Open NexZhu opened 1 year ago
Help needed🙏
Which provider did you use in fact?
@lunny https://kanidm.com/
Yes, with Kanidm it had worked once, but I've upgraded the Gitea version since. I also logged the response from Authelia, which is working, and compared it with the Kanidm one, which has one more field, refresh_token. I don't think it could be the cause though.
I can reproduce that (found this issue by googling for the very same problem). Following...
According to this writeup, it rather seems to be an issue with kanidm... https://ashhhleyyy.dev/blog/2023-02-05-from-keycloak-to-kanidm
@pfalzsocial According to the blog post you posted, it should work with the latest Kanidm; however, it's failing for me with the latest Kanidm 1.1.0-beta.13. Also, Gitea complaining "server response missing access_token" when it actually exists is at least not an accurate error message; we still need some help from the Gitea team to find out the real cause of the 500 error.
@lunny @techknowlogick Any advice how I can debug further?
@NexZhu See the discussion here, this seems to be a fixed issue on Kanidm's side: https://github.com/kanidm/kanidm/discussions/2058
Though I do agree that Gitea's error message could do with refinement to indicate the actual problem.
The issue is that Kanidm was incorrectly returning a response without a correct content type header (for anyone who wants to know the answer without having to dig through all the issues/code). This is resolved in our devel images, aka rc.14. Sorry about the issues you had here @NexZhu :(
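An added example (not code from Gitea, goth or Kanidm) showing how a token reply that does contain access_token can still produce this error: it approximates the Content-Type switch in golang.org/x/oauth2's token parser, and the JSON body and token values are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"mime"
	"net/url"
)

// TokenResponse holds the fields a client reads from a token endpoint reply.
type TokenResponse struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
}

// ParseTokenResponse approximates the Content-Type switch in golang.org/x/oauth2
// (written for this example, not the library's code): a form or text/plain media
// type is parsed as form data; anything else, including no header, as JSON.
func ParseTokenResponse(contentType string, body []byte) (*TokenResponse, error) {
	media, _, _ := mime.ParseMediaType(contentType)
	var tok TokenResponse
	switch media {
	case "application/x-www-form-urlencoded", "text/plain":
		vals, err := url.ParseQuery(string(body))
		if err != nil {
			return nil, err
		}
		tok = TokenResponse{
			AccessToken:  vals.Get("access_token"),
			RefreshToken: vals.Get("refresh_token"),
		}
	default:
		if err := json.Unmarshal(body, &tok); err != nil {
			return nil, err
		}
	}
	// A JSON body served under a form/text media type lands here: the field was never read.
	if tok.AccessToken == "" {
		return nil, errors.New("oauth2: server response missing access_token")
	}
	return &tok, nil
}

func main() {
	// Constructed sample reply; the same JSON body under three Content-Type values.
	body := []byte(`{"access_token":"at-example","refresh_token":"rt-example"}`)
	for _, ct := range []string{"application/json", "", "text/plain; charset=utf-8"} {
		_, err := ParseTokenResponse(ct, body)
		fmt.Printf("Content-Type %q -> err=%v\n", ct, err)
	}
}
```

Capturing the provider's token-endpoint reply with a debugging proxy and checking its Content-Type against the body format is the quickest way to tell this case apart from a genuinely empty token reply.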
I have the same issue: on my first run to connect with GitHub I get web/auth/oauth.go:937:SignInOAuthCallback() [E] UserSignIn: could not find a matching session for this request. Then I go back to login and try once more, and it works.
Reproduced on different users.
This bug has been there for years; I'm only reporting it now.
@wxiaoguang should I open a new issue for GitHub?
I also have DISABLE_REGISTRATION: true
If it is a different problem, feel free to open a new issue with a reproducible setup (ideally by a docker compose with detailed steps), then if some people have time, they would take a look.
I believe we are running into the same issue with OIDC on Gitea 1.21.7. In our case, we are authenticating against an Azure B2C tenant with a custom user flow. After we authenticate in the tenant, it redirects to the Gitea callback and gives us error 500.
I stood up a dummy authentik docker to test this Gitea OIDC with and it works fine in the same instance. Something specific to the Azure B2C is causing the problem.
2024/03/06 02:46:35 ...rs/web/auth/oauth.go:937:SignInOAuthCallback() [E] UserSignIn: oauth2: server response missing access_token
2024/03/06 02:46:35 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/oauth2/azureb2c/callback?state=767d0f86-c4ef-4012-a7f3-8049791c792f&code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMCIsInppcCI6IkRlZmxhdGUiLCJzZXIiOiIxLjAifQ..OUaJNMESA7glOvJ3.g_59tvq-jd_9dW-O5YEtm5lcD-K4Pne6BETJMd7cXVB0_uSLYVAEsgAr7e-CmJ0ImfS2hkTVf_sGqyj2WunK2CugpZGNgWG2WZcjkrAi2G8dVy-rOrRgO3UKwN35uI-LZTJ8F0SX8xdmv6ML_iPzD50bZzDxLtMFDU3u5Uo4BVLXqFxHyvYf4kZ2hNkT1Fs1YgitHUhGbmhN9HMEsA2cEplKYVrsAWl6KpH0-mDbIL6ENuir78Cg1-0ya23DXZpTO9vbBtOGhcHWUIBbXOrgBUaQQM0kdRo0voOqBVRY6uSZMLkDKLkBAHijffBkH4eA6TjnxBuJCvMiExpLniJriiTkHjE2wyjzG0KNNEosBZhxzdiw5P1ve3XaLyJTjj3__6viD6TJmXt3XPL1-k4_vXabsvfolXHwvL77Ra15nx0OS9I8Ibxjl9EjmI1a4rlh04lEG0PbxglhXj9w0C1MKAq46XEN.f4nXicml_eHJ8BKwMOYp6w for 10.244.2.142:47874, 500 Internal Server Error in 642.6ms @ auth/oauth.go:886(auth.SignInOAuthCallback)
Setup in Gitea authentication:
Description
Hi, I'm trying to use Kanidm as the OIDC authentication source for Gitea. It used to work with the previous version of Gitea (I forgot the version); I've since upgraded Gitea to the latest v1.20.2, and now, after redirecting back to /usr/oauth2/Kanidm/callback, the page shows 500 and Gitea's error log says:
Which is strange, because on the Kanidm side there's no error, and I've logged the HTTP response with a debug reverse proxy in the middle, and access_token clearly exists:
I have not renamed the OAuth2 application. It used to work with an older version of Gitea, so I think the OIDC provider is fine; could this be a bug in the latest version?
Gitea Version
1.20.2
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
No response
Screenshots
No response
Git Version
No response
Operating System
K8s
How are you running Gitea?
K8s with the official Helm chart
Database
PostgreSQL