Drone doesn't implment Gitlab OAuth2 token refresh and causes 404 and code change webhook fails

No OAuth2 token refresher for Gitlab tokens.

Missing gitlab:
No token refresher support for the Gitlab https://github.com/harness/drone/blob/724bd35cfc1b3f957be99f6e390c7da1f4b7833f/cmd/drone-server/inject_login.go#L182

And here,
The gitea has a token refresher,
see: cmd/drone-server/inject_client.go#L153,
But none for the gitlab,
See: cmd/drone-server/inject_client.go#L183.

Also, for your reference, the gitlab OAuth2 token now has a default 2 hours expiration policy.
Gitlab OAuth Ref, https:docs.gitlab.com/ee/api/oauth2.html

Since I am more working in the Java ecosystem and not so familar with Go code, I am not going to create a PR for this issue. (It may takes me days to get started. :slight_smile: )

Finally, it’s sad to restrict new users to add only two links in posts which cause the post a little bit weird.


We face the same issue. I don’t know the internals of Gitlab (cloud) but I guess they changed the duration over the last weekend down to 2h. It does not make drone useless, but pretty annoying.

I wonder if there are any settings on the Gitlab side we could tweak as I expected to see a lot more people complaining / mentioning this issue.
It would be interesting to know if there already is a plan to fix it?


Same, we are affected by it as well since this week and it does make Drone unusable since without manually logging in on the account whose API credentials Drone uses every once in a while, builds simply don’t trigger.

We face same issue since last week. Can’t see pipeline detail after few hours and need to re-login. Also, from Gitlab webhook dashboard we found timeout response sometimes.

There is now a PR that claims to fix this issue by simply copying the Gitea refresher. As we are already building Drone from source for other reasons, we have tried it and it seems to work. We are still getting an occasional build failure with fatal: could not read Username for 'https://gitlab.com': terminal prompts disabled during clone stage - not sure yet if this error related, though, but at least no more 404!

We are also having this issue. We need to always relogin with the gitlab drone application user.

I finally found a solution for it.
Since I am fresh to GO and I just made some changes to make gitlab work without testing on others, I didn’t create a PR for the project.
A pre-build image with the fix can be found at gluxhappy/drone-server-gitlab. If you have any (security) concerns, you can build your own from scripts at gluxhappy/drone-gitlab .

That is not enough, some changes in the go-scm module also need to be made (see my reply below).

Could you please explain those changes? Do they fix the error message I mentioned and if so, how?

As you can see from the Github repo I mentioned in the previews reply, beside the same change in the PR for the drone main repo, some additional changes are also need in the go-scm repo which is a sub-module of the main drone-server project. The changes in that repo is to add client_id and client_secret parameters when requesting a token refresh. This is documented in the Gitlab documentation but seems not the standard way of the OAuth2. That’s why I didn’t create a PR for the go-scm repo since this change could break the refresh of tho platforms.


1 Like


Please use DRONE_GIT_USERNAME and DRONE_GIT_PASSWORD to avoid a token refresh issue casued by Force Token Refresh.

The DRONE_GIT_USERNAME should be a user’s name and DRONE_GIT_PASSWORD should be an Personal Access Token with long expiration time. The access token should has been grant at least read access to all repositories you want to build via the Drone.

1 Like

Same here.

I use gitlab 15.0 and drone 2.12.0.

I followed the doc from official drone website. GitLab | Drone

I think it’s a little weird if we use the personal account as the env for DRONE_GIT_USERNAME and DRONE_GIT_PASSWORD.

Thanks for @gluxhappy

I tried the method you provide at #11. It doesn’t work for me. I really don’t know why.

but I downgrade from 15.0 to 14.10.3 successfully.

It came back normal now for me.

Hope this issue will be fixed in the future.


We have rebuilt Drone with the go-scm change you proposed. Sadly, it doesn’t seem to change anything, some builds still randomly fail with the fatal: could not read Username for 'https://gitlab.com': terminal prompts disabled error.

We face the same issue.
Has any solution with this?

as a hacky fix if you have people login in a lot it should work of longer as the tokens get renewed when you login

it seems work!! thanks!!https://github.com/gluxhappy/drone-gitlab

Looks like the latest release fixed the issue.

I’m not sure that it does. As I have mentioned, we have tried the change in that PR and it seems to fix authentication timeout in Drone web UI and webhooks not arriving, but we still kept getting intermittent build failures with another error.

What did fully fix it is using DRONE_GIT_USERNAME and DRONE_GIT_PASSWORD with a personal token as suggested in this thread. (The additional change to go-scm, however, didn’t help, we tried it too.) Still, it’s better than nothing. Perhaps now that the PR is merged, more people will get the same clone step error we did, report it, and prompt another fix :slight_smile:

I confirmed with the latest drone 2.12.1 fixed the issue.

Gitlab 15.0.2

I didn’t use extra settings for my drone and keep the original settings.