Mattermost, Inc.

Mattermost Gitlab oauth problem

Hey there,

Our Gitlab Omnibus setup started having problems with the Mattermost OAuth workflow a few days ago. I’m including some info below. I’d appreciate any pointers and am happy to add any more info you might need.

Summary

Users logged in to Mattermost can use the application.

However, the OAuth workflow doesn’t work any more. After redirection from Mattermost to the Gitlab login page and logging in with correct credentials, users receive the message:
Error
Bad Response from token request.

Well, this would be the English version - actually, since our setup is localized, the message is in German: “Fehlerhafte Rückmeldung bei Tokenanfrage”.

Steps to reproduce

  1. Version number
    Gitlab omnibus 11.8.10

  2. Steps to reproduce your issue
    Docker install of Gitlab omnibus. Set up Mattermost OAuth workflow.

Trying to log in to Mattermost correctly redirects to the Gitlab login page. Login with correct credentials yields the message “Bad Response from token request.” Login with wrong credentials yields "Could not authenticate you from Ldapmain because "Invalid credentials for “.”, so contacting our LDAP is not the problem.

  3. Link to the documentation you’re using, noting the step where you encounter the issue.
    n/a

  4. The relevant portion of the Mattermost log file at /var/log/gitlab/mattermost/mattermost.log
    tail -f /var/log/gitlab/mattermost/mattermost.log
    […]
    {“level”:“error”,“ts”:1561383629.897077,“caller”:“api4/oauth.go:492”,“msg”:“AuthorizeOAuthUser: Fehlerhafte Rückmeldung bei Tokenanfrage, response_body={“error”:“invalid_grant”,“error_description”:“The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.”}”}
    […]

Thank you.

Hi @rfreund, as a first step, wondering if these previous threads might help:

amy.blais,

thank you for those links - I hadn’t found the second one and there is quite a lot of useful debugging info there.

However, I have now solved the problem. Turns out, neither Mattermost nor Gitlab was the culprit… we are using an nginx as a reverse proxy. A few days ago, websocket support was turned on for all vhosts - turns out, that breaks Mattermost oauth. Why - no idea, didn’t investigate further :smile: but maybe this info is useful for others with similar problems.

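An added example, not part of the thread or of Mattermost's code: a Python helper that pulls token-request failures such as the `invalid_grant` entry out of `mattermost.log`, so their timestamps can be lined up with reverse-proxy or Gitlab logs. The sample lines, the `non_json_response` label and the function name are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample input in the shape of the mattermost.log entry quoted in
# the thread; inner quotes are escaped the way a JSON logger writes them.
SAMPLE_LOG = r'''
{"level":"info","ts":1561383600.0,"caller":"sample/constructed.go:1","msg":"constructed filler line"}
{"level":"error","ts":1561383629.897077,"caller":"api4/oauth.go:492","msg":"AuthorizeOAuthUser: Fehlerhafte Rückmeldung bei Tokenanfrage, response_body={\"error\":\"invalid_grant\",\"error_description\":\"The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.\"}"}
{"level":"error","ts":1561383700.5,"caller":"api4/oauth.go:492","msg":"AuthorizeOAuthUser: Bad Response from token request., response_body=<html>constructed non-JSON body</html>"}
this line is not JSON
'''

MARKER = "response_body="


def oauth_token_errors(lines):
    """Return one record per logged token-request failure (hypothetical helper)."""
    records = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or non-JSON line
        if not isinstance(entry, dict):
            continue
        msg = entry.get("msg", "")
        if entry.get("level") != "error" or MARKER not in msg:
            continue
        body = msg.split(MARKER, 1)[1]
        try:
            # raw_decode tolerates any text that follows the JSON object
            parsed, _ = json.JSONDecoder().raw_decode(body)
            error = parsed.get("error", "unknown")
            detail = parsed.get("error_description", "")
        except (json.JSONDecodeError, AttributeError):
            # The token request was not answered with a JSON object
            error, detail = "non_json_response", body[:80]
        when = datetime.fromtimestamp(entry.get("ts", 0), tz=timezone.utc)
        records.append({"time": when.isoformat(), "caller": entry.get("caller"),
                        "error": error, "detail": detail})
    return records


if __name__ == "__main__":
    for rec in oauth_token_errors(SAMPLE_LOG.splitlines()):
        print(rec["time"], rec["caller"], rec["error"], "-", rec["detail"])
```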