Pipelines: Fail to get accesstoken with oauth config

[steebchen]

I can't set up pipelines with Github:

Fail to get accesstoken with oauth config

I tried to remove and re-add Github config. It works fine to authenticate me as a user but not for pipelines.

Rancher logs aren't helpful:

2019/04/27 19:16:01 [ERROR] Unknown error: Fail to get accesstoken with oauth config

---

Useful	Info
Versions	Rancher v2.2.2 UI: v2.2.41
Route	global-admin.clusters.index

[gitlawr]

The error indicates that Github returns an empty access token. Is it a private Github install? It might be a configuration issue. FYI, here is a similar discussion about that in https://github.com/drone/drone/issues/1435.

[RobbinHabermehl]

We're experiencing this as well, the Rancher version is 2.2.3 though. In this case it's not a private GitHub @gitlawr.

[steebchen]

@gitlawr It worked fine before, and somehow stopped working with the same install (Github login keeps working fine). It's a private Github install but I wouldn't know what could be configured wrong.

[RobbinHabermehl]

It might be worth adding that authentication works fine in our case as well.

[gitlawr]

Do you recall any change before it breaks? Single mode or HA Rancher? Is there anything special in the install like a proxy, firewall between users and the rancher server? Might not be relevant but trying to find a way to reproduce it

[steebchen]

Sadly I don't, afaik I didn't change anything. Single mode. I do have a CDN in front of the rancher server (edge TLS served by the CDN, CDN and the origin (rancher) is protected with TLS) if that is relevant.

[RobbinHabermehl]

Regarding the firewall; I've tried it on three networks thus far and one of those doesn't have a firewall, but it fails on all networks. There's no proxy, CDN, load balancer or whatever either.

Mentioning the word "proxy" I came up with using Charles to analyze the HTTP calls, perhaps that will help finding the cause.

:method | POST
:scheme | https
:path   | /v3/project/[id]/githubPipelineConfigs/p-dhhsg:github?action=testAndApply

{
    "code": "[code]",
    "clientId": "",
    "clientSecret": "",
    "redirectUrl": "https://rancher.domain.ext/verify-auth",
    "inheritAuth": true,
    "hostname": "github.com"
}

As you can see, the clientId and clientSecret are empty indeed.

GitHub is being opened in the pop-up with the following URL:

:method | GET
:scheme | https
:path   | /login/oauth/authorize?client_id=[id]&response_type=code&scope=repo+admin%3Arepo_hook&state=[number]&redirect_uri=https%3A%2F%2Francher.domain.ext%2Fverify-auth

Update: I tried recreating the request using Postman, but then with the correct clientId and clientSecret hoping this would work. Unfortunately it didn't though, the same error was returned:

{
    "baseType": "error",
    "code": "ServerError",
    "message": "Fail to get accesstoken with oauth config",
    "status": 500,
    "type": "error"
}

Update 2: There's the possibility to "Use another OAuth application" on this screen. After choosing this option and entering the same client ID and secret it did work!

[gitlawr]

Thanks for the details. Confirmed as a regression bug that can be reproduced in v2.2.3 by following steps:

1. Enable Github as the global authentication provider.
2. Go to project pipeline page click Authenticate

The workaround is to click Use another OAuth Application, then input the client ID/secret of your OAuth app explicitly as @RobbinHabermehl suggested.

[excieve]

Still happens on 2.3.3 with a slightly different error:

oauth2: server response missing access_token

[tomoki1337]

also running into this with HA 2.3.3 and gitlab, it used to work before.

TestAndApply Error
Fail to get accesstoken with oauth config

Use another OAuth Application worked for github.

[acastellvi]

it happens too on gitlab

Is there any workarround on that for gitlab users?

2020/01/29 10:50:37 [ERROR] Unknown error: Fail to get accesstoken with oauth config

[slei99]

just tried for gitlab with rancher 2.2.10 and it fails too. verified the payload in the post request on "authenticate" button click and it contains the proper values for appid and secret as I dont use github as auth provider there is no "use another OAuth Application" option. It is already "another" Oauth application as I configure it directly

[bsteverink]

Same here, tried to setup a pipeline using Gitlab as the version control provider but cannot get Rancher to authenticate. Get "Fail to get accesstoken with oauth config" message. Have tried using different scopes for the application in Gitlab but that has not resolved it. I host rancher behind a reverse proxy with SSL termination.

[Dylan-DutchAndBold]

Same issue here with a fresh install of rancher and trying to authenticate to the gitlab cloud version.

[alex-shumilov]

Sign me up, I am having the same issue with GitLab. It has appeared right out of blue. Anybody aware of any changes to GitLab OAuth2? My brain has melted down thinking of the way to sniff the service for exact http request & response.

[hadifarnoud]

I get this error with Gitlab.com

TestAndApply Error
Fail to get accesstoken with oauth config

[zgc]

I get this error with Gitlab.com

TestAndApply Error
Fail to get accesstoken with oauth config

+1

[zgc]

it happens too on gitlab

Is there any workarround on that for gitlab users?

2020/01/29 10:50:37 [ERROR] Unknown error: Fail to get accesstoken with oauth config

https://github.com/rancher/rancher/issues/25657#issuecomment-597410043

[gitlawr]

Gitlab related issue is different from the original post, I think we should track it in a separate issue: https://github.com/rancher/rancher/issues/25975

Please see the description, cause and possible workaround there.

[MichaelChen666]

me too, i look at the source code, may be the field 'globalConfig.ClientSecret' in func of testAndApply is not correct, the value is not correct 'github client secret' but the name (cattle-global-data:githubconfig-clientsecret) of secret of 'github client secret'.