Regression: External jenkins oauth to gitlab broken suddenly since today: insufficient scope: "scope":"read_user api read_api"

Summary

We authenticate our external Jenkins against gitlab.com users. This suddenly stopped working; first noticed today (2020-08-27).

Behavior seen:

1.) Every user suddenly gets the question 'Authorize XX application to use your account?' again.

2.) Even after doing the authorization again, login does not work.

3.) The Jenkins error log clearly shows: Caused: org.gitlab.api.GitlabAPIException: {"error":"insufficient_scope","error_description":"The request requires higher privileges than provided by the access token.","scope":"read_user api read_api"}

4.) The application entry defined in gitlab.com for Jenkins has scope=api (only api), unchanged for a long time.

5.) Apparently since yesterday that scope is no longer sufficient (cause unknown).

6.) Editing the application entry to read "read_user,api,read_api", then revoking the old authorization and authorizing again, does not help.

7.) On top of that, reauthorizing shows another problem:

7.a) The dialog about requested authorizations only talks about the first scope, 'read_user'.

7.b) The granted authorization for the application entry only shows 'read_user', not all 3 scopes defined.

7.c) The Jenkins error on attempted login now shows: Caused: org.gitlab.api.GitlabAPIException: {"error":"insufficient_scope","error_description":"The request requires higher privileges than provided by the access token.","scope":"api read_api"}

That seems to indicate maybe a 2nd bug in the application authorization workflow when more than one scope is requested at the same time.
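A small diagnostic, added here as an example and not part of the issue or of GitLab's code, that parses the two insufficient_scope error bodies quoted above and checks them against a token's granted scopes; GitLab's API guard accepts a token if it holds any one of the scopes listed in the error's "scope" field, so an api-only token should satisfy both calls, which is what makes the first error look like a regression. The /oauth/token/info response below is constructed (the application uid is a placeholder), and comma-separated scope lists are normalized because RFC 6749 defines scope as space-delimited.

```python
"""Check a GitLab OAuth token's granted scopes against insufficient_scope errors."""
import json

def parse_scope_list(raw):
    """Split a scope string into a set. RFC 6749 scope lists are space-delimited;
    commas are also accepted so the comma-separated application entry in this
    issue ("read_user,api,read_api") can be compared with the error's form."""
    return {s for s in raw.replace(",", " ").split() if s}

def acceptable_scopes(error_body):
    """Parse a GitLab insufficient_scope error body. Its 'scope' field lists the
    scopes any one of which is enough for the failing call. Returns None when the
    body is not an insufficient_scope error (e.g. an invalid or expired token)."""
    try:
        err = json.loads(error_body)
    except json.JSONDecodeError:
        return None
    if err.get("error") != "insufficient_scope":
        return None
    return parse_scope_list(err.get("scope", ""))

def granted_scopes(token_info_body):
    """Extract granted scopes from a GET /oauth/token/info response, whose
    'scope' field is a JSON array of scope names."""
    return set(json.loads(token_info_body).get("scope", []))

def diagnose(error_body, granted):
    """Return (ok, acceptable): ok is True when the token holds at least one
    acceptable scope, i.e. the error should not have happened for that token."""
    acceptable = acceptable_scopes(error_body)
    if acceptable is None:
        return (True, set())  # not a scope problem; look elsewhere
    return (bool(acceptable & granted), acceptable)

# Error bodies quoted in this issue, plus a constructed /oauth/token/info response.
FIRST_ERROR = '{"error":"insufficient_scope","error_description":"The request requires higher privileges than provided by the access token.","scope":"read_user api read_api"}'
SECOND_ERROR = '{"error":"insufficient_scope","error_description":"The request requires higher privileges than provided by the access token.","scope":"api read_api"}'
TOKEN_INFO = '{"resource_owner_id":1,"scope":["read_user"],"expires_in":null,"application":{"uid":"PLACEHOLDER-APP-UID"},"created_at":1598500000}'

if __name__ == "__main__":
    cases = (("original entry (api only)", parse_scope_list("api")),
             ("after re-authorization", granted_scopes(TOKEN_INFO)))
    for label, scopes in cases:
        for name, body in (("first call", FIRST_ERROR), ("second call", SECOND_ERROR)):
            ok, acceptable = diagnose(body, scopes)
            verdict = "should pass" if ok else "blocked"
            print(f"{label}: {name} -> {verdict}; accepted scopes: {sorted(acceptable)}")
```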

Steps to reproduce

As that seems to be a regression on the gitlab.com side (as far as we can tell), no more info than the above is available.

What is the current bug behavior?

Existing workflow broken. Suggested fix (by error message) to increase scopes also broken.

What is the expected correct behavior?

Either: a.) the oauth login integration works with only the api scope as before, or b.) alternatively, a clear notification if requirements have changed.

Also, an application entry with 3 scopes and user authorization should authorize this application for all 3 scopes (not just the first one).

Relevant logs and/or screenshots

Screenshot of the initial Jenkins error showing the existing api scope no longer being sufficient: [screenshot: gitlab.com-bug-jenkins-log-oauth-scope]

Us modifying the application entry to match the apparently now required scopes (read_user,api,read_api): [screenshot: gitlab.com-bug-modified-Your-application-entry]

Trying to authorize the user with the modified scopes. Here you can see it only talks about read_user and is apparently missing (api,read_api): [screenshot: gitlab.com-bug-modified-Authorize-missing-2-scopes]

Authorization done, showing only the read_user scope was granted => missing api & read_api: [screenshot: gitlab.com-bug-modified-Authorization-done-missing-2-scopes]

Output of checks

This bug happens on GitLab.com

Possible fixes

This is about 2 problems: a.) an apparent regression, b.) editing the scope definition.

Item b.) was our workaround to solve problem a.), but as explained here, trying to do b.) (editing scopes) also failed.

So it is possible that there are 2 problems here: a.) a regression, b.) a broken feature.

Edited by Stefan Huehner