openid_connect provider vs gitea fails with 500 error during callback (Request URI must have schema)
Summary
I'm trying to add a gitea instance as an openid_connect auth provider for my gitlab instance. I followed https://docs.gitlab.com/ee/administration/auth/oidc.html finding most of the values to plug in here: https://github.com/matrix-org/synapse/blob/develop/docs/openid.md#gitea.
(Also see gitea oauth docs: https://docs.gitea.io/en-us/oauth2-provider/#supported-oauth2-grants)
Unfortunately, when trying this out I get a strange 500 error in GitLab upon calling the callback URL:
Started POST "/users/auth/openid_connect" for 5.28.87.22 at 2021-06-05 15:49:32 +0200
Processing by Gitlab::RequestForgeryProtection::Controller#index as HTML
Parameters: {"authenticity_token"=>"[FILTERED]"}
Completed 200 OK in 0ms (ActiveRecord: 0.0ms | Elasticsearch: 0.0ms | Allocations: 105)
Started GET "/users/auth/openid_connect/callback?code=[FILTERED]&state=XXXXXX" for 5.28.87.22 at 2021-06-05 15:49:32 +0200
ArgumentError (Request URI must have schema. Possibly add 'http://' to the request URI?):
lib/gitlab/middleware/speedscope.rb:13:in `call'
lib/gitlab/request_profiler/middleware.rb:17:in `call'
lib/gitlab/jira/middleware.rb:19:in `call'
lib/gitlab/middleware/go.rb:20:in `call'
lib/gitlab/etag_caching/middleware.rb:21:in `call'
lib/gitlab/middleware/multipart.rb:172:in `call'
lib/gitlab/middleware/read_only/controller.rb:50:in `call'
lib/gitlab/middleware/read_only.rb:18:in `call'
lib/gitlab/middleware/same_site_cookies.rb:27:in `call'
lib/gitlab/middleware/handle_malformed_strings.rb:21:in `call'
lib/gitlab/middleware/basic_health_check.rb:25:in `call'
lib/gitlab/middleware/handle_ip_spoof_attack_error.rb:25:in `call'
lib/gitlab/middleware/request_context.rb:21:in `call'
config/initializers/fix_local_cache_middleware.rb:11:in `call'
lib/gitlab/middleware/rack_multipart_tempfile_factory.rb:19:in `call'
lib/gitlab/metrics/requests_rack_middleware.rb:76:in `call'
lib/gitlab/middleware/release_env.rb:12:in `call'
When refreshing the (failed login/500 error) page once more I get this error badge:
Could not authenticate you from OpenIDConnect because "Unauthorized client :: client is not authorized".
My GitLab instance is installed from source behind an nginx reverse proxy with HTTPS enabled and proxy headers set up according to GitLab's HTTPS setup docs.
Steps to reproduce
On the gitea side the following redirect URL is set: http://git.bubu1.eu/users/auth/openid_connect/callback
This is the gitlab config:
  - { name: 'openid_connect',
      label: 'Codeberg',
      icon: 'https://bubu1.eu/codeberg.png',
      args: {
        name: 'openid_connect',
        scope: [],
        response_type: 'code',
        issuer: 'https://codeberg.org/',
        client_auth_method: 'client_secret_post',
        uid_field: 'login',
        send_scope_to_token_endpoint: false,
        client_options: {
          identifier: '[REDACTED]',
          secret: '[REDACTED]',
          redirect_uri: 'https://git.bubu1.eu/users/auth/openid_connect/callback',
          authorization_endpoint: 'https://codeberg.org/login/oauth/authorize',
          token_endpoint: 'https://codeberg.org/login/oauth/access_token',
          userinfo_endpoint: 'https://codeberg.org/api/v1/user'
        }
      }
    }
The button gets shown correctly, but upon authorization on the Gitea side, returning to GitLab brings a 500 error with the log posted above.
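The following is an added diagnostic example, not code from the issue author or from GitLab/Gitea. It takes the two values the report makes visible (the redirect URL registered on the Gitea side uses http://, the redirect_uri in the GitLab config uses https://) and checks them for the two things that break an OIDC callback: an endpoint or redirect URI with no scheme (the httpclient gem raises the "Request URI must have schema" message for such a URI), and a redirect_uri that is not byte-for-byte identical to the one registered at the provider, which RFC 6749 section 3.1.2.3 requires to be compared by simple string comparison. The constants are a constructed sample copied from the config above; whether the http/https mismatch is the actual cause of the 500 in this report is not established by the page and is only what this check flags.

```ruby
require 'uri'

# Constructed sample taken from the issue text: the redirect URL registered at the
# provider (Gitea) and the client_options from the posted GitLab config.
PROVIDER_REGISTERED_REDIRECT = 'http://git.bubu1.eu/users/auth/openid_connect/callback'

CLIENT_OPTIONS = {
  redirect_uri: 'https://git.bubu1.eu/users/auth/openid_connect/callback',
  authorization_endpoint: 'https://codeberg.org/login/oauth/authorize',
  token_endpoint: 'https://codeberg.org/login/oauth/access_token',
  userinfo_endpoint: 'https://codeberg.org/api/v1/user'
}.freeze

# Returns an array of problems with one URL value; an empty array means it is an
# absolute https URL with a host. A missing scheme is listed first because that is
# the condition behind the "Request URI must have schema" ArgumentError.
def url_problems(name, value)
  uri = begin
    URI.parse(value.to_s)
  rescue URI::InvalidURIError
    return ["#{name}: not a parseable URI: #{value.inspect}"]
  end

  problems = []
  problems << "#{name}: missing scheme (an absolute URI is required)" if uri.scheme.nil?
  problems << "#{name}: missing host" if uri.host.nil? || uri.host.empty?
  problems << "#{name}: scheme is #{uri.scheme}, expected https" if uri.scheme && uri.scheme != 'https'
  problems
end

# Checks the client-side OIDC options against the provider-side registration.
# Every endpoint must be an absolute https URL, and the redirect_uri the client
# sends must equal the registered one exactly (RFC 6749 section 3.1.2.3: simple
# string comparison, so http:// versus https:// is a mismatch).
def check_oidc_config(client_options, registered_redirect)
  problems = []
  %i[redirect_uri authorization_endpoint token_endpoint userinfo_endpoint].each do |key|
    if client_options[key].nil?
      problems << "#{key}: not set"
    else
      problems.concat(url_problems(key, client_options[key]))
    end
  end
  problems.concat(url_problems(:registered_redirect, registered_redirect))

  if client_options[:redirect_uri] && client_options[:redirect_uri] != registered_redirect
    problems << "redirect_uri mismatch: client sends #{client_options[:redirect_uri]} " \
                "but provider has #{registered_redirect} registered"
  end
  problems
end

if $PROGRAM_NAME == __FILE__
  problems = check_oidc_config(CLIENT_OPTIONS, PROVIDER_REGISTERED_REDIRECT)
  puts(problems.empty? ? 'OIDC client config and registration are consistent' : problems)
end
```

Run with `ruby oidc_check.rb`; for the sample values it reports the http scheme on the registered redirect URL and the redirect_uri mismatch. Swap in the values from your own gitlab.yml and the provider's application page to check a different deployment.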
What is the current bug behavior?
Login with gitea not working
What is the expected correct behavior?
Login with gitea works.
Relevant logs and/or screenshots
See above
Output of checks
Results of GitLab environment info
System information
System:
Current User: gitlab
Using RVM: no
Ruby Version: 3.0.1p64
Gem Version: /usr/lib/ruby/2.7.0/bundler/spec_set.rb:86:in `block in materialize': Could not find rake-13.0.3 in any of the sources (Bundler::GemNotFound)
  from /usr/lib/ruby/2.7.0/bundler/spec_set.rb:80:in `map!'
  from /usr/lib/ruby/2.7.0/bundler/spec_set.rb:80:in `materialize'
  from /usr/lib/ruby/2.7.0/bundler/definition.rb:170:in `specs'
  from /usr/lib/ruby/2.7.0/bundler/definition.rb:237:in `specs_for'
  from /usr/lib/ruby/2.7.0/bundler/definition.rb:226:in `requested_specs'
  from /usr/lib/ruby/2.7.0/bundler/runtime.rb:101:in `block in definition_method'
  from /usr/lib/ruby/2.7.0/bundler/runtime.rb:20:in `setup'
  from /usr/lib/ruby/2.7.0/bundler.rb:149:in `setup'
  from /usr/lib/ruby/2.7.0/bundler/setup.rb:20:in `block in '
  from /usr/lib/ruby/2.7.0/bundler/ui/shell.rb:136:in `with_level'
  from /usr/lib/ruby/2.7.0/bundler/ui/shell.rb:88:in `silence'
  from /usr/lib/ruby/2.7.0/bundler/setup.rb:20:in `'
  from :85:in `require'
  from :85:in `require'
Bundler Version: 2.7.0
Rake Version: 13.0.3
Redis Version: 6.2.4
Git Version: 2.31.1
Sidekiq Version: 5.2.9
Go Version: go1.16.4 linux/amd64

GitLab information
Version: 13.12.2
Revision: d98457affdf
Directory: /usr/share/webapps/gitlab
DB Adapter: PostgreSQL
DB Version: 13.2
URL: https://git.bubu1.eu
HTTP Clone URL: https://git.bubu1.eu/some-group/some-project.git
SSH Clone URL: ssh://gitlab@git.bubu1.eu:5522/some-group/some-project.git
Using LDAP: no
Using Omniauth: yes
Omniauth Providers: github, gitlab, openid_connect

GitLab Shell
Version: 13.18.0
Repository storage paths:
- default: /var/lib/gitlab/repositories
GitLab Shell path: /usr/share/webapps/gitlab-shell
Git: /usr/bin/git
Results of GitLab application Check
Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 13.18.0 ? ... OK (13.18.0)
Running /usr/share/webapps/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 0/1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab App ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... no
  Try fixing it:
  Install the init script
  For more information see:
  doc/install/installation.md in section "Install Init Script"
  Please fix the error above and rerun the checks.
Init script up-to-date? ... can't check because of previous errors
Projects have namespace: ...
Marcus / android-dice-game ... yes
Marcus / NitroKeyWrapper ... yes
Marcus / PrivExt ... yes
Marcus / F-Droid Classic ... yes
Marcus / fdroidserver ... yes
Marcus / CCTG - Mirror ... yes
Marcus / LD29 ... yes
Marcus / synapse ... yes
Marcus / PrivExt Installer ... yes
Marcus / FDroid DB Scheme ... yes
Marcus / toot ... yes
Marcus / testing-project ... yes
Marcus / linux ... yes
Redis version >= 5.0.0? ... yes
Ruby version >= 2.7.2 ? ... yes (2.7.3)
Git version >= 2.31.0 ? ... yes (2.31.1)
Git user has default SSH configuration? ... yes
Active users: ... 25
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished
Possible fixes
I found something vaguely related here: https://stackoverflow.com/a/29125027/1634837 and tried using an http:// callback URL as suggested there. This did not make a difference.