go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License

First authorization via OAUTH fails #31470

Open Remmert-PBE opened 4 days ago

Remmert-PBE commented 4 days ago

Description

The first authorization attempt after some hours fails, while the second one directly afterwards succeeds:

== 1. try ==
git.exe push --progress  -- "origin" master:master
remote: Verify
fatal: Authentication failed for 'https://git.company.intern/Organization/Product.git/'

git did not exit cleanly (exit code 128) (3687 ms @ 12.06.2024 14:38:16)

== 2. try ==
git.exe push --progress  -- "origin" master:master
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 20 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 1.03 KiB | 1.03 MiB/s, done.
Total 3 (delta 2), reused 0 (delta 0), pack-reused 0 (from 0)
remote: . Processing 1 references
remote: Processed 1 references in total
To https://git.company.intern/Organization/Product.git
11111111..111111 master -> master

Success (6407 ms @ 12.06.2024 14:38:34)

The gitea logfile shows that it tries to log in with the user "OAUTH_USER" to our LDAP server, as it is saved by the Git Credential Manager (see attached screenshot):

2024/06/24 07:53:04 ...eb/routing/logger.go:102:func1() [I] router: completed GET /Organization/Product.git/info/refs?service=git-receive-pack for 192.168.0.10:0, 401 Unauthorized in 4.9ms @ repo/githttp.go:532(repo.GetInfoRefs)
2024/06/24 07:53:08 ...dap/source_search.go:95:findUserDN() [D] Failed search using filter[(&(objectCategory=Person)(|(memberOf=CN=git-developer,OU=Securitygroups,OU=Location,DC=company,DC=intern)(memberOf=CN=git-admin,OU=Securitygroups,OU=Location,DC=company,DC=intern)(memberOf=CN=git-service,OU=Securitygroups,OU=Location,DC=company,DC=intern))(sAMAccountName=OAUTH_USER)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))]: <nil>
2024/06/24 07:53:08 ...vices/auth/signin.go:114:UserSignIn() [D] Failed to login 'OAUTH_USER' via 'CompanyAD': user does not exist [uid: 0, name: OAUTH_USER, keyid: 0]
2024/06/24 07:53:08 routers/web/web.go:123:func7() [E] Failed to verify user: user does not exist [uid: 0, name: OAUTH_USER, keyid: 0]
2024/06/24 07:53:08 ...eb/routing/logger.go:102:func1() [I] router: completed GET /Organization/Product.git/info/refs?service=git-receive-pack for 192.168.0.10:0, 401 Unauthorized in 137.8ms @ web/web.go:120(web.Routes.webAuth)
2024/06/24 07:53:08 ...dap/source_search.go:95:findUserDN() [D] Failed search using filter[(&(objectCategory=Person)(|(memberOf=CN=git-developer,OU=Securitygroups,OU=Location,DC=company,DC=intern)(memberOf=CN=git-admin,OU=Securitygroups,OU=Location,DC=company,DC=intern)(memberOf=CN=git-service,OU=Securitygroups,OU=Location,DC=company,DC=intern))(sAMAccountName=OAUTH_USER)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))]: <nil>
2024/06/24 07:53:08 ...vices/auth/signin.go:114:UserSignIn() [D] Failed to login 'OAUTH_USER' via 'CompanyAD': user does not exist [uid: 0, name: OAUTH_USER, keyid: 0]
2024/06/24 07:53:08 routers/web/web.go:123:func7() [E] Failed to verify user: user does not exist [uid: 0, name: OAUTH_USER, keyid: 0]
2024/06/24 07:53:08 ...eb/routing/logger.go:102:func1() [I] router: completed GET /Organization/Product.git/info/refs?service=git-receive-pack for 192.168.0.10:0, 401 Unauthorized in 59.1ms @ web/web.go:120(web.Routes.webAuth)

2024/06/24 07:53:11 ...eb/routing/logger.go:102:func1() [I] router: completed GET /Organization/Product.git/info/refs?service=git-receive-pack for 192.168.0.10:0, 401 Unauthorized in 1.8ms @ repo/githttp.go:532(repo.GetInfoRefs)
2024/06/24 07:53:11 ...eb/routing/logger.go:102:func1() [I] router: completed POST /login/oauth/access_token for 192.168.0.10:0, 200 OK in 23.1ms @ auth/oauth.go:618(auth.AccessTokenOAuth)
2024/06/24 07:53:11 ...dules/git/command.go:290:Run() [D] git.Command.RunDir(d:\Data\Repositories\Organization\Product.git): "C:\\Program Files\\Git\\cmd\\git.exe" -c protocol.version=2 -c credential.helper= -c filter.lfs.required= -c filter.lfs.smudge= -c filter.lfs.clean= receive-pack --stateless-rpc --advertise-refs .
2024/06/24 07:53:12 ...eb/routing/logger.go:102:func1() [I] router: completed GET /Organization/Product.git/info/refs?service=git-receive-pack for 192.168.0.10:0, 200 OK in 96.3ms @ repo/githttp.go:532(repo.GetInfoRefs)

The authorization after the initial error works for a few hours, but after a while it reappears (token becomes invalid?).

The credential settings in git are:

credential.helper=
credential.helper=C:/Users/pbe/.dotnet/tools/git-credential-manager.exe
credential.https://git.company.intern.provider=generic

Gitea Version

1.21.11

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

https://gist.github.com/Remmert-PBE/959e1e243a2d8243a757aef754571270

Screenshots

No response

Git Version

git version 2.45.2.windows.1

Operating System

Windows Server 2019 Standard

How are you running Gitea?

Running as a service on a Windows server, behind an nginx reverse proxy (configured like the example in the Gitea docs).

Database

MSSQL
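An added example, not code from the issue or from Gitea itself, that turns the log excerpt above into a check an operator can run over a Gitea log: it folds router and sign-in lines into one summary per client address and flags clients that show the sequence from the report (401 on the repository, a rejected sign-in for the username GCM sent, a fresh OAuth token grant, then a successful push). The sample lines are copied from the report's log; attributing a sign-in line to the most recent client address is an assumption, since Gitea's sign-in lines carry no address.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List
# Gitea router line: "... router: completed GET /Org/Repo.git/info/refs?... for 192.168.0.10:0, 401 Unauthorized in 4.9ms @ ..."
ROUTER_RE = re.compile(r"^\S+ \S+ .*router: completed [A-Z]+ (?P<path>\S+) for (?P<client>\S+), (?P<status>\d{3})")
# Gitea sign-in line: "... Failed to login 'OAUTH_USER' via 'CompanyAD': user does not exist ..."
LOGIN_FAIL_RE = re.compile(r"Failed to login '(?P<user>[^']+)' via '[^']+'")

@dataclass
class ClientSummary:
    unauthorized_git: int = 0          # 401s on repository (.git/) paths
    oauth_token_grants: int = 0        # 200s on /login/oauth/access_token
    recovered_after_401: bool = False  # 200 on a .git/ path once a 401 was seen
    rejected_users: Dict[str, int] = field(default_factory=dict)  # username -> failed sign-ins

def analyse(lines: Iterable[str]) -> Dict[str, ClientSummary]:
    summaries: Dict[str, ClientSummary] = {}
    last_client = None  # heuristic: sign-in lines carry no address, so attribute them to the last router client
    for line in lines:
        fail = LOGIN_FAIL_RE.search(line)
        if fail and last_client is not None:
            users = summaries[last_client].rejected_users
            users[fail["user"]] = users.get(fail["user"], 0) + 1
            continue
        req = ROUTER_RE.match(line)
        if not req:
            continue
        s = summaries.setdefault(req["client"], ClientSummary())
        last_client = req["client"]
        status, path = int(req["status"]), req["path"]
        if path.startswith("/login/oauth/access_token"):
            s.oauth_token_grants += int(status == 200)
        elif ".git/" in path:
            if status == 401:
                s.unauthorized_git += 1
            elif status == 200 and s.unauthorized_git:
                s.recovered_after_401 = True
    return summaries

def stale_token_suspects(summaries: Dict[str, ClientSummary]) -> List[str]:
    # Clients showing the issue's sequence: rejected sign-in, then an OAuth token grant, then git success.
    return sorted(c for c, s in summaries.items() if s.rejected_users and s.oauth_token_grants and s.recovered_after_401)

# Sample input: four lines copied from the issue report's log above.
SAMPLE_LOG = [
    "2024/06/24 07:53:04 ...eb/routing/logger.go:102:func1() [I] router: completed GET /Organization/Product.git/info/refs?service=git-receive-pack for 192.168.0.10:0, 401 Unauthorized in 4.9ms @ repo/githttp.go:532(repo.GetInfoRefs)",
    "2024/06/24 07:53:08 ...vices/auth/signin.go:114:UserSignIn() [D] Failed to login 'OAUTH_USER' via 'CompanyAD': user does not exist [uid: 0, name: OAUTH_USER, keyid: 0]",
    "2024/06/24 07:53:11 ...eb/routing/logger.go:102:func1() [I] router: completed POST /login/oauth/access_token for 192.168.0.10:0, 200 OK in 23.1ms @ auth/oauth.go:618(auth.AccessTokenOAuth)",
    "2024/06/24 07:53:12 ...eb/routing/logger.go:102:func1() [I] router: completed GET /Organization/Product.git/info/refs?service=git-receive-pack for 192.168.0.10:0, 200 OK in 96.3ms @ repo/githttp.go:532(repo.GetInfoRefs)",
]
```

Running `stale_token_suspects(analyse(open("gitea.log").readlines()))` over a real log lists the client addresses hitting this pattern, which is how often stale GCM tokens are being retried rather than refreshed.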

Xulunix commented 3 days ago

I noticed the same issue using a similar setup (OIDC instead of LDAP). It works if tried again but some tools check the remote periodically and ask the user to login again if authentication fails.

yp05327 commented 1 day ago

It seems that this issue is similar to #30991?

Maybe OAUTH_USER comes from here: https://github.com/git-ecosystem/git-credential-manager/blob/e124b8bb8f4a53301e0d9d947c075519f75ff222/src/shared/Core/GenericOAuthConfig.cs#L143

yp05327 commented 1 day ago

I found a related issue (maybe) in GCM: https://github.com/git-ecosystem/git-credential-manager/issues/1408

Maybe this is a problem from upstream (not directly related)?

Remmert-PBE commented 1 day ago

@yp05327 Good find, that's exactly what happens on my system. I ran a GCM_TRACE a few days back and it is similar to the one in the GCM issue. In my log the first push ends with the command `erase`, and only on the 2nd push is a new token saved.

See https://gist.github.com/Remmert-PBE/1ccecd8d82c4b19d700835bff1b3567b

Now the question is, which tool is at fault?