
OAuth2 access returns 500 Whoops, something went wrong on our end

### Summary

The OAuth2 provider verifies the user identity and returns the user information; GitLab then returns an error 500 without directions on how to proceed.

### Steps to reproduce

On the OAuth2 Provider's side:

Register gitlab as a service provider at the OAuth2 provider

On the GitLab Side

Edit the gitlab.rb file (and run reconfigure after)

```ruby
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['oauth2_generic']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_providers'] = [
  {
    'name' => 'oauth2_generic',
    'app_id' => '<ClientID>',
    'app_secret' => '<ClientSecret>',
    # Note: GitLab forwards only app_id, app_secret and the contents of 'args' to the
    # OmniAuth strategy, and omniauth-oauth2 reads 'scope' from the strategy options,
    # so a top-level 'scope' key does not reach the provider (the consent URL in the
    # workhorse log below shows scope= empty).
    'scope' => 'openid',
    'args' => {
      client_options: {
        'site' => 'https://<OAUTH2_SERVER_URL>:<OAUTH2_SERVER_PORT>', # including port if necessary
        'authorize_url' => '/oauth2/authorize',
        'user_info_url' => '/oauth2/userinfo',
        'token_url' => '/oauth2/token'
      },
      user_response_structure: {
        id_path: ['sub'], # the user id is the top-level 'sub' claim of the userinfo response; a nested id (e.g. a 'user' node under a 'data' node) would need a path such as ['data', 'user', 'id']
        attributes: { nickname: 'username', email: 'email' } # the nickname attribute of a user is called 'username' at the provider
      },
      # optionally, you can add the following two lines to "white label" the display name
      # of this strategy (appears in urls and Gitlab login buttons)
      # If you do this, you must also replace oauth2_generic, everywhere it appears above, with the new name.
      name: 'oauth2_generic',
      strategy_class: "OmniAuth::Strategies::OAuth2Generic" # Devise-specific config option Gitlab uses to find renamed strategy
    }
  }
]
```

Note: I made sure the username, email and sub are mapped to the claims returned by the OAuth2 provider.

Finally, try to log into GitLab using OAuth (I am using accounts whose email address or username do not exist on GitLab)

### What is the current bug behavior?

  • I access the GitLab login page
  • I choose "Sign in with OAuth2 Generic"
  • I interact with OAuth2 Provider
    • I provide username/password
    • I confirm that I allow the sharing of user information with gitlab
  • I am redirected to gitlab
  • GitLab presents 500 Whoops, something went wrong on our end

### What is the expected correct behavior?

  • I access the GitLab login page
  • I choose "Sign in with OAuth2 Generic"
  • I interact with OAuth2 Provider
    • I provide username/password
    • I confirm that I allow the sharing of user information with gitlab
  • I am redirected to gitlab
  • The process ends with the creation of the new user

### Relevant logs and/or screenshots

I've searched for logs containing the name of the user I am trying to connect with:

  • gitlab-workhorse/current:

    672:2018-03-09_00:12:40.35195 gitlab.<DOMAIN> @ - - [2018-03-09 00:12:40.295160928 +0000 UTC m=+201722.610560644] "GET /users/auth/oauth2_generic/callback?code=154a3b7b-ac89-3831-b4d7-d8f51495c491&state=2fffb828bf0a4e63789dac44b257922f7c73650a3d186ba4 HTTP/1.1" 500 2902 "https://<OAUTH2_SERVER_URL>:<OAUTH2_SERVER_PORT>/authenticationendpoint/oauth2_authz.do?loggedInUser=wso2nick&application=gitlab.<DOMAIN>&scope=&sessionDataKeyConsent=7ddee032-2fd3-44fb-975a-e33ac6939969&spQueryParams=client_id%<ID>%26redirect_uri%3Dhttps%253A%252F%252Fgitlab.<DOMAIN>%252Fusers%252Fauth%252Foauth2_generic%252Fcallback%26response_type%3Dcode%26state%3D2fffb828bf0a4e63789dac44b257922f7c73650a3d186ba4" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0" 0.055789

(Screenshot: gitlab500error)

### Output of checks

(If you are reporting a bug on GitLab.com, write: This bug happens on GitLab.com)

#### Results of GitLab environment info

<details>
<summary>Expand for output related to GitLab environment info</summary>
<pre>
System information
System:
Current User:   git
Using RVM:      no
Ruby Version:   2.3.6p384
Gem Version:    2.6.13
Bundler Version:1.13.7
Rake Version:   12.3.0
Redis Version:  3.2.11
Git Version:    2.14.3
Sidekiq Version:5.0.5
Go Version:     unknown

GitLab information
Version:        10.4.3
Revision:       183dd5d
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     postgresql
URL:            https://gitlab.<DOMAIN>
HTTP Clone URL: https://gitlab.<DOMAIN>/some-group/some-project.git
SSH Clone URL:  git@gitlab.<DOMAIN>:some-group/some-project.git
Using LDAP:     no
Using Omniauth: yes
Omniauth Providers: oauth2_generic

GitLab Shell
Version:        5.11.0
Repository storage paths:
- default:      /var/opt/gitlab/git-data/repositories
Hooks:          /opt/gitlab/embedded/service/gitlab-shell/hooks
Git:            /opt/gitlab/embedded/bin/git


</pre>
</details>

#### Results of GitLab application Check

<details>
<summary>Expand for output related to the GitLab application check</summary>
<pre>

Checking GitLab Shell ...

GitLab Shell version >= 5.11.0 ? ... OK (5.11.0)
Repo base directory exists?
default... yes
Repo storage directories are symlinks?
default... no
Repo paths owned by git:root, or git:git?
default... yes
Repo paths access is drwxrws---?
default... yes
hooks directories in repos are links: ... 
3/6 ... ok
3/7 ... ok
14/9 ... ok
7/11 ... ok
22/12 ... ok
19/13 ... ok
18/14 ... ok
21/15 ... ok
24/16 ... ok
23/17 ... ok
23/18 ... ok
21/19 ... ok
23/20 ... ok
23/21 ... ok
23/22 ... ok
24/23 ... ok
25/24 ... ok
23/25 ... ok
23/26 ... ok
26/28 ... ok
26/41 ... ok
26/47 ... ok
26/48 ... ok
26/49 ... ok
26/50 ... ok
26/51 ... ok
26/52 ... ok
26/53 ... ok
26/54 ... ok
26/55 ... ok
26/56 ... ok
26/57 ... ok
26/58 ... ok
26/59 ... ok
25/60 ... ok
26/61 ... ok
3/62 ... ok
26/63 ... ok
26/64 ... ok
26/65 ... ok
26/66 ... ok
26/67 ... ok
25/68 ... ok
27/69 ... ok
35/70 ... ok
27/71 ... ok
21/72 ... ok
19/73 ... ok
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK

Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Sidekiq ...

Running? ... yes
Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

Reply by email is disabled in config/gitlab.yml
Checking LDAP ...

LDAP is disabled in config/gitlab.yml

Checking LDAP ... Finished

Checking GitLab ...

Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ... 
3/6 ... yes
3/7 ... yes
14/9 ... yes
7/11 ... yes
22/12 ... yes
19/13 ... yes
18/14 ... yes
21/15 ... yes
24/16 ... yes
23/17 ... yes
23/18 ... yes
21/19 ... yes
23/20 ... yes
23/21 ... yes
23/22 ... yes
24/23 ... yes
25/24 ... yes
23/25 ... yes
23/26 ... yes
26/28 ... yes
26/41 ... yes
26/47 ... yes
26/48 ... yes
26/49 ... yes
26/50 ... yes
26/51 ... yes
26/52 ... yes
26/53 ... yes
26/54 ... yes
26/55 ... yes
26/56 ... yes
26/57 ... yes
26/58 ... yes
26/59 ... yes
25/60 ... yes
26/61 ... yes
3/62 ... yes
26/63 ... yes
26/64 ... yes
26/65 ... yes
26/66 ... yes
26/67 ... yes
25/68 ... yes
27/69 ... yes
35/70 ... yes
27/71 ... yes
21/72 ... yes
19/73 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.3.6)
Git version >= 2.7.3 ? ... yes (2.14.3)
Git user has default SSH configuration? ... yes
Active users: ... 14

Checking GitLab ... Finished



</pre>
</details>

### Possible fixes

(If you can, link to the line of code that might be responsible for the problem)
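A check for the claim mapping used in the "Steps to reproduce" configuration, added here as an example and not code from GitLab or from omniauth-oauth2-generic: it resolves the `id_path` and the `attributes` of a `user_response_structure` against a userinfo response and reports which mapped claims are missing, so a provider that returns `preferred_username` instead of `username`, or no `sub` at all (for instance when the `openid` scope was never sent), shows up before the callback. All userinfo bodies below are constructed; the nested example and its array-valued attribute paths are this example's own generalization of the README's `['data', 'user', 'id']` form, not a claim about the gem's option semantics.

```ruby
require 'json'

# Mapping taken from the gitlab.rb in this issue.
USER_RESPONSE_STRUCTURE = {
  id_path: ['sub'],
  attributes: { nickname: 'username', email: 'email' }
}.freeze

# Constructed userinfo response with claims named exactly as the mapping expects.
USERINFO_OK = <<~JSON
  {"sub": "wso2nick", "username": "wso2nick", "email": "wso2nick@example.com"}
JSON

# Constructed response using the standard OIDC claim name: 'username' is absent,
# so nickname cannot be filled from it.
USERINFO_OIDC_NAMES = <<~JSON
  {"sub": "wso2nick", "preferred_username": "wso2nick", "email": "wso2nick@example.com"}
JSON

# Constructed response without 'sub', as happens when the provider does not treat
# the request as an OpenID Connect one (no openid scope granted).
USERINFO_NO_SUB = <<~JSON
  {"email": "wso2nick@example.com"}
JSON

# Constructed JSON:API-style nesting, with the mapping this example would need for it.
USERINFO_NESTED = <<~JSON
  {"data": {"user": {"id": 42, "attributes": {"nickname": "wso2nick", "email": "wso2nick@example.com"}}}}
JSON
NESTED_STRUCTURE = {
  id_path: %w[data user id],
  attributes: { nickname: %w[data user attributes nickname], email: %w[data user attributes email] }
}.freeze

# Follow a path (a single key or an array of keys) into the parsed JSON; nil if any
# step is not a hash or the key is absent.
def dig_path(raw, path)
  Array(path).reduce(raw) { |node, key| node.is_a?(Hash) ? node[key] : nil }
end

# Returns { uid:, info:, missing: }. The uid is nil and its path is listed in
# :missing when it cannot be resolved; attributes whose mapped claim is absent or
# blank are listed in :missing as well, so the caller sees every gap at once.
def check_user_response(json, structure)
  raw = JSON.parse(json)
  missing = []

  uid = dig_path(raw, structure[:id_path])
  missing << Array(structure[:id_path]).join('.') if uid.nil? || uid.to_s.strip.empty?

  info = {}
  structure[:attributes].each do |info_key, claim_path|
    value = dig_path(raw, claim_path)
    if value.nil? || value.to_s.strip.empty?
      missing << "#{info_key} (mapped to #{Array(claim_path).join('.')})"
    else
      info[info_key] = value
    end
  end

  { uid: uid.nil? ? nil : uid.to_s, info: info, missing: missing }
end

if __FILE__ == $PROGRAM_NAME
  [[USERINFO_OK, USER_RESPONSE_STRUCTURE],
   [USERINFO_OIDC_NAMES, USER_RESPONSE_STRUCTURE],
   [USERINFO_NO_SUB, USER_RESPONSE_STRUCTURE],
   [USERINFO_NESTED, NESTED_STRUCTURE]].each do |json, structure|
    result = check_user_response(json, structure)
    status = result[:missing].empty? ? 'OK' : "MISSING: #{result[:missing].join(', ')}"
    puts "uid=#{result[:uid].inspect} info=#{result[:info]} -> #{status}"
  end
end
```

To use it against a real provider, paste the body returned by the `user_info_url` (fetched with the access token from a manual code exchange) into one of the constants and run the script; an empty `missing` list means the mapping in `gitlab.rb` matches what the provider actually returns.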