
Gitlab OAUTH_CALLBACK_ERROR invalid_client

Open sgohl opened this issue 6 months ago • 12 comments

Describe the bug

After a successful login to GitLab, the redirect to Phase results in error=OAuthCallback / invalid_client

To Reproduce

  • fresh setup with docker compose using https://docs.phase.dev/self-hosting/docker-compose#2-download-the-configurations
  • gitlab as sso (self-hosted, v17.2.1)
  • external loadbalancer (traefik) -> https(ignore self-signed; pass_host_header=true) -> docker:nginx:443

HOST=pass.myacme.corp
HTTP_PROTOCOL=https://
SSO_PROVIDERS=gitlab
GITLAB_CLIENT_ID=e8d0df22dbe15xxxxxxxxxxxxxxxxxxx485aeeec2fcb1bd718ea
GITLAB_CLIENT_SECRET=gloas-2ff8a719c54xxxxxxxxxxxxxxxxxxd86c13b6336a61fd06796e1
GITLAB_AUTH_URL=https://gitlab.myacme.corp

Gitlab (Admin area/instance-wide) Application:

  • Redirect URI: https://phase.myacme.corp/api/auth/callback/gitlab
  • Trusted [ ✔ ]
  • Confidential [ ] (with or without; not working)
  • read_user [ ✔ ]

  1. Open Phase Login page
  2. Click on 'Login with GitLab'
  3. Be redirected to GitLab -> Login -> successful
  4. Be redirected back to Phase -> shows same Login page with URL https://phase.myacme.corp/login?callbackUrl=https%3A%2F%phase.myacme.corp%2F&error=OAuthCallback

docker compose logs -f

phase-nginx     | 192.168.55.197 - - [31/Jul/2024:16:20:09 +0000] "GET / HTTP/2.0" 307 32 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0" "10.242.2.57"
phase-nginx     | 192.168.55.197 - - [31/Jul/2024:16:20:10 +0000] "GET /api/auth/signin?callbackUrl=%2F HTTP/2.0" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0" "10.242.2.57"
phase-nginx     | 192.168.55.197 - - [31/Jul/2024:16:20:10 +0000] "GET /login?callbackUrl=https%3A%2F%2Fphase.myacme.corp%2F HTTP/2.0" 200 3647 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0" "10.242.2.57"

## --- LOGIN HERE -- ##

phase-nginx     | 192.168.55.197 - - [31/Jul/2024:16:08:58 +0000] "POST /api/auth/signin/gitlab HTTP/2.0" 200 383 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0" "10.242.2.57"
phase-frontend  | [next-auth][error][OAUTH_CALLBACK_ERROR] 
phase-frontend  | https://next-auth.js.org/errors#oauth_callback_error invalid_client (Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method.) {
phase-frontend  |   error: OPError: invalid_client (Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method.)
phase-frontend  |       at processResponse (/app/node_modules/openid-client/lib/helpers/process_response.js:38:13)
phase-frontend  |       at Client.grant (/app/node_modules/openid-client/lib/client.js:1327:22)
phase-frontend  |       at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
phase-frontend  |       at async Client.oauthCallback (/app/node_modules/openid-client/lib/client.js:603:24)
phase-frontend  |       at async oAuthCallback (/app/node_modules/next-auth/core/lib/oauth/callback.js:111:16)
phase-frontend  |       at async Object.callback (/app/node_modules/next-auth/core/routes/callback.js:52:11)
phase-frontend  |       at async AuthHandler (/app/node_modules/next-auth/core/index.js:208:28)
phase-frontend  |       at async NextAuthApiHandler (/app/node_modules/next-auth/next/index.js:22:19)
phase-frontend  |       at async K (/app/node_modules/next/dist/compiled/next-server/pages-api.runtime.prod.js:20:16853)
phase-frontend  |       at async U.render (/app/node_modules/next/dist/compiled/next-server/pages-api.runtime.prod.js:20:17492) {
phase-frontend  |     name: 'OAuthCallbackError',
phase-frontend  |     code: undefined
phase-frontend  |   },
phase-frontend  |   providerId: 'gitlab',
phase-frontend  |   message: 'invalid_client (Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method.)'
phase-frontend  | }
phase-nginx     | 192.168.55.197 - - [31/Jul/2024:16:08:59 +0000] "GET /api/auth/callback/gitlab?code=3161d2622ef1f66162089127d940912537feb186e7800c898d4348566874f430&state=LpaRDSWebzSDKQt2_EWU7yB9OWHYLVHr6JZZSnW5fGQ HTTP/2.0" 302 0 "https://gitlab.myacme.corp/" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0" "10.242.2.57"
phase-nginx     | 192.168.55.197 - - [31/Jul/2024:16:18:57 +0000] "GET /api/auth/error?error=OAuthCallback HTTP/2.0" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0" "10.242.2.57"
phase-nginx     | 192.168.55.197 - - [31/Jul/2024:16:18:57 +0000] "GET /api/auth/signin?error=OAuthCallback HTTP/2.0" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0" "10.242.2.57"
phase-nginx     | 192.168.55.197 - - [31/Jul/2024:16:18:58 +0000] "GET /login?callbackUrl=https%3A%2F%2Fphase.myacme.corp%2F&error=OAuthCallback HTTP/2.0" 200 3647 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0" "10.242.2.57"

Expected behavior

Successful Login

Platform you are having the issue on:

docker version 24.0.5

Additional context

I assume this is not an actual bug, but if it's a configuration issue, I don't know what I've done wrong. The documentation might lack some important information.

sgohl, Jul 31 '24 16:07
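
A log excerpt like the one in this report carries the OAuth authorization `code` and `state` in the nginx access line, next to the next-auth error that names the failure. The following is an added example, not part of the original issue or the Phase project: it extracts the error type, OAuth error code and provider from such output and redacts the sensitive values before the log is shared. The function names `redact` and `findOAuthErrors` are hypothetical, and `SAMPLE_LOG` is constructed with placeholder values.

```javascript
// Added example: triage and sanitize `docker compose logs` output like the excerpt above.
// SAMPLE_LOG is constructed for this example; code, state and secret are placeholders.
const SAMPLE_LOG = [
  'phase-frontend  | [next-auth][error][OAUTH_CALLBACK_ERROR] ',
  'phase-frontend  | https://next-auth.js.org/errors#oauth_callback_error invalid_client (Client authentication failed ...) {',
  "phase-frontend  |   providerId: 'gitlab',",
  'phase-frontend  | }',
  'phase-nginx     | 192.0.2.10 - - [31/Jul/2024:16:08:59 +0000] "GET /api/auth/callback/gitlab?code=PLACEHOLDERCODE&state=PLACEHOLDERSTATE HTTP/2.0" 302 0 "-" "UA" "-"',
  'GITLAB_CLIENT_SECRET=gloas-PLACEHOLDERSECRET',
].join('\n');

// Values that should not be pasted into a public issue: the authorization code and
// state from the callback URL, and any *_CLIENT_SECRET assignment.
function redact(text) {
  return text
    .replace(/([?&](?:code|state)=)[^&\s"]+/g, '$1[REDACTED]')
    .replace(/^(\s*\w*CLIENT_SECRET=).+$/gm, '$1[REDACTED]');
}

// Collect each next-auth error: its type, the OAuth error code returned by the
// token endpoint (RFC 6749 section 5.2), and the provider it belongs to.
function findOAuthErrors(text) {
  const lines = text.split('\n');
  const errors = [];
  lines.forEach((line, i) => {
    const head = line.match(/\[next-auth\]\[error\]\[([A-Z_]+)\]/);
    if (!head) return;
    const entry = { type: head[1], oauthError: null, provider: null };
    // Scan up to 30 following lines, stopping at the next error header.
    for (const next of lines.slice(i + 1, i + 30)) {
      if (/\[next-auth\]\[error\]/.test(next)) break;
      const code = next.match(/errors#\w+\s+([a-z_]+)\s*\(/);
      if (code && !entry.oauthError) entry.oauthError = code[1];
      const prov = next.match(/providerId:\s*'([^']+)'/);
      if (prov) entry.provider = prov[1];
    }
    errors.push(entry);
  });
  return errors;
}

console.log(findOAuthErrors(SAMPLE_LOG));
console.log(redact(SAMPLE_LOG));
```

An `invalid_client` result here comes from the token request (the `Client.grant` frame in the stack trace), so the values to compare against the GitLab application are the client ID and secret, not the browser-side redirect.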