
Login via Gitlab fails with insufficient_scope


Details

    Description

      Since this morning our Jenkins users are unable to access it, seeing an "Oops! A problem occurred while processing the request." page. Inspecting the logs shows this error message:

      2020-08-27 15:24:11.091+0000 [id=62]    WARNING h.i.i.InstallUncaughtExceptionHandler#handleException: Caught unhandled exception with ID 9ed2da46-1473-4140-b497-132bdbaee706
      java.io.IOException: Server returned HTTP response code: 403 for URL: https://gitlab.com/api/v4/groups?per_page=100
              at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1900)
              at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498)
              at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:268)
              at org.gitlab.api.http.GitlabHTTPRequestor.parse(GitlabHTTPRequestor.java:387)
              at org.gitlab.api.http.GitlabHTTPRequestor.access$200(GitlabHTTPRequestor.java:35)
              at org.gitlab.api.http.GitlabHTTPRequestor$1.fetch(GitlabHTTPRequestor.java:256)
      Caused: org.gitlab.api.GitlabAPIException: {"error":"insufficient_scope","error_description":"The request requires higher privileges than provided by the access token.","scope":"api read_api"}
              at org.gitlab.api.http.GitlabHTTPRequestor.handleAPIError(GitlabHTTPRequestor.java:432)
              at org.gitlab.api.http.GitlabHTTPRequestor.access$300(GitlabHTTPRequestor.java:35)
              at org.gitlab.api.http.GitlabHTTPRequestor$1.fetch(GitlabHTTPRequestor.java:260)
      ...
      

      The Jenkins application had been configured a long time ago according to instructions.

      I tried removing the application and configuring it from scratch (and then updating the tokens in Jenkins' config.xml). Currently it has the following scopes:

      • read_user
      • api
      • read_api
      • openid

      What I'm noticing is that the first time after adding the application and accessing Jenkins I'm taken to a Gitlab page that asks to authorize Jenkins, and it lists only one permission - "Read the authenticated user's personal information". After clicking authorize I'm taken back to the aforementioned Jenkins error page. On Gitlab's Applications page I can see Jenkins with only the `read_user` scope. I can also see the number of clients incrementing next to the application name every time a new user tries to access Jenkins.

      Additional potentially relevant details:

      1. Our team is using Gitlab.com, not a self-hosted installation, so there's no Admin section that's mentioned in the docs. However, being a group admin, I'm able to add the application via Settings. I believe this is how I originally configured it a couple of years ago.
      2. When setting up the application, if I only give it the `api` scope as suggested in the plugin docs, the Gitlab "authorize" page doesn't list any permissions for the application, and clicking Authorize results in Jenkins being added with no scopes (similar to [this bug|https://gitlab.com/gitlab-org/gitlab/-/issues/230886], except it's the reverse situation - adding `api` doesn't seem to imply `read_user`). It does seem that `read_user` is a required scope (or the plugin incorrectly requests scopes from Gitlab?).


        Activity

          dskrvk Dmitry Erastov added a comment (edited)

          It looks like the root cause of this is a malformed Gitlab authorize URL that lacks the scope parameter (so read_user is granted by default). If I manually append &scope=api Jenkins gets the api scope, and the issue is fixed.

          Ref: https://docs.gitlab.com/ee/api/oauth2.html#web-application-flow

          dskrvk Dmitry Erastov added a comment - Fix merged: https://github.com/jenkinsci/gitlab-oauth-plugin/commit/45838752c9299a90465254b279c9b5063ff7e243
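The failure mode described in this issue (an authorize URL without a `scope` parameter, so GitLab grants only `read_user` and the later `/api/v4/groups` call returns 403 `insufficient_scope`) can be reproduced and checked offline. The following is an added example, not code from the issue or from the gitlab-oauth-plugin: it builds a GitLab web-application-flow authorize URL with an explicit `scope`, flags a URL that lacks it (or lacks `state`), and parses the `scope` field out of an `insufficient_scope` error body. Endpoint and parameter names follow the GitLab OAuth2 docs linked in the comment above; the client id, redirect URI, and the error body are constructed placeholders.

```python
"""Build and sanity-check a GitLab OAuth2 authorize URL (web application flow).

Added example; not part of the Jenkins issue or the gitlab-oauth-plugin.
Endpoint and parameter names follow
https://docs.gitlab.com/ee/api/oauth2.html#web-application-flow.
Client id, redirect URI and sample error body are constructed placeholders.
"""
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Scopes GitLab names in the 403 body from the issue ("scope":"api read_api").
# Either one is enough for the read-only /api/v4/groups call.
ACCEPTABLE_API_SCOPES = {"api", "read_api"}

# What the issue observed when the authorize request carried no scope
# parameter: the application ends up with read_user only.
DEFAULT_SCOPE_WITHOUT_PARAM = "read_user"


def build_authorize_url(gitlab_url, client_id, redirect_uri, scopes, state):
    """Return an authorize URL that explicitly requests `scopes` (space-separated)."""
    if not scopes:
        raise ValueError("scopes must not be empty; GitLab would fall back to read_user")
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,
        "scope": " ".join(scopes),
    }
    return f"{gitlab_url.rstrip('/')}/oauth/authorize?{urlencode(params)}"


def effective_scopes(authorize_url):
    """Scopes GitLab will grant for this URL: the scope param, or read_user if absent."""
    query = parse_qs(urlparse(authorize_url).query)
    raw = query.get("scope", [""])[0].strip()
    return set(raw.split()) if raw else {DEFAULT_SCOPE_WITHOUT_PARAM}


def check_authorize_url(authorize_url):
    """Return the problems a reviewer would flag on this authorize URL (empty if none)."""
    query = parse_qs(urlparse(authorize_url).query)
    problems = []
    if "scope" not in query:
        problems.append("missing scope parameter: GitLab grants only read_user")
    elif not (effective_scopes(authorize_url) & ACCEPTABLE_API_SCOPES):
        problems.append("scope does not include api or read_api: /api/v4/groups will 403")
    if not query.get("state", [""])[0]:
        problems.append("missing state parameter: callback is not bound to this login attempt")
    if query.get("response_type", [""])[0] != "code":
        problems.append("response_type should be 'code' for the web application flow")
    return problems


def required_scopes_from_error(body):
    """Extract the scope list GitLab names in an insufficient_scope error body."""
    data = json.loads(body)
    if data.get("error") != "insufficient_scope":
        return set()
    return set(data.get("scope", "").split())


# Constructed error body with the same shape as the one in the issue's log.
SAMPLE_ERROR_BODY = (
    '{"error":"insufficient_scope","error_description":'
    '"The request requires higher privileges than provided by the access token.",'
    '"scope":"api read_api"}'
)

if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    # Placeholder redirect URI; the real one is whatever Jenkins registered with GitLab.
    callback = "https://jenkins.example/oauth-callback"
    # Authorize URL of the kind the issue describes: no scope parameter at all.
    broken = ("https://gitlab.com/oauth/authorize?client_id=APP_ID"
              "&redirect_uri=https%3A%2F%2Fjenkins.example%2Foauth-callback"
              "&response_type=code&state=" + state)
    fixed = build_authorize_url("https://gitlab.com", "APP_ID", callback, ["api"], state)
    print("broken:", check_authorize_url(broken))
    print("fixed: ", check_authorize_url(fixed))
    print("scopes the 403 body asks for:", required_scopes_from_error(SAMPLE_ERROR_BODY))
```

The `state` check is included because an authorize URL that omits it lets the callback be replayed or swapped between login attempts; the scope check alone would have caught this issue, but a reviewer looking at the plugin's URL construction would want both.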

          People

            elhabib_med Mohamed El Habib
            dskrvk Dmitry Erastov