http error 500 when trying to link accounts via oauth #19715

Closed
Mai-Lapyst opened this issue May 15, 2022 · 14 comments
@Mai-Lapyst
Contributor

Mai-Lapyst commented May 15, 2022

Description

Steps to reproduce:

  • Set up an OAuth2 authentication source for gitlab
    • Type: OAuth2
    • Name: gitlab
    • Type: GitLab
    • Set custom URLs
  • Set up an OAuth Application in gitlab (tested via Instance-Wide Application)
    • Scopes: read_api, read_user, profile, email
    • Set as Trusted & Confidential
    • Add the url https://<your gitea domain>/user/oauth2/gitlab/callback as allowed redirect
  • Try to login using the provider via the Login Screen of your instance.
    At first it will redirect correctly to gitlab, but when returning to gitea, the user is shown an error 500.

Log Output (Debug):

Mai 15 17:49:59 gitea gitea[55669]: 2022/05/15 17:49:59 Started GET /user/oauth2/gitlab for 127.0.0.1:46492
Mai 15 17:49:59 gitea gitea[55669]: 2022/05/15 17:49:59 Completed GET /user/oauth2/gitlab 307 Temporary Redirect in 48.576997ms
Mai 15 17:50:00 gitea gitea[55669]: 2022/05/15 17:50:00 Started GET /user/oauth2/gitlab/callback?code=REDACTED&state=REDACTED for 127.0.0.1:46494
Mai 15 17:50:00 gitea gitea[55669]: 2022/05/15 17:50:00 ...rs/web/auth/oauth.go:849:SignInOAuthCallback() [E] UserSignIn: could not find a matching session for this request
Mai 15 17:50:00 gitea gitea[55669]: 2022/05/15 17:50:00 ...s/context/context.go:204:HTML() [D] Template: status/500
Mai 15 17:50:00 gitea gitea[55669]: 2022/05/15 17:50:00 Completed GET /user/oauth2/gitlab/callback?code=REDACTED&state=REDACTED 500 Internal Server Error in 11.231758ms

Gitea Version

1.16.7, 1.16.8

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

linux

How are you running Gitea?

Via the official binary: https://docs.gitea.io/en-us/install-from-binary/

Database

MySQL

@cdlm
Contributor

cdlm commented May 17, 2022

I'm getting http 500 as well with 1.16.8, just trying to log in with 2FA.
edit: that was on iOS, but I don't see the problem anymore…

@fgma

fgma commented Jun 26, 2022

I'm also having the same issue. Running gitea and authentik as oauth2 provider using latest official docker images. Currently this is gitea v1.17.0-rc1 and authentik 2022.6.3.

When trying to login I end up with error 500 in the frontend and the following log entry:

router: completed GET /user/oauth2/oauth2authentik/callback?code=[redacted] for 172.20.0.5:55112, 500 Internal Server Error in 6217.0ms @ auth/oauth.go:808(auth.SignInOAuthCallback)

@C-EO

C-EO commented Jun 28, 2022

I get the same issue too.
Gitea Version : v.1.17.0-rc1

@bat553

bat553 commented Jul 8, 2022

Same issue too.
Docker version of Gitea 1.16.8

Response: {"error":"invalid_grant","error_description":"Code not valid"}

@revolunet

Anyone resolved this?

@lunny
Member

lunny commented Aug 22, 2022

Is it random or always?

@C-EO

C-EO commented Aug 27, 2022 via email

@C-EO

C-EO commented Aug 28, 2022 via email

@Mai-Lapyst
Contributor Author

Mai-Lapyst commented Aug 31, 2022

Tested it again with fresh installs of 1.16.7 - 1.16.9 & 1.17.1 and now all versions just do fine.

I guess it's really just either a random bug or some sort of misconfiguration.

One thing I found out though is that you need to name the source "gitlab" when trying to use gitlab as oauth provider, otherwise it won't work for some reason.

Also as a help for others: I noticed that some fields are not properly trimmed on save, but only when you edit it in the frontend. Save it again and the value is properly trimmed. (#21005)

@zeripath
Contributor

zeripath commented Sep 1, 2022

I think this is likely due to some timing issue in that the requests have been interleaved in some odd way.

I'm just not sure how we'd go about chasing this problem down more clearly as it appears strangely intermittent and random which makes creating a test case almost impossible.

@ewo2022

ewo2022 commented Sep 19, 2022

Get a similar error when trying to connect our keycloak cluster with gitea. I can not even configure OAuth. I get directly an internal server error. Sadly without any meaningful error message.

Maybe the access token does not have the right authorities? Which authorities does gitea (OAuth OpenID Connect) expect?

Does gitea search for the URLs provided here: https://docs.gitea.io/en-us/oauth2-provider/
Keycloak provides /.well-known/openid-configuration but all other endpoints are located somewhere else.

v: 1.17.2 running as a pod in k8s

UPDATE:
Sorry, now it's running. My fault. Wrong configuration of a Networkpolicy. So make sure your gitea server is allowed to connect to your idm.

@sebw

sebw commented Jan 7, 2023

Ran into an error 500 while trying to configure gitea with authentik.

Turns out I made a mistake in the slug in the auto discovery URL.

Throwing an error 500 instead of, say, a 404 makes you look for more serious problems.

@C-EO

C-EO commented Feb 11, 2023

> Tested it again with fresh installs of 1.16.7 - 1.16.9 & 1.17.1 and now all versions just do fine.
>
> I guess it's really just either a random bug or some sort of misconfiguration.
>
> One thing I found out though is that you need to name the source "gitlab" when trying to use gitlab as oauth provider, otherwise it won't work for some reason.
>
> Also as a help for others: I noticed that some fields are not properly trimmed on save, but only when you edit it in the frontend. Save it again and the value is properly trimmed. (#21005)

You actually need to name your OAuth login the same as the url.

Scenarios:
If we could say gitlab begins with "g" then in the callback URL it should begin with "g":

example:
https://<your gitea domain>/user/oauth2/gitlab/callback

If it begins with "G" then the callback URL should have it in uppercase too:

example:
https://<your gitea domain>/user/oauth2/Gitlab/callback
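
A check for the naming rule described in the comment above, as an added example that is not part of the original thread or of Gitea's code: it compares the redirect URI registered at the provider, case-sensitively, with the callback URL derived from the auth source name, and flags stray whitespace of the kind mentioned earlier in the thread. The host `gitea.example.test` and the function names are assumptions; the path shape is the one quoted in this issue.

```python
from urllib.parse import urlsplit

# Callback path shape quoted in this issue; <name> is the auth source name.
CALLBACK_PATH = "/user/oauth2/{name}/callback"


def expected_callback(base_url, source_name):
    """Callback URL for this source name, following the path shape above."""
    return base_url.rstrip("/") + CALLBACK_PATH.format(name=source_name)


def check_redirect_uri(base_url, source_name, registered_uri):
    """Return findings; an empty list means the registered URI matches exactly."""
    findings = []
    if source_name != source_name.strip():
        findings.append("auth source name has leading/trailing whitespace")
    if registered_uri != registered_uri.strip():
        findings.append("registered redirect URI has leading/trailing whitespace")
    want = expected_callback(base_url, source_name.strip())
    got = registered_uri.strip()
    if got == want:
        return findings
    w, g = urlsplit(want), urlsplit(got)
    before = len(findings)
    if (g.scheme, g.netloc) != (w.scheme, w.netloc):
        findings.append(f"scheme or host differs: {g.scheme}://{g.netloc}")
    if g.path != w.path:
        if g.path.lower() == w.path.lower():
            findings.append(f"path differs only by letter case: {g.path}")
        elif g.path.rstrip("/") == w.path:
            findings.append("registered URI has a trailing slash")
        else:
            findings.append(f"path differs: {g.path} (expected {w.path})")
    if g.query or g.fragment:
        findings.append("registered URI carries a query string or fragment")
    if len(findings) == before:
        findings.append(f"differs from expected {want}")
    return findings


if __name__ == "__main__":
    base = "https://gitea.example.test"  # constructed host, not from the thread
    samples = [  # constructed (source name, URI registered at the provider)
        ("gitlab", "https://gitea.example.test/user/oauth2/gitlab/callback"),
        ("Gitlab", "https://gitea.example.test/user/oauth2/gitlab/callback"),
        ("gitlab ", "https://gitea.example.test/user/oauth2/gitlab/callback"),
    ]
    for name, uri in samples:
        print(repr(name), check_redirect_uri(base, name, uri) or "OK")
```
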

@wxiaoguang
Contributor

In most cases, it's caused by this problem:

#23936

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 11, 2023