When Chronograf calls back to GitLab, it receives the following response: The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.
Here’s my environment:
GENERIC_CLIENT_ID=be052001f57be14542bd64ea5083ae2fe39290b6cf24407f828711d1f9aff0e4
GENERIC_CLIENT_SECRET=xxxx
GENERIC_AUTH_URL=https://gitlab.example.com/oauth/authorize?redirect_uri=https%3A%2F%2Ftick.example.com%2Foauth%2Fgitlab%2Fcallback%26response_type%3Dcode
GENERIC_TOKEN_URL=https://gitlab.example.com/oauth/token?redirect_uri=https%3A%2F%2Ftick.example.com%2Foauth%2Fgitlab%2Fcallback%26grant_type%3Dauthorization_code
PUBLIC_URL=https://tick.example.com
TOKEN_SECRET=mysupersecret
GENERIC_SCOPES=read_user
GENERIC_NAME=gitlab
Attached is screenshot from GitLab. I did a Tcpdump on the gitlab side, it appears Chronograf is calling back to GitLab alright, but GitLab don’t like it.
Both GitLab and Chronograf are on seperate VMs. The have haproxy running locally to terminate TLS.
Does anyone have this currently working? I’d love to see your config
Hi exabrial, I don’t know too much about GitLab Oauth, but here’s what i set in order to get it to work:
# GitLab OAuth
export GENERIC_NAME="gitlab"
export GENERIC_CLIENT_ID="<from gitlab>"
export GENERIC_CLIENT_SECRET="<from gitlab>"
export GENERIC_AUTH_URL="https://gitlab.com/oauth/authorize"
export GENERIC_TOKEN_URL="https://gitlab.com/oauth/token"
export TOKEN_SECRET=nothingtoseehere
export GENERIC_SCOPES="api,openid,read_user"
export PUBLIC_URL="http://localhost:8888"
export GENERIC_API_URL="https://gitlab.com/api/v3/user"
And then in my app, i set the callback url to be: http://localhost:8888/oauth/gitlab/callback
That was working on the latest build from master. I think you are missing the GENERIC_API_URL
and potentially some of the GENERIC_SCOPES
.
Thanks,
Russ
1 Like
Hey Russ thanks for the reply! That did the trick. It looks like the Documentation needs a few updates. I was also able to cut the scopes down to “openid,read_user” which is probably a little more secure.