Post "/login/oauth/access_token": stopped after 10 redirects

hb0730 · November 23, 2021, 12:33am

Drone + gitea logs in oauth2. After logging in successfully on the first day, such a problem occurs on the second day. Why is there no prefix of gitea server

drone log:

drone-runner    | time="2021-11-23T08:26:18+08:00" level=info msg="starting the server" addr=":3000"
drone-runner    | time="2021-11-23T08:26:18+08:00" level=info msg="successfully pinged the remote server"
drone-runner    | time="2021-11-23T08:26:18+08:00" level=info msg="polling the remote server" arch=amd64 capacity=2 endpoint="http://drone-server" kind=pipeline os=linux type=docker
drone-server    | {"build.limit":0,"expires":"0001-01-01T00:00:00Z","kind":"trial","level":"debug","msg":"main: license loaded","repo.limit":0,"time":"2021-11-23T08:26:17+08:00","user.limit":0}
drone-server    | {"admin":true,"level":"debug","login":"gitea_hohofast","machine":false,"msg":"bootstrap: create account","time":"2021-11-23T08:26:17+08:00","token":""}
drone-server    | {"admin":true,"level":"debug","login":"gitea_hohofast","machine":false,"msg":"bootstrap: updating account","time":"2021-11-23T08:26:17+08:00","token":""}
drone-server    | {"admin":true,"level":"debug","login":"gitea_hohofast","machine":false,"msg":"bootstrap: account already up-to-date","time":"2021-11-23T08:26:17+08:00","token":""}
drone-server    | {"acme":false,"host":"drone.hohofast.frp.t31.top","level":"info","msg":"starting the http server","port":":80","proto":"http","time":"2021-11-23T08:26:17+08:00","url":"http://drone.hohofast.frp.t31.top"}
drone-server    | {"interval":"30m0s","level":"info","msg":"starting the cron scheduler","time":"2021-11-23T08:26:17+08:00"}
drone-server    | {"interval":"24h0m0s","level":"info","msg":"starting the zombie build reaper","time":"2021-11-23T08:26:17+08:00"}
drone-server    | {"arch":"amd64","kernel":"","kind":"pipeline","level":"debug","msg":"manager: request queue item","os":"linux","time":"2021-11-23T08:26:18+08:00","type":"docker","variant":""}
drone-server    | {"arch":"amd64","kernel":"","kind":"pipeline","level":"debug","msg":"manager: request queue item","os":"linux","time":"2021-11-23T08:26:18+08:00","type":"docker","variant":""}
drone-server    | {"fields.time":"2021-11-23T08:26:41+08:00","latency":25310,"level":"debug","method":"GET","msg":"","remote":"172.18.0.4:35778","request":"/","request-id":"21ISeEoGfDWp0skLSxNYCXxsCts","time":"2021-11-23T08:26:41+08:00"}
drone-server    | {"fields.time":"2021-11-23T08:26:41+08:00","latency":32395,"level":"debug","method":"GET","msg":"","remote":"172.18.0.4:35780","request":"/welcome","request-id":"21ISeCsOOEJovlU4XKWJbAoCUkj","time":"2021-11-23T08:26:41+08:00"}
drone-server    | {"level":"debug","msg":"api: authentication required","request-id":"21ISeJ3ryUdjhtnAIsNmaeZ8JPq","time":"2021-11-23T08:26:41+08:00"}
drone-server    | {"level":"debug","msg":"api: guest access","request-id":"21ISeJ3ryUdjhtnAIsNmaeZ8JPq","time":"2021-11-23T08:26:41+08:00"}
drone-server    | {"fields.time":"2021-11-23T08:26:41+08:00","latency":175155,"level":"debug","method":"GET","msg":"","remote":"172.18.0.4:35784","request":"/api/user","request-id":"21ISeJ3ryUdjhtnAIsNmaeZ8JPq","time":"2021-11-23T08:26:41+08:00"}
drone-server    | {"level":"debug","msg":"events: stream opened","request-id":"21ISeD9FYvS06ewGvWE2U3nkV4E","time":"2021-11-23T08:26:41+08:00"}
drone-server    | {"fields.time":"2021-11-23T08:26:41+08:00","latency":32665,"level":"debug","method":"GET","msg":"","remote":"172.18.0.4:35790","request":"/D4BA146C9DCC15D1.png","request-id":"21ISeFq17fH7EYhs9Jx9LP0MMaN","time":"2021-11-23T08:26:41+08:00"}
drone-server    | {"fields.time":"2021-11-23T08:26:48+08:00","latency":40883,"level":"debug","method":"GET","msg":"","remote":"172.18.0.4:35794","request":"/login","request-id":"21ISf4fCvW0Hsc8NIqAOHCsWHfL","time":"2021-11-23T08:26:48+08:00"}
drone-server    | {"arch":"amd64","kernel":"","kind":"pipeline","level":"debug","msg":"manager: context canceled","os":"linux","time":"2021-11-23T08:26:48+08:00","type":"docker","variant":""}
drone-server    | {"arch":"amd64","kernel":"","kind":"pipeline","level":"debug","msg":"manager: context canceled","os":"linux","time":"2021-11-23T08:26:48+08:00","type":"docker","variant":""}
drone-server    | {"level":"error","msg":"oauth: cannot exchange code: ljZZwnBzQHZzQtVWqRxXVXV9pCd6QKDBnji0ByERLXWE: Post \"/login/oauth/access_token\": stopped after 10 redirects","time":"2021-11-23T08:26:50+08:00"}
drone-server    | {"level":"debug","msg":"cannot authenticate user: Post \"/login/oauth/access_token\": stopped after 10 redirects","time":"2021-11-23T08:26:50+08:00"}
drone-server    | {"fields.time":"2021-11-23T08:26:50+08:00","latency":1616942575,"level":"debug","method":"GET","msg":"","remote":"172.18.0.4:35798","request":"/login?code=ljZZwnBzQHZzQtVWqRxXVXV9pCd6QKDBnji0ByERLXWE\u0026state=4d65822107fcfd52","request-id":"21ISf4b4Gjt88i5H0Xdie9ZgBDb","time":"2021-11-23T08:26:50+08:00"}
drone-server    | {"fields.time":"2021-11-23T08:26:50+08:00","latency":40456,"level":"debug","method":"GET","msg":"","remote":"172.18.0.4:35820","request":"/login/error?message=Post%20%22/login/oauth/access_token%22:%20stopped%20after%2010%20redirects","request-id":"21ISfNKxSJtDiHvVX7DbkDKRL2p","time":"2021-11-23T08:26:50+08:00"}
drone-server    | {"level":"debug","msg":"api: authentication required","request-id":"21ISfLAYq9YVXfms42WiG6Et5vT","time":"2021-11-23T08:26:50+08:00"}
drone-server    | {"level":"debug","msg":"api: guest access","request-id":"21ISfLAYq9YVXfms42WiG6Et5vT","time":"2021-11-23T08:26:50+08:00"}
drone-server    | {"fields.time":"2021-11-23T08:26:50+08:00","latency":85564,"level":"debug","method":"GET","msg":"","remote":"172.18.0.4:35824","request":"/api/user","request-id":"21ISfLAYq9YVXfms42WiG6Et5vT","time":"2021-11-23T08:26:50+08:00"}
drone-server    | {"level":"debug","msg":"events: stream opened","request-id":"21ISfLicZ4k7HxJHgkRG8Pq0pQR","time":"2021-11-23T08:26:50+08:00"}
drone-server    | {"fields.time":"2021-11-23T08:26:50+08:00","latency":46386,"level":"debug","method":"GET","msg":"","remote":"172.18.0.4:35830","request":"/login/D4BA146C9DCC15D1.png","request-id":"21ISfR6lRN4H6rxwbV6ODCK74kh","time":"2021-11-23T08:26:50+08:00"}

gitea server log:

gitea           | 2021/11/23 08:26:48 Started GET /login/oauth/authorize?client_id=58542dc0-8799-4fed-b0e6-d56337ec891b&redirect_uri=http%3A%2F%2Fdrone.hohofast.frp.t31.top%2Flogin&response_type=code&state=4d65822107fcfd52 for 172.18.0.3:0
gitea           | 2021/11/23 08:26:48 ...s/context/context.go:751:1() [D] Session ID: 9c3e18b01d62a1bd
gitea           | 2021/11/23 08:26:48 ...s/context/context.go:752:1() [D] CSRF Token: 3x5m6ViJeFFk0zz_WY8IqmvYZJ46MTYzNzYyNzA2NTg4MDQ3MTY5NQ
gitea           | 2021/11/23 08:26:48 Completed GET /login/oauth/authorize?client_id=58542dc0-8799-4fed-b0e6-d56337ec891b&redirect_uri=http%3A%2F%2Fdrone.hohofast.frp.t31.top%2Flogin&response_type=code&state=4d65822107fcfd52 302 Found in 14.489969ms

drone configuration:

version: "3.1"
services:
  drone-server:
    image: drone/drone:2
    container_name: drone-server
    environment:
      - DRONE_SERVER_PROTO=http
      - DRONE_SERVER_HOST=drone.hohofast.frp.t31.top
      - DRONE_RPC_SECRET=4535fbf83943931a9c844f5e211ab0f2
      - DRONE_GITEA_SERVER=http://gitea.hohofast.frp.t31.top
      - DRONE_GITEA_SKIP_VERIFY=true
      - DRONE_GITEA_CLIENT_SECRET=HmjmNqHqJguEiXbOOIjs1UPMRXKqHwsgVCmDqlqFVLPI
      - DRONE_GITEA_CLIENT_ID=58542dc0-8799-4fed-b0e6-d56337ec891b
      - DRONE_COOKIE_SECRET=correct-horse-battery-staple
      # user
      - DRONE_USER_CREATE=username:gitea_hohofast,admin:true
      # LOG
      - DRONE_LOGS_DEBUG=true
      # git 
      - DRONE_GIT_ALWAYS_AUTH=true
      - DRONE_GIT_USERNAME=x-oauth-token
      - DRONE_GIT_PASSWORD=de3302d4eaa34285a74cb8e13743d951762bfde8
    volumes:
      - ./data:/data
      - ./config:/root/config
      - /usr/share/zoneinfo:/usr/share/zoneinfo:ro
      - /etc/localtime:/etc/localtime:ro
    networks:
      - docker-net
  drone-runner:
    image: drone/drone-runner-docker:1
    container_name: drone-runner
    environment:
      - DRONE_RPC_HOST=drone-server
      - DRONE_RPC_PROTO=http
      - DRONE_RPC_SECRET=4535fbf83943931a9c844f5e211ab0f2
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /usr/share/zoneinfo:/usr/share/zoneinfo:ro
      - /etc/localtime:/etc/localtime:ro
    networks:
      - docker-net
networks:
  docker-net:
    external: true

bradrydzewski · November 23, 2021, 1:27am

I can see Drone is attempting to make a POST request

cannot authenticate user: Post \"/login/oauth/access_token\"

But your Gitea server shows a GET request along with a 302 redirect

gitea           | 2021/11/23 08:26:48 Completed GET /login/oauth/authorize?client_id=58542dc0-8799-4fed-b0e6-d56337ec891b&redirect_uri=http%3A%2F%2Fdrone.hohofast.frp.t31.top%2Flogin&response_type=code&state=4d65822107fcfd52 302 Found in 14.489969ms

The most common root cause for this behavior is when you have a reverse proxy or some other auto-redirect which converts your post request to a get request. This can be solved by ensuring your stack is configured to use correct urls that do not result in redirect.

bradrydzewski · November 23, 2021, 1:32am

Here is a thread where someone encountered a similar issue:

hb0730 · November 23, 2021, 1:32am

@bradrydzewski
cannot authenticate user: Post \"/login/oauth/access_token\" Why not here http://gitea.hohofast.frp.t31.top Prefix, it’s amazing, Because it has been successful before, it is url : http://gitea.hohofast.frp.t31.top/login/oauth/access_ token

hb0730 · November 23, 2021, 1:34am

@bradrydzewski I can’t turn it into HTTPS

hb0730 · November 23, 2021, 4:16am

gitea           | 2021/11/23 12:12:43 Started GET /login/oauth/authorize?client_id=4c5528fc-e39b-48e7-953d-1a680f073859&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin&response_type=code&state=9408d2ac22c4d294 for 172.18.0.3:0
gitea           | 2021/11/23 12:12:43 ...s/context/context.go:751:1() [D] Session ID: bf7fc339ae0feb2d
gitea           | 2021/11/23 12:12:43 ...s/context/context.go:752:1() [D] CSRF Token: VBh_FPMHN4MFHex-MAW29WkqpM46MTYzNzYzODEwOTc5MTIxMzk5OA
gitea           | 2021/11/23 12:12:43 ...s/context/context.go:185:HTML() [D] Template: user/auth/grant
gitea           | 2021/11/23 12:12:43 Completed GET /login/oauth/authorize?client_id=4c5528fc-e39b-48e7-953d-1a680f073859&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin&response_type=code&state=9408d2ac22c4d294 200 OK in 4.271368ms
gitea           | 2021/11/23 12:12:46 Started POST /login/oauth/grant for 172.18.0.3:0
gitea           | 2021/11/23 12:12:46 ...s/context/context.go:751:1() [D] Session ID: bf7fc339ae0feb2d
gitea           | 2021/11/23 12:12:46 ...s/context/context.go:752:1() [D] CSRF Token: VBh_FPMHN4MFHex-MAW29WkqpM46MTYzNzYzODEwOTc5MTIxMzk5OA
gitea           | 2021/11/23 12:12:46 Completed POST /login/oauth/grant 302 Found in 40.25953ms
gitea           | 2021/11/23 12:12:51 Started POST /login/oauth/access_token for 172.18.0.3:0
gitea           | 2021/11/23 12:12:51 ...s/context/context.go:751:1() [D] Session ID: 56ebb7dadb90934c
gitea           | 2021/11/23 12:12:51 ...s/context/context.go:752:1() [D] CSRF Token: QNlHYyFwCHU8PkpNC9XyhTuQvUc6MTYzNzY0MDc3MTQyMTIyMDA3NA
gitea           | 2021/11/23 12:12:51 Completed POST /login/oauth/access_token 200 OK in 85.024645ms
gitea           | 2021/11/23 12:12:51 Started GET /login/oauth/authorize?client_id=4c5528fc-e39b-48e7-953d-1a680f073859&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin&response_type=code&state=c697f48392907a0 for 172.18.0.3:0
gitea           | 2021/11/23 12:12:51 Completed GET /login/oauth/authorize?client_id=4c5528fc-e39b-48e7-953d-1a680f073859&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin&response_type=code&state=c697f48392907a0 302 Found in 358.385µs
gitea           | 2021/11/23 12:12:51 ...s/context/context.go:751:1() [D] Session ID: 76ed4a5945f6add8
gitea           | 2021/11/23 12:12:51 ...s/context/context.go:752:1() [D] CSRF Token: XY6jKgDRmEOMFt54kaqeaLGlXyk6MTYzNzY0MDc3MTg4ODU5OTA2NA
gitea           | 2021/11/23 12:12:52 Started GET /user/login for 172.18.0.3:0
gitea           | 2021/11/23 12:12:52 ...s/context/context.go:751:1() [D] Session ID: 0d9e7dd9096e8b05
gitea           | 2021/11/23 12:12:52 ...s/context/context.go:752:1() [D] CSRF Token: ve0yXR2eovWAa8b9Q6_JQHmUE9w6MTYzNzY0MDc3MjAxODA1MjM4OA
gitea           | 2021/11/23 12:12:52 ...s/context/context.go:185:HTML() [D] Template: user/auth/signin
gitea           | 2021/11/23 12:12:52 Completed GET /user/login 200 OK in 4.891399ms

This is my debugging using go-login. It is found that it is successful. I don’t know the reason for the drone docker configuration, which caused the post request to fail to reach gitea server. Debugging parameters

-provider=gitea
-provider-url=http://gitea.hohofast.frp.t31.top
-client-id=4c5528fc-e39b-48e7-953d-1a680f073859
-client-secret=K8njRWgAv4U4XkdKcNTYwf4yCPNBZptnNP8UjgX8o1oJ
-dump=true

hb0730 · November 25, 2021, 12:33am

Finally, HTTPS is adopted