woodpecker-ci/woodpecker

Error while authenticating against OAuth provider

Closed this issue · 8 comments

Component

server

Describe the bug

I am aware that I run both Gitea and Woodpecker at the edge by using nightly and next versions and that this can cause issues.

When trying to access Woodpecker I am sent to the login page.
After trying to log in I get the following error message: "Error while authenticating against OAuth provider"

I think this has to do with a recent PR being merged in Gitea about granular scopes.
The error messages Woodpecker returns are about a token not having at least one required scope.

In an attempt to fix the issue I had revoked Woodpecker as an "Authorized OAuth2 Application" in Gitea.
Re-adding does not fix the issue.

Steps to reproduce

  1. Set up Woodpecker server with MariaDB server as database and Gitea as a forge.
  2. Run docker compose.
  3. Try to get Woodpecker to connect to Gitea.

Expected behavior

No response

System Info

next-05e355915b

Additional context

Woodpecker logs:

{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:26:17Z","message":"cannot authenticate user"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:27:03Z","message":"cannot authenticate user"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:31:20Z","message":"cannot authenticate user"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:33:18Z","message":"cannot authenticate user"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:40:31Z","message":"cannot authenticate user"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:40:32Z","message":"cannot authenticate user"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:40:34Z","message":"cannot authenticate user"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:40:36Z","message":"cannot authenticate user"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:41:09Z","message":"cannot authenticate user"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:41:09Z","message":"cannot authenticate user"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:41:53Z","message":"cannot authenticate user"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:42:35Z","message":"cannot authenticate user"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:repository]","time":"2024-11-24T15:45:07Z","message":"failed to load branches"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:repository]","time":"2024-11-24T15:45:09Z","message":"get repo 'dionycodes/woodpecker-lftp' from forge"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:repository]","time":"2024-11-24T15:45:11Z","message":"failed to load branches"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:48:40Z","message":"cannot authenticate user"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T15:48:42Z","message":"cannot authenticate user"}

Validations

  • Read the docs.
  • Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
  • Checked that the bug isn't fixed in the next version already [https://woodpecker-ci.org/faq#which-version-of-woodpecker-should-i-use]

I tested exactly this version yesterday and didn't have that error.
What is your Gitea version? What's your configs? Could you add Gitea and Woodpecker logs at debug level?

Which configs do you need for Gitea?

Gitea version: 1.23.0+dev-704-g633785a5f3
Gitea logs:

2024/11/25 00:48:04 ...eb/routing/logger.go:102:func1() [I] router: completed GET /login/oauth/authorize?client_id=2271a6c1-6c20-4b19-b78b-1be991f0f76c&redirect_uri=https%3A%2F%2Fci.example.com%2Fauthorize&response_type=code&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MzI0OTIzODQsImZvcmdlLWlkIjoiMSIsInR5cGUiOiJvYXV0aC1zdGF0ZSJ9.RKNscpD9S0wP3qqNJDDTMcIVe18uTSSAaGBRQmv1ctA for 172.20.0.15:46748, 303 See Other in 11.6ms @ auth/oauth2_provider.go:185(auth.AuthorizeOAuth)
2024/11/25 00:48:05 ...eb/routing/logger.go:102:func1() [I] router: completed POST /login/oauth/access_token for 172.20.0.15:46748, 200 OK in 170.2ms @ auth/oauth2_provider.go:462(auth.AccessTokenOAuth)
2024/11/25 00:48:05 ...eb/routing/logger.go:102:func1() [I] router: completed GET /api/v1/version for 172.20.0.15:46748, 200 OK in 3.1ms @ misc/version.go:15(misc.Version)
2024/11/25 00:48:05 ...eb/routing/logger.go:102:func1() [I] router: completed GET /api/v1/user for 172.20.0.15:46748, 403 Forbidden in 6.3ms @ v1/api.go:297(v1.Routes.func2.tokenRequiresScopes.22)

Woodpecker logs:

{"level":"debug","time":"2024-11-24T23:48:01Z","caller":"/woodpecker/src/github.com/woodpecker-ci/woodpecker/server/api/stream.go:70","message":"user feed: connection opened"}
{"level":"debug","ip":"","latency":1.812529,"method":"GET","path":"/api/forges","status":200,"time":"2024-11-24T23:48:01Z","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","time":"2024-11-24T23:48:01Z","caller":"/woodpecker/src/github.com/woodpecker-ci/woodpecker/server/router/middleware/logger.go:59"}
{"level":"debug","ip":"","latency":0.849317,"method":"GET","path":"/authorize","status":303,"time":"2024-11-24T23:48:04Z","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","time":"2024-11-24T23:48:04Z","caller":"/woodpecker/src/github.com/woodpecker-ci/woodpecker/server/router/middleware/logger.go:59"}
{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","time":"2024-11-24T23:48:05Z","caller":"/woodpecker/src/github.com/woodpecker-ci/woodpecker/server/api/login.go:123","message":"cannot authenticate user"}
{"level":"debug","ip":"","latency":365.068008,"method":"GET","path":"/authorize","status":303,"time":"2024-11-24T23:48:05Z","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","time":"2024-11-24T23:48:05Z","caller":"/woodpecker/src/github.com/woodpecker-ci/woodpecker/server/router/middleware/logger.go:59"}
{"level":"debug","ip":"","latency":0.02655,"method":"GET","path":"/login","status":200,"time":"2024-11-24T23:48:05Z","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","time":"2024-11-24T23:48:05Z","caller":"/woodpecker/src/github.com/woodpecker-ci/woodpecker/server/router/middleware/logger.go:59"}
{"level":"debug","ip":"","latency":0.125656,"method":"GET","path":"/web-config.js","status":200,"time":"2024-11-24T23:48:05Z","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","time":"2024-11-24T23:48:05Z","caller":"/woodpecker/src/github.com/woodpecker-ci/woodpecker/server/router/middleware/logger.go:59"}
{"level":"debug","ip":"","latency":0.02638,"method":"GET","path":"/assets/custom.css","status":200,"time":"2024-11-24T23:48:05Z","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","time":"2024-11-24T23:48:05Z","caller":"/woodpecker/src/github.com/woodpecker-ci/woodpecker/server/router/middleware/logger.go:59"}
{"level":"debug","ip":"","latency":0.023514,"method":"GET","path":"/assets/custom.js","status":200,"time":"2024-11-24T23:48:05Z","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","time":"2024-11-24T23:48:05Z","caller":"/woodpecker/src/github.com/woodpecker-ci/woodpecker/server/router/middleware/logger.go:59"}
{"level":"debug","time":"2024-11-24T23:48:05Z","caller":"/woodpecker/src/github.com/woodpecker-ci/woodpecker/server/api/stream.go:70","message":"user feed: connection opened"}
{"level":"debug","ip":"","latency":1.283995,"method":"GET","path":"/api/forges","status":200,"time":"2024-11-24T23:48:05Z","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","time":"2024-11-24T23:48:05Z","caller":"/woodpecker/src/github.com/woodpecker-ci/woodpecker/server/router/middleware/logger.go:59"}

Woodpecker environment variables:

      - WOODPECKER_OPEN=true
      - WOODPECKER_HOST=https://ci.example.com
      - WOODPECKER_GITEA=true
      - WOODPECKER_GITEA_URL=https://git.example.com
      - WOODPECKER_GITEA_CLIENT=client_id
      - WOODPECKER_GITEA_SECRET=secret
      - WOODPECKER_ADMIN=dionysussg
      - WOODPECKER_AUTHENTICATE_PUBLIC_REPOS=true
      - WOODPECKER_PLUGINS_PRIVILEGED=woodpeckerci/plugin-docker-buildx
      - WOODPECKER_DATABASE_DRIVER=mysql
      - WOODPECKER_DATABASE_DATASOURCE=woodpecker:password@tcp(database_mariadb:3306)/woodpecker?parseTime=true
      - WOODPECKER_LOG_LEVEL=debug
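
A triage sketch for the two log sources quoted above, added here as an example and not part of the thread or of either project's code. It counts which scopes Woodpecker reports as missing per failed operation and lists the requests that Gitea's `tokenRequiresScopes` check rejected; the function names, the scope-list separator and the sample lines are assumptions, with the samples constructed from the log shapes shown in this issue.

```python
import json
import re
from collections import Counter

# Scope list as printed in the error text; assumed space- or comma-separated.
SCOPE_RE = re.compile(r"required scope\(s\): \[([^\]]*)\]")
# Gitea router access-log line: method, path, status, handler.
ROUTER_RE = re.compile(r"router: completed (?P<method>[A-Z]+) (?P<path>\S+) for \S+, "
                       r"(?P<status>\d{3}) [^@]*@ (?P<handler>\S+)")

def missing_scopes(woodpecker_lines):
    """Count (scope, failed operation) pairs in Woodpecker JSON error logs."""
    counts = Counter()
    for line in woodpecker_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON log record
        if not isinstance(rec, dict) or rec.get("level") != "error":
            continue
        m = SCOPE_RE.search(str(rec.get("error", "")))
        scopes = re.split(r"[,\s]+", m.group(1)) if m else []
        for scope in filter(None, scopes):
            counts[(scope, rec.get("message", ""))] += 1
    return counts

def scope_denials(gitea_lines):
    """Requests rejected by Gitea's scope check; query strings are dropped."""
    hits = []
    for line in gitea_lines:
        m = ROUTER_RE.search(line)
        if m and m["status"] == "403" and "tokenRequiresScopes" in m["handler"]:
            hits.append((m["method"], m["path"].split("?", 1)[0]))
    return hits

# Constructed sample lines, shortened from the log shapes quoted in this thread.
WOODPECKER = [
    '{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","message":"cannot authenticate user"}',
    '{"level":"error","error":"token does not have at least one of required scope(s): [read:user]","message":"cannot authenticate user"}',
    '{"level":"error","error":"token does not have at least one of required scope(s): [read:repository]","message":"failed to load branches"}',
    '{"level":"debug","method":"GET","path":"/authorize","status":303}',
]
GITEA = [
    "2024/11/25 00:48:05 ...eb/routing/logger.go:102:func1() [I] router: completed POST /login/oauth/access_token for 172.20.0.15:46748, 200 OK in 170.2ms @ auth/oauth2_provider.go:462(auth.AccessTokenOAuth)",
    "2024/11/25 00:48:05 ...eb/routing/logger.go:102:func1() [I] router: completed GET /api/v1/user for 172.20.0.15:46748, 403 Forbidden in 6.3ms @ v1/api.go:297(v1.Routes.func2.tokenRequiresScopes.22)",
]

if __name__ == "__main__":
    print(missing_scopes(WOODPECKER).most_common())
    print(scope_denials(GITEA))
```

A 200 on the token exchange followed by a scope-check 403 on the first API call, as in the sample, separates a scope problem from a bad client ID or secret.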

Gitea version: 1.23.0+dev-704-g633785a5f3

Did it work on 1.22? I have 1.22.

Yes. It has been working until yesterday.
Unfortunately I don't think I can actually check and verify by going back to 1.22.
Additionally Gitea doesn't create Docker images per git commit so I can't go back to a version from a few days ago to check.

Below is a screenshot of the screen I get when I want to authorize Woodpecker. It does not contain a list with scopes.
[Screenshot: 2024-11-25 01_06_32-Gitea_ Git with a cup of tea]

Alright. I have found a way to check if a previous nightly works.
I can confirm that version 1.23.0+dev-694-ga175f9805c is working and has no problems authorizing Woodpecker to Gitea.
It can now also access all the repos and build stuff using repos stored in Gitea.

This version is based on this commit go-gitea/gitea@a175f98 which is the last commit before the PR I think is causing the issue.

Hope this helps.

I am also using woodpecker, and I also encountered the problem.

Will be fixed by "Improve oauth2 scope token handling" (go-gitea/gitea#32633).

Feel free to try my fix.

I just tried your fix and it works.

With go-gitea/gitea#32633 being merged, this issue is now resolved, I think.
Thank you @wxiaoguang and @zc-devs for the help.