Chronograf / GitLab impossible to get authentication working

1

When Chronograf calls back to GitLab, it receives the following response: The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.

Here’s my environment:

GENERIC_CLIENT_ID=be052001f57be14542bd64ea5083ae2fe39290b6cf24407f828711d1f9aff0e4
GENERIC_CLIENT_SECRET=xxxx
GENERIC_AUTH_URL=https://gitlab.example.com/oauth/authorize?redirect_uri=https%3A%2F%2Ftick.example.com%2Foauth%2Fgitlab%2Fcallback%26response_type%3Dcode
GENERIC_TOKEN_URL=https://gitlab.example.com/oauth/token?redirect_uri=https%3A%2F%2Ftick.example.com%2Foauth%2Fgitlab%2Fcallback%26grant_type%3Dauthorization_code
PUBLIC_URL=https://tick.example.com
TOKEN_SECRET=mysupersecret
GENERIC_SCOPES=read_user
GENERIC_NAME=gitlab

Attached is screenshot from GitLab. I did a Tcpdump on the gitlab side, it appears Chronograf is calling back to GitLab alright, but GitLab don’t like it.

00%20AM
Screen Shot 2018-09-27 at 10.36.00 AM.png822×390 25.5 KB

2

Both GitLab and Chronograf are on seperate VMs. The have haproxy running locally to terminate TLS.

3

Does anyone have this currently working? I’d love to see your config

4

Hi exabrial, I don’t know too much about GitLab Oauth, but here’s what i set in order to get it to work:

# GitLab OAuth
export GENERIC_NAME="gitlab"
export GENERIC_CLIENT_ID="<from gitlab>"
export GENERIC_CLIENT_SECRET="<from gitlab>"
export GENERIC_AUTH_URL="https://gitlab.com/oauth/authorize"
export GENERIC_TOKEN_URL="https://gitlab.com/oauth/token"
export TOKEN_SECRET=nothingtoseehere
export GENERIC_SCOPES="api,openid,read_user"
export PUBLIC_URL="http://localhost:8888"
export GENERIC_API_URL="https://gitlab.com/api/v3/user"

And then in my app, i set the callback url to be: http://localhost:8888/oauth/gitlab/callback

That was working on the latest build from master. I think you are missing the GENERIC_API_URL and potentially some of the GENERIC_SCOPES.

Thanks,
Russ

1 Like
5

Hey Russ thanks for the reply! That did the trick. It looks like the Documentation needs a few updates. I was also able to cut the scopes down to “openid,read_user” which is probably a little more secure.