OAuth token returns invalid_grant error
Summary
While generating an OAuth token for the root user with grant_type password, I am getting a 400 error on some self-managed Omnibus GitLab instances.
Steps to reproduce
- Open backend terminal of self managed GitLab.
- Run the curl command:
curl -v --request POST --url 'https://xyz.com/gitlab/oauth/token' --header 'content-type: application/json' --data "{ \"grant_type\": \"password\", \"username\": \"root\", \"password\": \"${GITLAB_ROOT_PASSWORD}\" }"
- The command responds with an error.
Example Project
What is the current bug behavior?
It gives the error:
< Www-Authenticate: Bearer realm="Doorkeeper", error="invalid_grant", error_description="The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."
What is the expected correct behavior?
It should return a token.
Relevant logs and/or screenshots
Processing by Gitlab::RequestForgeryProtection::Controller#index as HTML
Completed 200 OK in 1ms (ActiveRecord: 0.0ms | Elasticsearch: 0.0ms | Allocations: 90)
Started POST "/gitlab/oauth/token" for x.x.x.x at 2024-04-03 09:33:12 +0000
Processing by Oauth::TokensController#create as HTML
Parameters: {"password"=>"[FILTERED]", "grant_type"=>"password", "username"=>"root", "token"=>{"password"=>"[FILTERED]", "grant_type"=>"password", "username"=>"root"}}
Completed 400 Bad Request in 9ms (Views: 0.2ms | ActiveRecord: 2.1ms | Elasticsearch: 0.0ms | Allocations: 1324)
Output of checks
Results of GitLab environment info
System information
System:
Current User: git
Using RVM: no
Ruby Version: 2.7.7p221
Gem Version: 3.1.6
Bundler Version:2.3.15
Rake Version: 13.0.6
Redis Version: 6.2.11
Sidekiq Version:6.5.7
Go Version: unknown

GitLab information
Version: 15.9.8
Revision: 6b5613ba460
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 12.15
URL: https://xyz.com/gitlab
HTTP Clone URL: https://xyz.com/gitlab/some-group/some-project.git
SSH Clone URL: ssh://git@xyz.com:2224/some-group/some-project.git
Using LDAP: yes
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version: 14.17.0
Repository storages:
- default: unix:/var/opt/gitlab/gitaly/gitaly.socket
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Results of GitLab application Check
Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 14.17.0 ? ... OK (14.17.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/2
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
User output sanitized. Found 100 users of 100 limit.
Checking LDAP ... Finished
Checking GitLab App ...
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Cable config exists? ... yes
Resque config exists? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Projects have namespace: ...
Redis version >= 6.0.0? ... yes
Ruby version >= 2.7.2 ? ... yes (2.7.7)
Git user has default SSH configuration? ... yes
Active users: ... 191
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished
Possible fixes
See #454286 (comment 1867091118) for the workaround, and the change to logging to respond with a better message
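A triage helper for the two artifacts quoted in this report, added here as an example (not GitLab's or Doorkeeper's code): it parses the `Www-Authenticate` challenge into its fields and pairs each `/oauth/token` POST in the Rails log with its completion status. The sample input is constructed from the lines above (abridged), and the parser assumes the log lines of one request are contiguous, as in the excerpt.

```python
import re

# Constructed sample input: the header value and log lines quoted in the report.
CHALLENGE = ('Bearer realm="Doorkeeper", error="invalid_grant", '
             'error_description="The provided authorization grant is invalid, '
             'expired, revoked, does not match the redirection URI used in the '
             'authorization request, or was issued to another client."')
LOG = '''Processing by Gitlab::RequestForgeryProtection::Controller#index as HTML
Completed 200 OK in 1ms (ActiveRecord: 0.0ms | Elasticsearch: 0.0ms | Allocations: 90)
Started POST "/gitlab/oauth/token" for x.x.x.x at 2024-04-03 09:33:12 +0000
Processing by Oauth::TokensController#create as HTML
Parameters: {"password"=>"[FILTERED]", "grant_type"=>"password", "username"=>"root"}
Completed 400 Bad Request in 9ms (Views: 0.2ms | ActiveRecord: 2.1ms)
'''

def parse_challenge(value):
    """Split a WWW-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = value.partition(" ")
    params = {k: v.replace('\\"', '"')
              for k, v in re.findall(r'(\w+)="((?:[^"\\]|\\.)*)"', rest)}
    return scheme, params

STARTED = re.compile(r'^Started POST "(\S*/oauth/token)" for (\S+) at (.+)$')
PARAM = re.compile(r'"(grant_type|username)"=>"([^"]*)"')
COMPLETED = re.compile(r'^Completed (\d{3}) ')

def failed_token_requests(log_text):
    """Return one dict per /oauth/token POST that completed with status >= 400.

    Lines that belong to other requests (such as the 200 at the top of the
    sample) are ignored because no token request is open when they appear.
    """
    failures, current = [], None
    for line in log_text.splitlines():
        line = line.strip()
        if m := STARTED.match(line):
            current = {"path": m[1], "client": m[2], "time": m[3]}
        elif current is not None and line.startswith("Parameters:"):
            current.update(PARAM.findall(line))
        elif current is not None and (m := COMPLETED.match(line)):
            current["status"] = int(m[1])
            if current["status"] >= 400:
                failures.append(current)
            current = None
    return failures

if __name__ == "__main__":
    print(parse_challenge(CHALLENGE))
    print(failed_token_requests(LOG))
```

Grouping the returned records by `client` and `username` also shows whether repeated password-grant failures come from one operator's script or from many sources.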