Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-63536

Login via Gitlab fails with insufficient_scope

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      Since this morning our Jenkins users are unable to access it, seeing a "Oops! A problem occurred while processing the request." page. Inspecting the logs shows this error message:

      2020-08-27 15:24:11.091+0000 [id=62]    WARNING h.i.i.InstallUncaughtExceptionHandler#handleException: Caught unhandled exception with ID 9ed2da46-1473-4140-b497-132bdbaee706
      java.io.IOException: Server returned HTTP response code: 403 for URL: https://gitlab.com/api/v4/groups?per_page=100
              at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1900)
              at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498)
              at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:268)
              at org.gitlab.api.http.GitlabHTTPRequestor.parse(GitlabHTTPRequestor.java:387)
              at org.gitlab.api.http.GitlabHTTPRequestor.access$200(GitlabHTTPRequestor.java:35)
              at org.gitlab.api.http.GitlabHTTPRequestor$1.fetch(GitlabHTTPRequestor.java:256)
      Caused: org.gitlab.api.GitlabAPIException: {"error":"insufficient_scope","error_description":"The request requires higher privileges than provided by the access token.","scope"
      :"api read_api"}
              at org.gitlab.api.http.GitlabHTTPRequestor.handleAPIError(GitlabHTTPRequestor.java:432)
              at org.gitlab.api.http.GitlabHTTPRequestor.access$300(GitlabHTTPRequestor.java:35)
              at org.gitlab.api.http.GitlabHTTPRequestor$1.fetch(GitlabHTTPRequestor.java:260)
      ...
      

      The Jenkins application had been configured a long time ago according to instructions.

      I tried removing the application and configuring it from scratch (and then updating the tokens in Jenkins' config.xml). Currently it has the following scopes:

      • read_user
      • api
      • read_api
      • openid

      What I'm noticing is that the first time after adding the application and accessing Jenkins I'm taken to a Gitlab page that asks to authorize Jenkins, and it lists only one permission - " Read the authenticated user's personal information". After clicking authorize I'm taken back to the aforementioned Jenkins error page. On Gitlab's Applications page I can see that Jenkins with the only scope of `read_user`. I can also see the number of clients incrementing next to the application name every time a new user tries to access Jenkins.

      Additional potentially relevant details:

      1. Our team is using Gitlab.com, not a self-hosted installation, so there's no Admin section that's mentioned in the docs. However, being a group admin, I'm able to add the application via Settings. I believe this is how I originally configured it a couple of years ago.
      2. When setting up the application, if I only give it the `api` scope as suggested in the plugin docs, the Gitlab "authorize" page doesn't list any permissions for the application, and clicking Authorize results in Jenkins being added with no scopes (similar to [this bug|https://gitlab.com/gitlab-org/gitlab/-/issues/230886], except it's the reverse situation - adding `api` doesn't seem to imply `read_user`). It does seem that `read_user` is a required scope (or the plugin incorrectly requests scopes from Gitlab?).

        Attachments

          Activity

          Hide
          dskrvk Dmitry Erastov added a comment - - edited

          It looks like the root cause of this is a malformed Gitlab authorize URL that lacks the scope parameter (so read_user is granted by default). If I manually append &scope=api Jenkins gets the api scope, and the issue is fixed.

          Ref: https://docs.gitlab.com/ee/api/oauth2.html#web-application-flow

          Show
          dskrvk Dmitry Erastov added a comment - - edited It looks like the root cause of this is a malformed Gitlab authorize URL that lacks the scope parameter (so read_user is granted by default). If I manually append &scope=api Jenkins gets the api scope, and the issue is fixed. Ref: https://docs.gitlab.com/ee/api/oauth2.html#web-application-flow
          Show
          dskrvk Dmitry Erastov added a comment - Fix merged: https://github.com/jenkinsci/gitlab-oauth-plugin/commit/45838752c9299a90465254b279c9b5063ff7e243

            People

            Assignee:
            elhabib_med Mohamed El Habib
            Reporter:
            dskrvk Dmitry Erastov
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: