<SOLVED> New install of Gitea/Drone - unable to auth into Gitea

Installing Gitea and Drone as docker containers on a test system. This playbook has been working, but something new has happened … From the Drone Welcome screen any attempt at auth into Gitea results in an invalid_request coming back.

Gitea is set up with a default admin user droneadmin, the oauth2 application is created and the client_id and client_secret are stored in an .env file for docker to read as it all starts up (via systemd). The ExecStart looks like this

ExecStart=/usr/bin/docker run --rm --name drone \
    -e TZ=America/New_York \
    --env-file "/stuff/gitea/drone/drone.env" \
    --env-file "/stuff/gitea/gitea/admin.tokens" \
    -p 3001:80 \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v /stuff/gitea/drone:/data \
    drone/drone:latest

and the drone.env and admin_tokens looks like this

DRONE_DEBUG=true
DRONE_NETWORK=git

DRONE_LOGS_PRETTY=true
DRONE_LOGS_COLOR=true
DRONE_LOGS_DEBUG=true

DRONE_RPC_SECRET=FcDF5Dxxxxx
# These two for drone-runner and drone-runner--exec
DRONE_RPC_PROTO=http
DRONE_RPC_HOST=xeon.local:3001

DRONE_GITEA_SERVER=http://xeon.local:3000
DRONE_SERVER_PROTO=http
DRONE_SERVER_HOST=xeon.local:3001
DRONE_USER_CREATE=username:droneadmin,admin:true,token:cABb973xxxx
# Can also specify token by adding ",token:<32-char-token>"

DRONE_TOKEN=cABb973xxxx

GITEA_DRONE_TOKEN=0e8dd38d1b22af22fcdfaxxxxxxx
DRONE_GITEA_CLIENT_ID=17408453-6795-4410-89d3-84584fcfea16
DRONE_GITEA_CLIENT_SECRET=gto_nb6h6ngsq2q4tasisxxxxxx

With DRONE_LOGS_DEBUG enabled, a sample docker logs drone --follow results in this

{
  "level": "error",
  "msg": "oauth: authorization error: invalid_request",
  "time": "2022-11-22T18:05:33-05:00"
}
{
  "level": "debug",
  "msg": "cannot authenticate user: invalid_request",
  "time": "2022-11-22T18:05:33-05:00"
}
{
  "fields.time": "2022-11-22T18:05:33-05:00",
  "latency": 181364,
  "level": "debug",
  "method": "GET",
  "msg": "",
  "remote": "192.168.2.103:41190",
  "request": "/login?error=invalid_request\u0026error_description=PKCE+is+required+for+public+clients\u0026state=4d65822107fcfd52",
  "request-id": "2HvGqOVecPyuBmZTzbhuVFTY1LX",
  "time": "2022-11-22T18:05:33-05:00"
}
{
  "fields.time": "2022-11-22T18:05:33-05:00",
  "latency": 42226,
  "level": "debug",
  "method": "GET",
  "msg": "",
  "remote": "192.168.2.103:41190",
  "request": "/login/error?message=invalid_request",
  "request-id": "2HvGqQ8HgZC65e6l96pVLMr6NBs",
  "time": "2022-11-22T18:05:33-05:00"
}
{
  "level": "debug",
  "msg": "api: authentication required",
  "request-id": "2HvGqQe4HR9Fs3YYIxqVWMpFExR",
  "time": "2022-11-22T18:05:33-05:00"
}
{
  "level": "debug",
  "msg": "api: guest access",
  "request-id": "2HvGqQe4HR9Fs3YYIxqVWMpFExR",
  "time": "2022-11-22T18:05:33-05:00"
}

The associated Gitea logs are

2022/11/22 18:05:26 [637d55b6] router: completed GET /login/oauth/authorize?client_id=17408453-6795-4410-89d3-84584fcfea16&redirect_uri=http%3A%2F%2Fxeon.local%3A3001%2Flogin&response_type=code&state=4d65822107fcfd52 for 192.168.2.103:38950, 303 See Other in 0.2ms @ context/auth.go:28(context.Toggle)
2022/11/22 18:05:26 [637d55b6-2] router: completed GET /user/login for 192.168.2.103:38950, 200 OK in 3.0ms @ auth/auth.go:152(auth.SignIn)
2022/11/22 18:05:33 [637d55bd] router: completed POST /user/login for 192.168.2.103:38950, 303 See Other in 35.8ms @ auth/auth.go:177(auth.SignInPost)
2022/11/22 18:05:33 [637d55bd-2] router: completed GET /login/oauth/authorize?client_id=17408453-6795-4410-89d3-84584fcfea16&redirect_uri=http%3A%2F%2Fxeon.local%3A3001%2Flogin&response_type=code&state=4d65822107fcfd52 for 192.168.2.103:38950, 303 See Other in 2.0ms @ auth/oauth.go:361(auth.AuthorizeOAuth)

The Drone error msg "request": "/login?error=invalid_request\u0026error_description=PKCE+is+required+for+public+clients\u0026state=4d65822107fcfd52", is interesting …

This happens for all variations in a clean system, starting from the Drone Welcome screen - all immediately back to the invalid_request

• Only droneadmin user exists in Gitea and Drone, click Continue on Welcome screen, log into Gitea as droneadmin
• New user registered in Gitea (not Drone), log out of Gitea, click Continue on Welcome screen, log into Gitea as that new user
• New user registered in Gitea (not Drone), stay logged in, click Continue on Welcome screen
• New user upgraded to Admin in Gitea
• New user created in Drone via drone user add --admin newuser to match user in Gitea

Just regenerated the Oauth2 DRONE_GITEA_CLIENT_SECRET in Gitea for the newuser, updated the value in the drone.env, restart the Drone container.

Same problem happening

Possibly more information ? On a bare fresh install of gitea/drone, using the drone cmdline to get info drone info shows a couple of duplicate proto lines

half@xeon:/stuff/gitea$ cat /stuff/gitea/drone/drone_cmdline.env

# Used for drone cmdline access
export DRONE_TOKEN=17Ac4fb4Bcb4a58ccf8aE6e27C1bB65C
export DRONE_SERVER=http://xeon.local:3001

# Usage:
# source /stuff/gitea/drone/drone_cmdline.env
# drone info

half@xeon:/stuff/gitea$ source /stuff/gitea/drone/drone_cmdline.env
half@xeon:/stuff/gitea$ drone info
2022/11/23 09:53:18 proto: duplicate proto type registered: PluginSpec
2022/11/23 09:53:18 proto: duplicate proto type registered: PluginPrivilege
User: droneadmin
Email:

Also, when I compare the fresh install on xeon.local to a currently working install on another system (identical setup) I notice these differences in the /stuff/gitea/gitea/conf/app.ini file

• [security] section is missing the SECRET_KEY and INTERNAL_TOKEN items
• [oauth2 section is missing the JWT_SECRET item

How are those generated ?

SOLVED

The problem was that the oauth2 application being generated in Gitea (via api) was not marked as a confidential one. Simply had to add

"confidential_client": true

To the body json in the api call

Hey @Halfwalker, that’s amazing glad you were able to solve the issue and thanks for sharing the update.Do let us know if there are any other issue you are facing or have any query about the product! Thanks