<SOLVED> New install of Gitea/Drone - unable to auth into Gitea

Installing Gitea and Drone as docker containers on a test system. This playbook has been working, but something new has happened … From the Drone Welcome screen any attempt at auth into Gitea results in an invalid_request coming back.

Gitea is set up with a default admin user droneadmin, the oauth2 application is created and the client_id and client_secret are stored in an .env file for docker to read as it all starts up (via systemd). The ExecStart looks like this

ExecStart=/usr/bin/docker run --rm --name drone \
    -e TZ=America/New_York \
    --env-file "/stuff/gitea/drone/drone.env" \
    --env-file "/stuff/gitea/gitea/admin.tokens" \
    -p 3001:80 \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v /stuff/gitea/drone:/data \

and the drone.env and admin_tokens looks like this



# These two for drone-runner and drone-runner--exec

# Can also specify token by adding ",token:<32-char-token>"



With DRONE_LOGS_DEBUG enabled, a sample docker logs drone --follow results in this

  "level": "error",
  "msg": "oauth: authorization error: invalid_request",
  "time": "2022-11-22T18:05:33-05:00"
  "level": "debug",
  "msg": "cannot authenticate user: invalid_request",
  "time": "2022-11-22T18:05:33-05:00"
  "fields.time": "2022-11-22T18:05:33-05:00",
  "latency": 181364,
  "level": "debug",
  "method": "GET",
  "msg": "",
  "remote": "",
  "request": "/login?error=invalid_request\u0026error_description=PKCE+is+required+for+public+clients\u0026state=4d65822107fcfd52",
  "request-id": "2HvGqOVecPyuBmZTzbhuVFTY1LX",
  "time": "2022-11-22T18:05:33-05:00"
  "fields.time": "2022-11-22T18:05:33-05:00",
  "latency": 42226,
  "level": "debug",
  "method": "GET",
  "msg": "",
  "remote": "",
  "request": "/login/error?message=invalid_request",
  "request-id": "2HvGqQ8HgZC65e6l96pVLMr6NBs",
  "time": "2022-11-22T18:05:33-05:00"
  "level": "debug",
  "msg": "api: authentication required",
  "request-id": "2HvGqQe4HR9Fs3YYIxqVWMpFExR",
  "time": "2022-11-22T18:05:33-05:00"
  "level": "debug",
  "msg": "api: guest access",
  "request-id": "2HvGqQe4HR9Fs3YYIxqVWMpFExR",
  "time": "2022-11-22T18:05:33-05:00"

The associated Gitea logs are

2022/11/22 18:05:26 [637d55b6] router: completed GET /login/oauth/authorize?client_id=17408453-6795-4410-89d3-84584fcfea16&redirect_uri=http%3A%2F%2Fxeon.local%3A3001%2Flogin&response_type=code&state=4d65822107fcfd52 for, 303 See Other in 0.2ms @ context/auth.go:28(context.Toggle)
2022/11/22 18:05:26 [637d55b6-2] router: completed GET /user/login for, 200 OK in 3.0ms @ auth/auth.go:152(auth.SignIn)
2022/11/22 18:05:33 [637d55bd] router: completed POST /user/login for, 303 See Other in 35.8ms @ auth/auth.go:177(auth.SignInPost)
2022/11/22 18:05:33 [637d55bd-2] router: completed GET /login/oauth/authorize?client_id=17408453-6795-4410-89d3-84584fcfea16&redirect_uri=http%3A%2F%2Fxeon.local%3A3001%2Flogin&response_type=code&state=4d65822107fcfd52 for, 303 See Other in 2.0ms @ auth/oauth.go:361(auth.AuthorizeOAuth)


The Drone error msg "request": "/login?error=invalid_request\u0026error_description=PKCE+is+required+for+public+clients\u0026state=4d65822107fcfd52", is interesting …

This happens for all variations in a clean system, starting from the Drone Welcome screen - all immediately back to the invalid_request

  • Only droneadmin user exists in Gitea and Drone, click Continue on Welcome screen, log into Gitea as droneadmin
  • New user registered in Gitea (not Drone), log out of Gitea, click Continue on Welcome screen, log into Gitea as that new user
  • New user registered in Gitea (not Drone), stay logged in, click Continue on Welcome screen
  • New user upgraded to Admin in Gitea
  • New user created in Drone via drone user add --admin newuser to match user in Gitea

Just regenerated the Oauth2 DRONE_GITEA_CLIENT_SECRET in Gitea for the newuser, updated the value in the drone.env, restart the Drone container.

Same problem happening

Possibly more information ? On a bare fresh install of gitea/drone, using the drone cmdline to get info drone info shows a couple of duplicate proto lines

half@xeon:/stuff/gitea$ cat /stuff/gitea/drone/drone_cmdline.env

# Used for drone cmdline access
export DRONE_TOKEN=17Ac4fb4Bcb4a58ccf8aE6e27C1bB65C
export DRONE_SERVER=http://xeon.local:3001

# Usage:
# source /stuff/gitea/drone/drone_cmdline.env
# drone info
half@xeon:/stuff/gitea$ source /stuff/gitea/drone/drone_cmdline.env
half@xeon:/stuff/gitea$ drone info
2022/11/23 09:53:18 proto: duplicate proto type registered: PluginSpec
2022/11/23 09:53:18 proto: duplicate proto type registered: PluginPrivilege
User: droneadmin

Also, when I compare the fresh install on xeon.local to a currently working install on another system (identical setup) I notice these differences in the /stuff/gitea/gitea/conf/app.ini file

  • [security] section is missing the SECRET_KEY and INTERNAL_TOKEN items
  • [oauth2 section is missing the JWT_SECRET item

How are those generated ?


The problem was that the oauth2 application being generated in Gitea (via api) was not marked as a confidential one. Simply had to add

"confidential_client": true

To the body json in the api call

1 Like

Hey @Halfwalker, that’s amazing glad you were able to solve the issue and thanks for sharing the update.Do let us know if there are any other issue you are facing or have any query about the product! Thanks