Gitlab/Mattermost login error - Bad response from token request

Summary

Mattermost shows error “Bad response from token request” while thying to authenticate through Gitlab

Steps to reproduce

Install gitlab 11.8.0-rc8 from source on one server, install latest Mattermost on another. Configure them accordind to the guides, try to login with Gitlab

Expected behavior

Succesfull authentication in mattermost with Gitlab user account.

Observed behavior

We have Gitlab 11.8.0-rc8 installed from source on one server, and stand-alone Mattermost 5.9.0 on another. Both are configured according to the Mattermost documentation. But when i press “Sign in with Gitlab” button i at first i’m redirected to Gitlab, grant authorization there, and after that i see an error screen "Bad response from token request."

Gitlab logs:

production.log

Started GET "/oauth/authorize?response_type=code&client_id=1de458ac4703d588f50f86dc2fbe2193a97cd12468dcc402a825b6ba8b057cb0&redirect_uri=<MATTERMOST URL>%2Fsignup%2Fgitlab%2Fcomplete&state=eyJhY3Rpb24iOiJsb2dpbiIsInRva2VuIjoic3FjZGQ1Ymc0cHJ1ZHpjN3Nrb2pnaXp5c2NqZmFpbWJmZnByZDExaHBvNDFob3h1ZXczZHN4cHR5cHdwcG0zciJ9" for 127.0.0.1 at 2019-03-27 20:19:46 +0300
Processing by Oauth::AuthorizationsController#new as HTML
  Parameters: {"response_type"=>"code", "client_id"=>"1de458ac4703d588f50f86dc2fbe2193a97cd12468dcc402a825b6ba8b057cb0", "redirect_uri"=>"<MATTERMOST URL>/signup/gitlab/complete", "state"=>"eyJhY3Rpb24iOiJsb2dpbiIsInRva2VuIjoic3FjZGQ1Ymc0cHJ1ZHpjN3Nrb2pnaXp5c2NqZmFpbWJmZnByZDExaHBvNDFob3h1ZXczZHN4cHR5cHdwcG0zciJ9"}
Completed 200 OK in 27ms (Views: 19.2ms | ActiveRecord: 1.9ms)
Started GET "/oauth/undefined" for 127.0.0.1 at 2019-03-27 20:19:47 +0300
Processing by ApplicationController#route_not_found as */*
  Parameters: {"unmatched_route"=>"oauth/undefined"}
Completed 404 Not Found in 11ms (Views: 1.4ms | ActiveRecord: 1.2ms)

Started POST "/oauth/authorize" for 127.0.0.1 at 2019-03-27 20:19:48 +0300
Processing by Oauth::AuthorizationsController#create as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "client_id"=>"1de458ac4703d588f50f86dc2fbe2193a97cd12468dcc402a825b6ba8b057cb0", "redirect_uri"=>"<MATTERMOST URL>//signup/gitlab/complete", "state"=>"eyJhY3Rpb24iOiJsb2dpbiIsInRva2VuIjoic3FjZGQ1Ymc0cHJ1ZHpjN3Nrb2pnaXp5c2NqZmFpbWJmZnByZDExaHBvNDFob3h1ZXczZHN4cHR5cHdwcG0zciJ9", "response_type"=>"code", "scope"=>"api", "nonce"=>""}
Redirected to <MATTERMOST URL>//signup/gitlab/complete?code=9934b277d8481b166c3320b359f7cbfc95ab97cd857b248781bc96a4b905406c&state=eyJhY3Rpb24iOiJsb2dpbiIsInRva2VuIjoic3FjZGQ1Ymc0cHJ1ZHpjN3Nrb2pnaXp5c2NqZmFpbWJmZnByZDExaHBvNDFob3h1ZXczZHN4cHR5cHdwcG0zciJ9
Completed 302 Found in 9ms (ActiveRecord: 1.6ms)
Started POST "/oauth/token" for 127.0.0.1 at 2019-03-27 20:19:48 +0300
Processing by Doorkeeper::TokensController#create as JSON
  Parameters: {"client_id"=>"1de458ac4703d588f50f86dc2fbe2193a97cd12468dcc402a825b6ba8b057cb0", "client_secret"=>"[FILTERED]", "code"=>"[FILTERED]", "grant_type"=>"authorization_code", "redirect_uri"=>"https://backend/signup/gitlab/complete"}
Completed 401 Unauthorized in 2ms

production_json.log

{
  "method": "GET",
  "path": "/oauth/authorize",
  "format": "html",
  "controller": "Oauth::AuthorizationsController",
  "action": "new",
  "status": 200,
  "duration": 30.04,
  "view": 22.19,
  "db": 1.93,
  "time": "2019-03-28T08:53:28.170Z",
  "params": [
    {
      "key": "response_type",
      "value": "code"
    },
    {
      "key": "client_id",
      "value": "1de458ac4703d588f50f86dc2fbe2193a97cd12468dcc402a825b6ba8b057cb0"
    },
    {
      "key": "redirect_uri",
      "value": "<MATTERMOST URL>//signup/gitlab/complete"
    },
    {
      "key": "state",
      "value": "eyJhY3Rpb24iOiJsb2dpbiIsInRva2VuIjoiYXc1ZThlZDYzZTMxNzFuZzdkdTZyNGFwamc3Y294NGpnZnR0c3NteXp5cnFhZXhiOHB6OXFpbzlodGVpa3lyNCJ9"
    }
  ],
  "remote_ip": null,
  "user_id": null,
  "username": null,
  "ua": null,
  "correlation_id": "AcjHeW1h94"
}
{
  "method": "GET",
  "path": "/oauth/undefined",
  "format": "*/*",
  "controller": "ApplicationController",
  "action": "route_not_found",
  "status": 404,
  "duration": 11.11,
  "view": 1.11,
  "db": 2.04,
  "time": "2019-03-28T08:53:28.582Z",
  "params": [
    {
      "key": "unmatched_route",
      "value": "oauth/undefined"
    }
  ],
  "remote_ip": "10.10.1.56",
  "user_id": 84,
  "username": "XXXXX",
  "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0",
  "correlation_id": "A2JdMpVsB13"
}
{
  "method": "POST",
  "path": "/oauth/authorize",
  "format": "html",
  "controller": "Oauth::AuthorizationsController",
  "action": "create",
  "status": 302,
  "duration": 10.07,
  "view": 0,
  "db": 2.07,
  "location": "<MATTERMOST URL>//signup/gitlab/complete",
  "time": "2019-03-28T08:53:29.386Z",
  "params": [
    {
      "key": "utf8",
      "value": "✓"
    },
    {
      "key": "authenticity_token",
      "value": "[FILTERED]"
    },
    {
      "key": "client_id",
      "value": "1de458ac4703d588f50f86dc2fbe2193a97cd12468dcc402a825b6ba8b057cb0"
    },
    {
      "key": "redirect_uri",
      "value": "<MATTERMOST URL>/signup/gitlab/complete"
    },
    {
      "key": "state",
      "value": "eyJhY3Rpb24iOiJsb2dpbiIsInRva2VuIjoiYXc1ZThlZDYzZTMxNzFuZzdkdTZyNGFwamc3Y294NGpnZnR0c3NteXp5cnFhZXhiOHB6OXFpbzlodGVpa3lyNCJ9"
    },
    {
      "key": "response_type",
      "value": "code"
    },
    {
      "key": "scope",
      "value": "api"
    },
    {
      "key": "nonce",
      "value": ""
    }
  ],
  "remote_ip": null,
  "user_id": null,
  "username": null,
  "ua": null,
  "correlation_id": "r2jixRPrzJ3"
}
{
  "method": "POST",
  "path": "/oauth/token",
  "format": "json",
  "controller": "Doorkeeper::TokensController",
  "action": "create",
  "status": 401,
  "duration": 3.4,
  "view": 0,
  "time": "2019-03-28T08:53:29.431Z",
  "params": [
    {
      "key": "client_id",
      "value": "1de458ac4703d588f50f86dc2fbe2193a97cd12468dcc402a825b6ba8b057cb0"
    },
    {
      "key": "client_secret",
      "value": "[FILTERED]"
    },
    {
      "key": "code",
      "value": "[FILTERED]"
    },
    {
      "key": "grant_type",
      "value": "authorization_code"
    },
    {
      "key": "redirect_uri",
      "value": "https://backend/signup/gitlab/complete"
    }
  ],
  "remote_ip": null,
  "user_id": null,
  "username": null,
  "ua": null,
  "correlation_id": "1qErLiNqBZ6"
}

Hi netgineer,

In this forum post they suggested this fix:

I also experienced this problem when switching my HTTP Gitlab instance over to HTTPS. I had to update my /etc/gitlab.gitlab-secrets.json to use HTTPS for the *_endpoint parameters. I don’t think Mattermost will follow the 302 on the token request if you’re redirecting HTTP to HTTPS. (and rightfully so)

Did you try that?

I am getting this error now. How did u solve it ?

Hi neme,

di you try the fix out of the linked forum post and are your protocols matching? Mattermost and Gitlab should both either run on https or http, you should not mix the schemes.