Jenkins / JENKINS-63536

Login via Gitlab fails with insufficient_scope


      Since this morning our Jenkins users are unable to access it, seeing an "Oops! A problem occurred while processing the request." page. Inspecting the logs shows this error message:

      2020-08-27 15:24:11.091+0000 [id=62]    WARNING h.i.i.InstallUncaughtExceptionHandler#handleException: Caught unhandled exception with ID 9ed2da46-1473-4140-b497-132bdbaee706
      java.io.IOException: Server returned HTTP response code: 403 for URL: https://gitlab.com/api/v4/groups?per_page=100
              at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1900)
              at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498)
              at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:268)
              at org.gitlab.api.http.GitlabHTTPRequestor.parse(GitlabHTTPRequestor.java:387)
              at org.gitlab.api.http.GitlabHTTPRequestor.access$200(GitlabHTTPRequestor.java:35)
              at org.gitlab.api.http.GitlabHTTPRequestor$1.fetch(GitlabHTTPRequestor.java:256)
      Caused: org.gitlab.api.GitlabAPIException: {"error":"insufficient_scope","error_description":"The request requires higher privileges than provided by the access token.","scope":"api read_api"}
              at org.gitlab.api.http.GitlabHTTPRequestor.handleAPIError(GitlabHTTPRequestor.java:432)
              at org.gitlab.api.http.GitlabHTTPRequestor.access$300(GitlabHTTPRequestor.java:35)
              at org.gitlab.api.http.GitlabHTTPRequestor$1.fetch(GitlabHTTPRequestor.java:260)

      The Jenkins application had been configured a long time ago according to instructions.

      I tried removing the application and configuring it from scratch (and then updating the tokens in Jenkins' config.xml). Currently it has the following scopes:

      • read_user
      • api
      • read_api
      • openid

      What I'm noticing is that the first time after adding the application and accessing Jenkins I'm taken to a Gitlab page that asks to authorize Jenkins, and it lists only one permission - "Read the authenticated user's personal information". After clicking authorize I'm taken back to the aforementioned Jenkins error page. On Gitlab's Applications page I can see Jenkins with the only scope of `read_user`. I can also see the number of clients incrementing next to the application name every time a new user tries to access Jenkins.

      Additional potentially relevant details:

      1. Our team is using Gitlab.com, not a self-hosted installation, so there's no Admin section that's mentioned in the docs. However, being a group admin, I'm able to add the application via Settings. I believe this is how I originally configured it a couple of years ago.
      2. When setting up the application, if I only give it the `api` scope as suggested in the plugin docs, the Gitlab "authorize" page doesn't list any permissions for the application, and clicking Authorize results in Jenkins being added with no scopes (similar to this bug: https://gitlab.com/gitlab-org/gitlab/-/issues/230886, except it's the reverse situation - adding `api` doesn't seem to imply `read_user`). It does seem that `read_user` is a required scope (or the plugin incorrectly requests scopes from Gitlab?).

            elhabib_med Mohamed El Habib
            dskrvk Dmitry Erastov
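
A log check for the failure reported above, as an added example that is not part of the original report or of the plugin's code: it pulls `insufficient_scope` errors out of a Jenkins log and compares the scopes named in the error with the scopes the token was actually granted. The sample log is constructed from the lines in the report (with the wrapped JSON joined onto one line), the function names are hypothetical, and reading the error's `scope` list as "any one of these is enough" is an assumption.

```python
import json
import re

# Constructed sample: lines taken from the report, JSON body joined onto one line.
SAMPLE_LOG = (
    "2020-08-27 15:24:11.091+0000 [id=62]    WARNING "
    "h.i.i.InstallUncaughtExceptionHandler#handleException: Caught unhandled exception\n"
    "java.io.IOException: Server returned HTTP response code: 403 for URL: "
    "https://gitlab.com/api/v4/groups?per_page=100\n"
    '      Caused: org.gitlab.api.GitlabAPIException: {"error":"insufficient_scope",'
    '"error_description":"The request requires higher privileges than provided by '
    'the access token.","scope":"api read_api"}\n'
)

URL_403 = re.compile(r"HTTP response code: 403 for URL: (\S+)")
API_ERROR = re.compile(r"GitlabAPIException:\s*(\{.*\})\s*$")


def find_scope_errors(log_text):
    """Return [(url, accepted_scopes)] for each insufficient_scope error found."""
    results, url = [], None
    for line in log_text.splitlines():
        m = URL_403.search(line)
        if m:
            url = m.group(1)  # remember which API call was rejected
            continue
        m = API_ERROR.search(line)
        if not m:
            continue
        try:
            body = json.loads(m.group(1))
        except json.JSONDecodeError:
            continue  # malformed or truncated error body
        if body.get("error") == "insufficient_scope":
            results.append((url, set(body.get("scope", "").split())))
            url = None
    return results


def diagnose(granted, accepted):
    """Assumption: the token needs at least one scope listed in the error."""
    if set(granted) & set(accepted):
        return "ok"
    return "granted %s, endpoint accepts %s" % (sorted(granted), sorted(accepted))
```

With the report's values, `diagnose({"read_user"}, {"api", "read_api"})` flags the mismatch between the scope shown on the authorize page and the scopes the groups endpoint asks for.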