Privacyidea3 Push Troubleshooting

Issue opened. I also have made a pull request which added push token support to the FreeRADIUS plugin in case it hadn’t been worked on yet. I followed a similar process to how Twilio’s OneTouch push token functions.

@cornelinux, I was able to get a hold of an Android unit for testing. I was able to set up the Push functionality, and enroll a token. However, when I attempt to authenticate, it seems like the request is missing some credential information. Using the API test, I receive this error:

detail": null, “version”: “privacyIDEA 3.0”, “result”: {“status”: false, “error”: {“message”: “(‘Unexpected credentials type’, None, ‘Expected’, ‘service_account’)”, “code”: -500}}

The same error is posted in the audit. Interestingly, the column that lists the token serial is blank.

Am I missing something?

Edit: In Debug mode, this jumped out at me:

[privacyidea.api.lib.utils:219] Can not get param: No JSON object could be decoded

I’ve verified the JSON file is where I specified in the config. I have tested with the following ownership:


You are missing to provide more details about “when I attempt to authenticate”.

Like: What are you actually doing… What are your settings…, what is your otppin setting…
Do you fail on entereing the PIN or later in the process?
You are issuing an API request? Which one?

At this point, I’m simply testing with the API test in the HowTo. There is a policy in place that sets the PIN to my LDAP userstore and the debug logs show that part of the authentication is successful. It’s when it gets to the Push portion where it fails with the error previously posted.

When I say API test, I mean entering the validate/check URL in a browser with my username and PIN.

This sounds strange.

You should check different things:

  • Are there more than one token assigned to the user?
  • Is the PUSH token completely enrolled, or was the enrollment not completed
  • Is there anything interesting in the log file privacyidea.log.

This is just a test instance, so there is only one user and one token enrolled, the push one. I did enroll a TOTP token initially just to confirm that everything worked as it does in my 2.23 instance. Once I confirmed, I unassigned the token and deleted it.

I then enrolled the push token, and it seemed to enroll correctly. All indications on the screen said so, and the token entry in the WEBGUI states it’s status is enrolled.

The only thing interesting in the log file with debug mode on was the line:

[privacyidea.api.lib.utils:219] Can not get param: No JSON object could be decoded

I thought maybe I had not put the file location in correctly in the SMS Gateway config, but when I renamed the file, the error returned change to something to the effect of “could not locate JSON file”.

I also changed file ownership, setting it to root:root and privacyidea:privacyidea, with no change.

At this point, my best guess is a problem with the format of how the JSON file is written.

“project_info”: {
“project_number”: “12345”,
“firebase_url”: “”,
“project_id”: “privacyideatest-abc123”,
“storage_bucket”: “
“client”: [
“client_info”: {
“mobilesdk_app_id”: “1:12345:android:abc123cde456”,
“android_client_info”: {
“package_name”: “com.test.privacyidea”
“oauth_client”: [
“client_id”: “”,
“client_type”: 3
“api_key”: [
“current_key”: “adf;akdjf;lakdsj;flakdjf;ladskhgf;klgahfgl;ashdgf”
“services”: {
“appinvite_service”: {
“other_platform_oauth_client”: [
“client_id”: “”,
“client_type”: 3
“configuration_version”: “1”

You are probably issueing your “test API” call in a wrong way.
And you did not take a look in the log file.
I am sorry, I can not help.

I did take a look in the log file, I posted the only entry that jumped out at me in both my posts. As for the test API call, I’m using it verbatim from the how to doc. I open a browser and point to:

https://server ip/validate/check?user=username&pass=pinfromuserstore

" You can now test you setup by

  1. Enroll a new Push token and assign it to a user. Give the Push token a PIN.
  2. In your browser you can simply issue an authentication request using the API https://your.privacyidea.server/validate/check?user=testuser&pass=yourpin
  3. You should receive a notification on your enrolled smartphone, which you can confirm."

In addition to the entry from the log file about the PI server not being able to decode the JSON object, the webpage had this error:

“result”: {“status”: false, “error”: {“message”: “(‘Unexpected credentials type’, None, ‘Expected’, ‘service_account’)”, “code”: -500}},

Right. You did everything right. But still the information you provide is not enough to get any idea here.
This error you report, was never seen before. The text “Unexpected credentials type” is not part of our code.
So the problem could lie everywhere. The webserver you are using, the database, the way you installed privacyidea, which browser you are using…

I am debugging your problem although this is no support channel!
The text “Unexpected credentials type” originates from oauth2client/service_account.pyc,
So this looks like as if there is something wrong with your firebase setup. What? How should I know!

I assume the communication is correct to the firebase service. You could verify this by sniffing/running a tcpdump.

So probably this occurs from your Firebase setup. Or maybe from the type you set up your google account… Take a look there…
A more detailed look at the log file (not only one line or error message) could have revealed this.

Some ideas to poke in the dark:

Did you create the service account in the firebase console?
Maybe you mixed up the two json files? One needs to be copied to the privacyIDEA server, from the other one you need to extract the information.
Maybe you simply have a copy and paste error.

That’s all extremely helpful, thank you. I just wanted to make sure it wasn’t a bug or an obvious error that you had seen before. I’ll take your notes and dive further, thanks again for everything. If I figure it out, I’ll report back.

@bnort81 thanks for this experience! :wink:
I think this shows that we need to change the configuration of the firebase service. I see if we can put an easier configuration in privacyIDEA 3.0.1.

Your comment about the service account got me pointed in the right direction. The problem is I have a tendency to read instructions too fast and missed a key part. I thought I had to download the google-services.json and point to that in the SMS Gateway config. When I went back to the directions, I saw the part about the service account, and used that JSON file instead. As soon as I did that, I received push notifications.

It’s not working right with the PAM Python module, but that seems more like a problem with PAM or the client side configuration.

Thanks for your help with this, the actual push portion is working great now.

Is still maintained? It looks like maybe it does not support this type of authentication as is. /var/log/messages on the client shows the following error:

“sshd: Traceback (most recent call last):#012 File “/usr/lib64/security/”, line 329, in pam_sm_authenticate#012 rval = Auth.authenticate(pamh.authtok)#012 File “/usr/lib64/security/”, line 196, in authenticate#012 attributes)#012 File “/usr/lib64/security/”, line 211, in challenge_response#012 response = self.pamh.conversation(pam_message)#012PamException: Conversation error”

I opened an issue on the privacyidea_pam Github page.

For those interested, the PrivacyIdea/PAM_Python method does not support Push notifications yet. I received this response to my issue report:

Thanks for the report.
The privacyIDEA-PAM module is not yet ready for the push token.
We need to poll the server to check if the push authentication was successful.

Hi Cornelinux,
I’m new to privacyIDEA and have installed version 3 and am trying to get the push to work. I have looked at your HowTo for push and the instructions ask for a policy with firebase config

My policy config does not seem to have the same options. I do not know what im doing wrong and appreciate any input you can give. Attaching my policy screen. Much thanks in advance

I see the options now.