gitea: Drone auth not working with internal users

  • Gitea version (or commit ref): 1.8.1
  • Git version: N/A
  • Operating system: Linux
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist:

Description

Drone no longer works with Gitea as of 1.8.1. Logging into drone is successful in so much as I see it creates an access token in Gitea even after I delete it. After drone logs in and creates the token, it then hits /api/v1/user. Gitea responds with 401 Unauthorized.

I switched back to 1.8.0 as a workaround for now. Sorry I do not have more details. The logs were not very detailed. I suspect some of the auth bug fixes in 1.8.1 could have caused this. Can anyone else confirm drone no longer working with Gitea?

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 9
  • Comments: 27 (12 by maintainers)

Most upvoted comments

It worked earlier for me but I have just had a recurrence. I had to go into Gitea -> Settings -> Applications and delete the ‘drone’ token, after which Drone could then reconnect (recreating the token). I’m not yet sure what the cause is.

Update: And it just happened again after logging out of Drone - deleting the token then fixed it, so something is not right somewhere. The token-create API call does return a different sha1 each time, suggesting that it is recreating the token as it should be.

Running both gitea and drone on latest docker images (managed by containrrr/watchtower - which is the newly maintained v2tec/watchtower).

  1. You need to register the drone application in gitea: settings -> applications -> Manage OAuth2 applications

  2. The Redirect URI must be identical to that used from drone. Mine is https://<url-to-drone>:<port-of-drone>/login

  3. You need to set the env parameters in the docker container DRONE_GITEA_CLIENT_ID and DRONE_GITEA_CLIENT_SECRET - both generated in step 1./2. after saving.

  4. What I needed to adjust was DRONE_SERVER_HOST which seems to have the port also - otherwise the redirect uri is not constructed properly.

That’s it…
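
The steps in the comment above can be checked before the Drone container is restarted. The following is an added example, not part of the original comment and not code from Drone or Gitea: it assumes, as the comment suggests, that Drone builds its redirect URI as DRONE_SERVER_PROTO://DRONE_SERVER_HOST/login, and the host names, port and sample environments are constructed.

```python
from urllib.parse import urlsplit

REQUIRED = ("DRONE_GITEA_SERVER", "DRONE_GITEA_CLIENT_ID",
            "DRONE_GITEA_CLIENT_SECRET", "DRONE_SERVER_HOST", "DRONE_SERVER_PROTO")

def parse_env(lines):
    """Turn compose-style '- KEY=value' entries into a dict."""
    env = {}
    for line in lines:
        entry = line.strip().lstrip("-").strip()
        if "=" in entry and not entry.startswith("#"):
            key, value = entry.split("=", 1)
            env[key.strip()] = value.strip()
    return env

def check(env, registered_redirect):
    """Return a list of problems; an empty list means the settings line up."""
    problems = [f"{key} is not set" for key in REQUIRED if not env.get(key)]
    if not (env.get("DRONE_SERVER_PROTO") and env.get("DRONE_SERVER_HOST")):
        return problems
    # Assumption taken from the comment: redirect = <proto>://<host>/login
    expected = f"{env['DRONE_SERVER_PROTO']}://{env['DRONE_SERVER_HOST']}/login"
    if expected != registered_redirect:  # the comment says it must be identical
        want, have = urlsplit(expected), urlsplit(registered_redirect)
        diffs = [f"redirect {f} differs: drone sends {getattr(want, f)!r}, "
                 f"gitea has {getattr(have, f)!r}"
                 for f in ("scheme", "hostname", "port", "path")
                 if getattr(want, f) != getattr(have, f)]
        problems += diffs or [f"redirect differs: {expected!r} vs {registered_redirect!r}"]
    return problems

# Constructed sample data (placeholder names, not values from the thread).
REGISTERED = "https://drone.example.test:8443/login"
BROKEN = ["- DRONE_GITEA_SERVER=https://git.example.test",
          "- DRONE_SERVER_HOST=drone.example.test",
          "- DRONE_SERVER_PROTO=https"]
FIXED = BROKEN[:1] + ["- DRONE_SERVER_HOST=drone.example.test:8443",
                      "- DRONE_SERVER_PROTO=https",
                      "- DRONE_GITEA_CLIENT_ID=<client-id-from-gitea>",
                      "- DRONE_GITEA_CLIENT_SECRET=<client-secret-from-gitea>"]

if __name__ == "__main__":
    for name, lines in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check(parse_env(lines), REGISTERED) or "ok")
```
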

@lunny don’t you think it would be more beneficial to put it into the drone docs as that’s the system that wants to authenticate? I could check if they would accept a pull request on their docs for an addition in oauth2 with gitea.

Can confirm having the same problem with gitea version 1.9.0+dev-223-g6db3dc7c0 and latest drone. Was working fine until gitea update.

@kimpenhaus that’s better.

Let me add some additional information here. Looks like I have the same issue with the following setup:

Docker compose:

version: "3"
services:
  nginx:
    image: nginx:latest
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./data/nginx/config:/etc/nginx/conf.d

  gitea:
    image: gitea/gitea:latest
    restart: always
    volumes:
      - ./data/gitea:/data/gitea
    ports:
      - 3000:3000
      - 22:22

  drone:
    image: drone/drone:latest
    environment:
      - DRONE_GITEA_SERVER=https://git.<server>
      - DRONE_RUNNER_CAPACITY=2
      - DRONE_SERVER_HOST=drone.<server>
      - DRONE_SERVER_PROTO=https
      - DRONE_GIT_ALWAYS_AUTH=false
      - DRONE_RPC_SECRET=<secret>
    ports:
      - 81:80
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data/drone:/data

nginx configuration:

server {
    listen 443 ssl;
    server_name git.<server>;
    ssl_certificate ####
    ssl_certificate_key ####
    location / {
        proxy_pass http://gitea:3000;
        proxy_set_header Host $host;
    }
}
server {
    listen 443 ssl;
    server_name drone.<server>;
    ssl_certificate ####
    ssl_certificate_key ####
    location / {
        proxy_pass http://drone:81;
        proxy_set_header Host $host;
    }
}

After logging in on drone.<server> I get the message “Login Failed. Unauthorized”.

docker compose log:

gitea_1  | [Macaron] 2019-05-10 19:48:13: Started GET /api/v1/users/<user>/tokens for 172.26.0.2
gitea_1  | [Macaron] 2019-05-10 19:48:13: Completed GET /api/v1/users/<user>/tokens 200 OK in 39.309966ms
nginx_1  | 11.111.111.11 - <user> [10/May/2019:19:48:13 +0000] "GET /api/v1/users/<user>/tokens HTTP/1.1" 200 35 "-" "Go-http-client/1.1" "-"
gitea_1  | [Macaron] 2019-05-10 19:48:13: Started GET /api/v1/user for 172.26.0.2
gitea_1  | [Macaron] 2019-05-10 19:48:13: Completed GET /api/v1/user 401 Unauthorized in 318.568µs
nginx_1  | 11.111.111.11 - - [10/May/2019:19:48:13 +0000] "GET /api/v1/user HTTP/1.1" 401 0 "-" "Go-http-client/1.1" "-"
nginx_1  | 11.111.111.11 - - [10/May/2019:19:48:13 +0000] "POST /login HTTP/1.1" 303 0 "https://drone.<server>/login/form" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36" "-"
nginx_1  | 11.111.111.11 - - [10/May/2019:19:48:13 +0000] "GET /login/error?message=Unauthorized HTTP/1.1" 200 786 "https://drone.<server>/login/form" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36" "-"
nginx_1  | 11.111.111.11 - - [10/May/2019:19:48:13 +0000] "GET /api/user HTTP/1.1" 401 27 "https://drone.<server>/login/error?message=Unauthorized" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36" "-"
nginx_1  | 11.111.111.11 - - [10/May/2019:19:48:15 +0000] "GET /serviceworker.js HTTP/1.1" 200 786 "https://drone.<server>/serviceworker.js" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36" "-"