.
  • Cookies are blocked or being stripped by an extension/proxy. Disable extensions that strip cookies or use an incognito window for the setup flow.
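To show why each of the causes above ends in a rejected callback, here is a minimal state check. It is an added example, not Extension Auditor's implementation: the state layout (nonce, timestamp, HMAC), the function names and the split between the two error codes are assumptions. Only the 10-minute lifetime and the error names come from this page.

```python
import hashlib
import hmac
import re
import secrets
import time

STATE_TTL = 600  # seconds; the page states the state cookie expires after 10 minutes
STATE_RE = re.compile(r"([A-Za-z0-9_-]+\.([0-9]+))\.([0-9a-f]{64})")

def _mac(key, body):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def new_state(key, now=None):
    """Issue 'nonce.timestamp.mac'; sent to Google and stored in a cookie."""
    now = int(time.time() if now is None else now)
    body = f"{secrets.token_urlsafe(16)}.{now}"
    return f"{body}.{_mac(key, body)}"

def check_state(key, returned, cookie, now=None):
    """Return None when the callback is acceptable, else an error code."""
    now = int(time.time() if now is None else now)
    match = STATE_RE.fullmatch(returned or "")
    if not match:
        return "invalid_state_format"          # assumed mapping: not parseable
    body, issued, mac = match.groups()
    if not hmac.compare_digest(_mac(key, body).encode(), mac.encode()):
        return "invalid_state_format"          # assumed mapping: altered value
    if cookie is None or now - int(issued) > STATE_TTL:
        return "invalid_state"                 # cookie stripped or expired
    if not hmac.compare_digest(cookie.encode(), returned.encode()):
        return "invalid_state"                 # flow finished in another browser
    return None
```

A missing cookie is treated the same as a mismatched one, which is why a cookie-stripping extension or proxy produces the same error as switching browsers.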

OAuth error — session expired

You were redirected back with ?error=session_expired. Your Extension Auditor session expired between starting the OAuth flow and the redirect back. Sign in again, then retry the connection from Settings → Integrations.

OAuth error — token exchange failed

You were redirected back with ?error=token_exchange_failed. Google refused to exchange the authorisation code for tokens. This is rare; usually it means the OAuth code already expired (consent flows must be completed within a few minutes) or there's a misconfiguration in the OAuth client. Retry the flow; if the error persists, contact support.

OAuth error — access denied by user

You were redirected back with ?error=oauth_access_denied. You clicked Cancel on Google's consent screen, or your Workspace admin policy blocked the grant. Click Connect with Google OAuth again and approve, or work with the admin who controls "third-party app access" in https://admin.google.com/ac/owl/list?tab=configuredApps to allow Extension Auditor.

OAuth error — admin policy enforced

You were redirected back with ?error=oauth_admin_policy_enforced. Your Workspace's "App access control" policy blocks new OAuth apps from being granted access. An administrator must explicitly trust Extension Auditor in Admin Console → Security → API controls → App access control → Manage Third-Party App Access, or use the Service Account method instead — which is governed by domain-wide delegation rather than app access control.

OAuth error — already connected

You were redirected back with ?error=already_connected. A Google Workspace integration already exists on this team workspace. Disconnect the existing one from Settings → Integrations → Google Workspace → Disconnect before connecting a new one.

Existing OAuth integration suddenly stops syncing

If your OAuth integration was working and now reports authentication errors on every sync, Google has revoked the refresh token. Common causes:

  • The signing admin's password was reset.
  • The signing admin lost the Super Admin role or had their account suspended.
  • An admin revoked the grant from https://myaccount.google.com/permissions or from Admin Console → Security → API controls → Manage Third-Party App Access.
  • A Workspace policy change forced re-consent for OAuth apps.

The fix is the same in every case: disconnect the integration and reconnect as a Super Admin. To avoid this happening again, consider migrating to the Service Account method, which doesn't depend on any individual admin's account state.

After connecting — first sync fails

If setup succeeded but the first sync fails (the integration card shows a red "Failed" badge), the most common causes are:

  • Chrome Browser Cloud Management isn't enabled. Enrol your browsers via Google's CBCM setup guide and click Sync Now.
  • No managed browsers exist yet. The integration will succeed but report 0 browsers / 0 extensions until at least one Chrome browser is enrolled.
  • The impersonated admin (Service Account method) lacks one of the read scopes. Re-check the prerequisites and verify the role's privileges.

The exact error returned by Google is shown under Sync Status on the integration card. If it's not obvious from the message above, send it to [email protected].