Gitlab Auth - Bad response from token request

Summary
I’m trying to set up GitLab auth integration and I get a “Bad response from token request” error.

Steps to reproduce
Self-Hosted Mattermost 7.8.5 + Nginx proxy with self signed certificate and tls termination (nginx configuration from official doc)
Self-Hosted Gitlab Omnibus 15.7 with self-signed certificate
Mattermost and Gitlab on separate servers

Expected behavior
Working Mattermost login through GitLab auth

Observed behavior
Hello community, I’m trying to set up GitLab auth for Mattermost but I’m having an issue. I saw a lot of posts about the “bad response from token request” error but I cannot find a solution for my case.
As described before, I have a self hosted Mattermost with an Nginx proxy with self signed certificate and tls termination, and a self hosted Gitlab with self signed certificate too.

Here is my Mattermost config (relevant part for Gitlab integration) :

"SiteURL": "http://chat.example.local"
...
"EnableInsecureOutgoingConnections": true
...
"GitLabSettings": {
        "Enable": true,
        "Secret": "mysecret",
        "Id": "myid",
        "Scope": "",
        "AuthEndpoint": "https://gitlab.example.local/oauth/authorize",
        "TokenEndpoint": "https://gitlab.example.local/oauth/token",
        "UserAPIEndpoint": "https://gitlab.example.local/api/v4/user",
        "DiscoveryEndpoint": "",
        "ButtonText": "",
        "ButtonColor": ""
    }

Gitlab configuration :

external_url 'https://gitlab.example.local'
...
mattermost_external_url 'http://chat.example.local'
mattermost_nginx['redirect_http_to_https'] = false
mattermost_nginx['ssl_certificate'] = "/etc/gitlab/ssl/mattermost-nginx.crt"
mattermost_nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/mattermost-nginx.key"
...
mattermost['gitlab_auth_endpoint'] = "https://gitlab.example.local/oauth/authorize"
mattermost['gitlab_token_endpoint'] = "https://gitlab.example.local/oauth/token"
mattermost['gitlab_user_api_endpoint'] = "https://gitlab.example.local/api/v4/user"

When I try to authenticate myself I get the “bad response from token request” error:

Mattermost logs:

{"timestamp":"2023-05-23 11:58:36.143 +02:00","level":"error","msg":"Bad response from token request.","caller":"web/context.go:117","path":"/signup/gitlab/complete","request_id":"7uz4xxxxxxxxxxxqt4h","ip_addr":"xxx.xxx.xxx.xxx","user_id":"","method":"GET","err_where":"AuthorizeOAuthUser","http_code":500,"error":"AuthorizeOAuthUser: Erreur lors de la récupération du jeton, response_body={\"error\":\"invalid_grant\",\"error_description\":\"The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.\"}, status_code=400, error=<nil>"}

Gitlab logs:

xxx.xxx.xxx.xxx - - [23/May/2023:12:02:31 +0200] "GET /oauth/authorize?response_type=code&client_id=zexxxxxxxxxxxxxxg25Yw&redirect_uri=http%3A%2F%2Fchat.example.local%2Fsignup%2Fgitlab%2Fcomplete&state=eyJhY3xxxxxxxxxxxxxxxxxxxxFsc2UiLCJ0b2tlbiI6ImV3amhxxxxxxxxxxxxxxxxxzh0NTk5xxxxxxxxxxxxxxxxh6Zng1NnFjZjxxxxxxxxxxxxxxG4ifQ%3D%3D HTTP/2.0" 200 588 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36" 2.35
yyy.yyy.yyy.yyy (Mattermost IP) - - [23/May/2023:12:02:31 +0200] "POST /oauth/token HTTP/1.1" 400 213 "" "Mattermost-Bot/1.1" -

I have tried different parameters but I cannot get it to work. I don’t see what I’m missing, can anyone help me?

Best regards,

Frédérick

Hi Frédérick and welcome to the Mattermost forums!

I’m not sure, but I think this will only work if Mattermost is also running with https. Since you said that you’re using Mattermost behind an nginx proxy with a self-signed certificate, I’m wondering why your SiteUrl and mattermost_external_url still point to the http version - did you already try to switch to https and see if you can reproduce the problem?

Hello agriesser,

Thank you for your reply, I did try with https and also with redirect_http_to_https set to true but I didn’t manage to make it work.

However I tried to add TLS directly on Mattermost Server while keeping Nginx as proxy and it worked, here is the modification I made on Nginx :

under ssl server block > location block (both websocket and root location) :


proxy_ssl_certificate /etc/pki/tls/certs/mattermost.cert;
proxy_ssl_certificate_key /etc/pki/tls/private/mattermost.key;
proxy_ssl_session_reuse on;
proxy_pass https://backend;

Mattermost webserver config :

SiteUrl set to https:// instead of http://
Enable TLS
Enable insecure connection (as I use self signed certificate)

Gitlab :

Set callback URL with https

I saw on another post that both Gitlab and Mattermost had to use TLS but I thought that having Nginx with TLS was enough.

Problem solved :slight_smile:

Best regards,

Frédérick

nginx with TLS should work just fine, but it’s important that the SiteUrl always says https, even though the Mattermost application server is not running with https. So if you’d like to try that again, it would be interesting to see if that really helped, if not, I’m fine too and will mark this topic as resolved :slight_smile:

Oh right, I just tested it and it works too, so we can make it work with TLS termination on Nginx side or with TLS all the way, good to know.

Thank you for your help!

Best regards,

Frédérick

Awesome, just as I expected - thanks for confirming my assumption :slight_smile:
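
The callback URL shows up in three places in this thread: Mattermost's SiteURL, the redirect_uri GitLab logs on /oauth/authorize, and the callback URL set on the GitLab application. As an added example (not code from the posts or from either project), this Python check compares the three; the log line and the registered-callback list are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Callback path as it appears in the redirect_uri of the GitLab log in this thread.
CALLBACK_PATH = "/signup/gitlab/complete"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample modelled on the access log line above (values are placeholders).
SAMPLE_LOG = (
    '203.0.113.10 - - [23/May/2023:12:02:31 +0200] "GET /oauth/authorize'
    '?response_type=code&client_id=CLIENT_ID_PLACEHOLDER'
    '&redirect_uri=http%3A%2F%2Fchat.example.local%2Fsignup%2Fgitlab%2Fcomplete'
    '&state=STATE_PLACEHOLDER%3D%3D HTTP/2.0" 200 588'
)

def redirect_uri_from_access_log(line):
    """Return the decoded redirect_uri of an /oauth/authorize request, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = urlsplit(m.group(1))
    if target.path != "/oauth/authorize":
        return None
    values = parse_qs(target.query).get("redirect_uri")
    return values[0] if values else None

def check_callback(site_url, logged_redirect_uri, registered_callbacks):
    """Compare SiteURL, the logged redirect_uri and the registered callbacks."""
    findings = []
    expected = site_url.rstrip("/") + CALLBACK_PATH
    if logged_redirect_uri != expected:
        findings.append(f"SiteURL gives {expected} but GitLab saw {logged_redirect_uri}")
    if logged_redirect_uri not in registered_callbacks:
        findings.append(f"{logged_redirect_uri} is not a registered callback URL")
    if urlsplit(site_url).scheme != "https":
        findings.append("SiteURL is not https: the authorization code returns in cleartext")
    return findings

if __name__ == "__main__":
    uri = redirect_uri_from_access_log(SAMPLE_LOG)
    # Assumption: the GitLab application was registered with the https callback.
    registered = ["https://chat.example.local" + CALLBACK_PATH]
    for finding in check_callback("http://chat.example.local", uri, registered):
        print(finding)
```

An empty result means the SiteURL, the redirect_uri GitLab received and the registered callback all agree on one https URL.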

Hello,

I have encountered the exact same problem, but what’s peculiar is that when I set the SiteURL to use “http” (without “s”), everything works perfectly fine. However, if I configure it to use “https,” it breaks, and I receive this error. Apart from this issue, everything else appears to be functioning normally, and I’m quite fond of the software. Do you have any ideas about what might be causing this?

By the way, I also have an Nginx reverse proxy in front of the Mattermost server, which is running on a Kubernetes cluster using the Helm chart (Teams edition).

Greetings from Germany!