Error while authenticating against OAuth provider #4450

Closed
3 tasks done
rubenelshof opened this issue Nov 24, 2024 · 8 comments
Labels: bug (Something isn't working), forge/gitea (gitea forge related)

Comments

rubenelshof commented Nov 24, 2024

Component

server

Describe the bug

I am aware that I run both Gitea and Woodpecker at the edge by using nightly and next versions and that this can cause issues.

When trying to access Woodpecker I am sent to the login page.
After trying to log in I get the following error message: "Error while authenticating against OAuth provider"

I think this has to do with a recent PR being merged in Gitea about granular scopes.
The error messages Woodpecker returns are about a token not having at least one required scope.

In an attempt to fix the issue I had revoked Woodpecker as an "Authorized OAuth2 Application" in Gitea.
Re-adding does not fix the issue.

Steps to reproduce

  1. Set up Woodpecker server with MariaDB server as database and Gitea as a forge.
  2. Run docker compose.
  3. Try to get Woodpecker to connect to Gitea.

Expected behavior

No response

System Info

next-05e355915b

Additional context

Woodpecker logs:

{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:26:17Z","message":"cannot authenticate user"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:27:03Z","message":"cannot authenticate user"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:31:20Z","message":"cannot authenticate user"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:33:18Z","message":"cannot authenticate user"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:40:31Z","message":"cannot authenticate user"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:40:32Z","message":"cannot authenticate user"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:40:34Z","message":"cannot authenticate user"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:40:36Z","message":"cannot authenticate user"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:41:09Z","message":"cannot authenticate user"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:41:09Z","message":"cannot authenticate user"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:41:53Z","message":"cannot authenticate user"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:42:35Z","message":"cannot authenticate user"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:repository]","time":"2024-11-24T15:45:07Z","message":"failed to load branches"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:repository]","time":"2024-11-24T15:45:09Z","message":"get repo 'dionycodes/woodpecker-lftp' from forge"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:repository]","time":"2024-11-24T15:45:11Z","message":"failed to load branches"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:48:40Z","message":"cannot authenticate user"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:48:42Z","message":"cannot authenticate user"}

Validations

  • Read the docs.
  • Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
  • Checked that the bug isn't fixed in the next version already [https://woodpecker-ci.org/faq#which-version-of-woodpecker-should-i-use]
@rubenelshof rubenelshof added the bug Something isn't working label Nov 24, 2024
@pat-s pat-s added the forge/gitea gitea forge related label Nov 24, 2024
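
Added example (not part of the issue and not Woodpecker's or Gitea's code): a small Go triage helper that groups the scope-rejection errors from the Woodpecker logs above by missing scope and by the operation that failed. The sample lines are copied from the logs in this report; `MissingScopes`, `entry` and `scopeErr` are names chosen for the example, and a space-separated scope list inside the brackets is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Sample lines copied from the Woodpecker logs posted in this issue.
var sampleLog = []string{
	`{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:42:35Z","message":"cannot authenticate user"}`,
	`{"level":"error","error":"token does not have at least one of required scope(s): [read:repository]","time":"2024-11-24T15:45:07Z","message":"failed to load branches"}`,
	`{"level":"error","error":"token does not have at least one of required scope(s): [read:repository]","time":"2024-11-24T15:45:09Z","message":"get repo 'dionycodes/woodpecker-lftp' from forge"}`,
	`{"level":"error","error":"token does not have at least one of required scope(s): [read:repository]","time":"2024-11-24T15:45:11Z","message":"failed to load branches"}`,
	`{"level":"debug","time":"2024-11-24T23:48:05Z","caller":"/woodpecker/src/github.com/woodpecker-ci/woodpecker/server/api/stream.go:70","message":"user feed: connection opened"}`,
}

// scopeErr captures the bracketed scope list of the forge's rejection message.
var scopeErr = regexp.MustCompile(`required scope\(s\): \[([^\]]*)\]`)

type entry struct{ Level, Error, Message string } // JSON keys match case-insensitively

// MissingScopes maps each scope named in a scope-rejection error to the
// sorted, de-duplicated operations (log "message" values) that failed for it.
func MissingScopes(lines []string) map[string][]string {
	out, seen := map[string][]string{}, map[string]bool{}
	for _, l := range lines {
		var e entry
		if json.Unmarshal([]byte(l), &e) != nil || e.Level != "error" {
			continue // not a JSON record, or not an error record
		}
		if m := scopeErr.FindStringSubmatch(e.Error); m != nil {
			for _, s := range strings.Fields(m[1]) { // assumed space-separated
				if key := s + "\x00" + e.Message; !seen[key] {
					seen[key] = true
					out[s] = append(out[s], e.Message)
				}
			}
		}
	}
	for _, ops := range out {
		sort.Strings(ops)
	}
	return out
}

func main() {
	fmt.Println(MissingScopes(sampleLog))
}
```

On these lines the result shows the token was rejected for both `read:user` (login) and `read:repository` (repository and branch lookups), which is consistent with a token issued without the scopes the API routes require.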
Contributor

zc-devs commented Nov 24, 2024

I tested exactly this version yesterday and didn't have that error.
What is your Gitea version? What are your configs? Could you add Gitea and Woodpecker logs at debug level?

@rubenelshof
Author

> I tested exactly this version yesterday and didn't have that error. What is your Gitea version? What are your configs? Could you add Gitea and Woodpecker logs at debug level?

Which configs do you need for Gitea?

Gitea version: 1.23.0+dev-704-g633785a5f3
Gitea logs:

2024/11/25 00:48:04 ...eb/routing/logger.go:102:func1() [I] router: completed GET /login/oauth/authorize?client_id=2271a6c1-6c20-4b19-b78b-1be991f0f76c&redirect_uri=https%3A%2F%2Fci.example.com%2Fauthorize&response_type=code&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MzI0OTIzODQsImZvcmdlLWlkIjoiMSIsInR5cGUiOiJvYXV0aC1zdGF0ZSJ9.RKNscpD9S0wP3qqNJDDTMcIVe18uTSSAaGBRQmv1ctA for 172.20.0.15:46748, 303 See Other in 11.6ms @ auth/oauth2_provider.go:185(auth.AuthorizeOAuth)
2024/11/25 00:48:05 ...eb/routing/logger.go:102:func1() [I] router: completed POST /login/oauth/access_token for 172.20.0.15:46748, 200 OK in 170.2ms @ auth/oauth2_provider.go:462(auth.AccessTokenOAuth)
2024/11/25 00:48:05 ...eb/routing/logger.go:102:func1() [I] router: completed GET /api/v1/version for 172.20.0.15:46748, 200 OK in 3.1ms @ misc/version.go:15(misc.Version)
2024/11/25 00:48:05 ...eb/routing/logger.go:102:func1() [I] router: completed GET /api/v1/user for 172.20.0.15:46748, 403 Forbidden in 6.3ms @ v1/api.go:297(v1.Routes.func2.tokenRequiresScopes.22)

Woodpecker logs:

{"level":"debug","time":"2024-11-24T23:48:01Z","caller":"/woodpecker/src/github.com/woodpecker-ci/woodpecker/server/api/stream.go:70","message":"user feed: connection opened"}
{"level":"debug","ip":"","latency":1.812529,"method":"GET","path":"/api/forges","status":200,"time":"2024-11-24T23:48:01Z","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","time":"2024-11-24T23:48:01Z","caller":"/woodpecker/src/github.com/woodpecker-ci/woodpecker/server/router/middleware/logger.go:59"}
{"level":"debug","ip":"","latency":0.849317,"method":"GET","path":"/authorize","status":303,"time":"2024-11-24T23:48:04Z","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","time":"2024-11-24T23:48:04Z","caller":"/woodpecker/src/github.com/woodpecker-ci/woodpecker/server/router/middleware/logger.go:59"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T23:48:05Z","caller":"/woodpecker/src/github.com/woodpecker-ci/woodpecker/server/api/login.go:123","message":"cannot authenticate user"}
{"level":"debug","ip":"","latency":365.068008,"method":"GET","path":"/authorize","status":303,"time":"2024-11-24T23:48:05Z","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","time":"2024-11-24T23:48:05Z","caller":"/woodpecker/src/github.com/woodpecker-ci/woodpecker/server/router/middleware/logger.go:59"}
{"level":"debug","ip":"","latency":0.02655,"method":"GET","path":"/login","status":200,"time":"2024-11-24T23:48:05Z","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","time":"2024-11-24T23:48:05Z","caller":"/woodpecker/src/github.com/woodpecker-ci/woodpecker/server/router/middleware/logger.go:59"}
{"level":"debug","ip":"","latency":0.125656,"method":"GET","path":"/web-config.js","status":200,"time":"2024-11-24T23:48:05Z","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","time":"2024-11-24T23:48:05Z","caller":"/woodpecker/src/github.com/woodpecker-ci/woodpecker/server/router/middleware/logger.go:59"}
{"level":"debug","ip":"","latency":0.02638,"method":"GET","path":"/assets/custom.css","status":200,"time":"2024-11-24T23:48:05Z","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","time":"2024-11-24T23:48:05Z","caller":"/woodpecker/src/github.com/woodpecker-ci/woodpecker/server/router/middleware/logger.go:59"}
{"level":"debug","ip":"","latency":0.023514,"method":"GET","path":"/assets/custom.js","status":200,"time":"2024-11-24T23:48:05Z","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","time":"2024-11-24T23:48:05Z","caller":"/woodpecker/src/github.com/woodpecker-ci/woodpecker/server/router/middleware/logger.go:59"}
{"level":"debug","time":"2024-11-24T23:48:05Z","caller":"/woodpecker/src/github.com/woodpecker-ci/woodpecker/server/api/stream.go:70","message":"user feed: connection opened"}
{"level":"debug","ip":"","latency":1.283995,"method":"GET","path":"/api/forges","status":200,"time":"2024-11-24T23:48:05Z","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","time":"2024-11-24T23:48:05Z","caller":"/woodpecker/src/github.com/woodpecker-ci/woodpecker/server/router/middleware/logger.go:59"}

Woodpecker environment variables:

      - WOODPECKER_OPEN=true
      - WOODPECKER_HOST=https://ci.example.com
      - WOODPECKER_GITEA=true
      - WOODPECKER_GITEA_URL=https://git.example.com
      - WOODPECKER_GITEA_CLIENT=client_id
      - WOODPECKER_GITEA_SECRET=secret
      - WOODPECKER_ADMIN=dionysussg
      - WOODPECKER_AUTHENTICATE_PUBLIC_REPOS=true
      - WOODPECKER_PLUGINS_PRIVILEGED=woodpeckerci/plugin-docker-buildx
      - WOODPECKER_DATABASE_DRIVER=mysql
      - WOODPECKER_DATABASE_DATASOURCE=woodpecker:password@tcp(database_mariadb:3306)/woodpecker?parseTime=true
      - WOODPECKER_LOG_LEVEL=debug

Contributor

zc-devs commented Nov 25, 2024

> Gitea version: 1.23.0+dev-704-g633785a5f3

Did it work on 1.22? I have 1.22.

Author

rubenelshof commented Nov 25, 2024

> > Gitea version: 1.23.0+dev-704-g633785a5f3
>
> Did it work on 1.22? I have 1.22.

Yes. It has been working until yesterday.
Unfortunately I don't think I can actually check and verify by going back to 1.22.
Additionally, Gitea doesn't create Docker images per git commit so I can't go back to a version from a few days ago to check.

Below is a screenshot of the screen I get when I want to authorize Woodpecker. It does not contain a list of scopes.
[Screenshot: 2024-11-25 01_06_32-Gitea_ Git with a cup of tea]

Author

rubenelshof commented Nov 25, 2024

> > Gitea version: 1.23.0+dev-704-g633785a5f3
>
> Did it work on 1.22? I have 1.22.

Alright. I have found a way to check if a previous nightly works.
I can confirm that version 1.23.0+dev-694-ga175f9805c is working and has no problems authorizing Woodpecker to Gitea.
It can now also access all the repos and build stuff using repos stored in Gitea.

This version is based on this commit, go-gitea/gitea@a175f98, which is the last commit before the PR I think is causing the issue.

Hope this helps.

@wxiaoguang

I am also using woodpecker, and I also encountered the problem.

Will be fixed by "Improve oauth2 scope token handling" (go-gitea/gitea#32633)

Feel free to try my fix.

@rubenelshof
Author

> I am also using woodpecker, and I also encountered the problem.
>
> Will be fixed by "Improve oauth2 scope token handling" (go-gitea/gitea#32633)
>
> Feel free to try my fix.

I just tried your fix and it works.

@rubenelshof
Author

With go-gitea/gitea#32633 being merged, this issue is now resolved, I think.
Thank you @wxiaoguang and @zc-devs for the help.
