GitLab Authentication with Group synchronization fails when User is member of many groups

  • Community Edition Version 10.3 (build 82913)
  • Deployed via official Helm chart
  • GitLab Auth integration with group sync
  • Authentication fails when a User is a member of a large number of GitLab groups (>1000)

Logs, SonarQube:

|2024-04-09 12:26:33.909|2024.04.09 10:26:33 INFO ce[][o.s.c.t.CeWorkerImpl] Execute task | project=powerbid-wa-gasnomination | type=REPORT | id=AY7CZSW3oYr_xqDE_E1y | submitter=admin||
| --- | --- | --- | --- | --- | --- | --- |
|||2024-04-09 12:26:13.350|at java.base/java.lang.Thread.run(Unknown Source)||
|||2024-04-09 12:26:13.350|at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)||
|||2024-04-09 12:26:13.350|at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)||
|||2024-04-09 12:26:13.350|at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)||
|||2024-04-09 12:26:13.350|at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)||
|||2024-04-09 12:26:13.350|at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1794)||
|||2024-04-09 12:26:13.350|at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928)||
|||2024-04-09 12:26:13.350|at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)||
|||2024-04-09 12:26:13.350|at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)||
|||2024-04-09 12:26:13.350|at ch.qos.logback.access.tomcat.LogbackValve.invoke(LogbackValve.java:267)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:136)||
|||2024-04-09 12:26:13.350|at java.base/java.security.AccessController.doPrivileged(Unknown Source)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:137)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:176)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:202)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)||
|||2024-04-09 12:26:13.350|at java.base/javax.security.auth.Subject.doAsPrivileged(Unknown Source)||
|||2024-04-09 12:26:13.350|at java.base/java.security.AccessController.doPrivileged(Unknown Source)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)||
|||2024-04-09 12:26:13.350|at java.base/java.lang.reflect.Method.invoke(Unknown Source)||
|||2024-04-09 12:26:13.350|at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)||
|||2024-04-09 12:26:13.350|at jdk.internal.reflect.GeneratedMethodAccessor66.invoke(Unknown Source)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:115)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:136)||
|||2024-04-09 12:26:13.350|at java.base/java.security.AccessController.doPrivileged(Unknown Source)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:137)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:176)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:202)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)||
|||2024-04-09 12:26:13.350|at java.base/javax.security.auth.Subject.doAsPrivileged(Unknown Source)||
|||2024-04-09 12:26:13.350|at java.base/java.security.AccessController.doPrivileged(Unknown Source)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)||
|||2024-04-09 12:26:13.350|at java.base/java.lang.reflect.Method.invoke(Unknown Source)||
|||2024-04-09 12:26:13.350|at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)||
|||2024-04-09 12:26:13.350|at jdk.internal.reflect.GeneratedMethodAccessor66.invoke(Unknown Source)||
|||2024-04-09 12:26:13.350|at org.sonar.server.platform.web.RootFilter.doFilter(RootFilter.java:65)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:136)||
|||2024-04-09 12:26:13.350|at java.base/java.security.AccessController.doPrivileged(Unknown Source)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:137)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:176)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:202)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)||
|||2024-04-09 12:26:13.350|at java.base/javax.security.auth.Subject.doAsPrivileged(Unknown Source)||
|||2024-04-09 12:26:13.350|at java.base/java.security.AccessController.doPrivileged(Unknown Source)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)||
|||2024-04-09 12:26:13.350|at java.base/java.lang.reflect.Method.invoke(Unknown Source)||
|||2024-04-09 12:26:13.350|at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)||
|||2024-04-09 12:26:13.350|at jdk.internal.reflect.GeneratedMethodAccessor66.invoke(Unknown Source)||
|||2024-04-09 12:26:13.350|at org.sonar.server.platform.web.RequestIdFilter.doFilter(RequestIdFilter.java:66)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:136)||
|||2024-04-09 12:26:13.350|at java.base/java.security.AccessController.doPrivileged(Unknown Source)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:137)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:176)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:202)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)||
|||2024-04-09 12:26:13.350|at java.base/javax.security.auth.Subject.doAsPrivileged(Unknown Source)||
|||2024-04-09 12:26:13.350|at java.base/java.security.AccessController.doPrivileged(Unknown Source)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)||
|||2024-04-09 12:26:13.350|at java.base/java.lang.reflect.Method.invoke(Unknown Source)||
|||2024-04-09 12:26:13.350|at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)||
|||2024-04-09 12:26:13.350|at jdk.internal.reflect.GeneratedMethodAccessor66.invoke(Unknown Source)||
|||2024-04-09 12:26:13.350|at org.sonar.server.platform.web.RedirectFilter.doFilter(RedirectFilter.java:56)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:136)||
|||2024-04-09 12:26:13.350|at java.base/java.security.AccessController.doPrivileged(Unknown Source)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:137)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:176)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:202)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)||
|||2024-04-09 12:26:13.350|at java.base/javax.security.auth.Subject.doAsPrivileged(Unknown Source)||
|||2024-04-09 12:26:13.350|at java.base/java.security.AccessController.doPrivileged(Unknown Source)||
|||2024-04-09 12:26:13.350|at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)||
|||2024-04-09 12:26:13.349|at java.base/java.lang.reflect.Method.invoke(Unknown Source)||
|||2024-04-09 12:26:13.349|at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)||
|||2024-04-09 12:26:13.349|at jdk.internal.reflect.GeneratedMethodAccessor66.invoke(Unknown Source)||
|||2024-04-09 12:26:13.349|at org.sonar.server.platform.web.SecurityServletFilter.doFilter(SecurityServletFilter.java:47)||
|||2024-04-09 12:26:13.349|at org.sonar.server.platform.web.SecurityServletFilter.doHttpFilter(SecurityServletFilter.java:60)||
|||2024-04-09 12:26:13.349|at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:136)||
|||2024-04-09 12:26:13.349|at java.base/java.security.AccessController.doPrivileged(Unknown Source)||
|||2024-04-09 12:26:13.349|at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:137)||
|||2024-04-09 12:26:13.349|at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:176)||
|||2024-04-09 12:26:13.349|at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:202)||
|||2024-04-09 12:26:13.349|at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)||
|||2024-04-09 12:26:13.349|at java.base/javax.security.auth.Subject.doAsPrivileged(Unknown Source)||
|||2024-04-09 12:26:13.349|at java.base/java.security.AccessController.doPrivileged(Unknown Source)||
|||2024-04-09 12:26:13.349|at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)||
|||2024-04-09 12:26:13.349|at java.base/java.lang.reflect.Method.invoke(Unknown Source)||
|||2024-04-09 12:26:13.349|at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)||
|||2024-04-09 12:26:13.349|at jdk.internal.reflect.GeneratedMethodAccessor66.invoke(Unknown Source)||
|||2024-04-09 12:26:13.349|at org.sonar.server.platform.web.CacheControlFilter.doFilter(CacheControlFilter.java:76)||
|||2024-04-09 12:26:13.349|at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:136)||
|||2024-04-09 12:26:13.349|at java.base/java.security.AccessController.doPrivileged(Unknown Source)||
|||2024-04-09 12:26:13.349|at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:137)||
|||2024-04-09 12:26:13.349|at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:176)||
|||2024-04-09 12:26:13.349|at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:202)||
|||2024-04-09 12:26:13.349|at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)||
|||2024-04-09 12:26:13.349|at java.base/javax.security.auth.Subject.doAsPrivileged(Unknown Source)||
|||2024-04-09 12:26:13.349|at java.base/java.security.AccessController.doPrivileged(Unknown Source)||
|||2024-04-09 12:26:13.349|at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)||
|||2024-04-09 12:26:13.349|at java.base/java.lang.reflect.Method.invoke(Unknown Source)||
|||2024-04-09 12:26:13.349|at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)||
|||2024-04-09 12:26:13.349|at jdk.internal.reflect.GeneratedMethodAccessor66.invoke(Unknown Source)||
|||2024-04-09 12:26:13.349|at org.sonar.server.platform.web.CspFilter.doFilter(CspFilter.java:63)||
|||2024-04-09 12:26:13.349|at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:136)||
|||2024-04-09 12:26:13.349|at java.base/java.security.AccessController.doPrivileged(Unknown Source)||
|||2024-04-09 12:26:13.349|at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:137)||
|||2024-04-09 12:26:13.349|at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:176)||
|||2024-04-09 12:26:13.349|at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:202)||
|||2024-04-09 12:26:13.349|at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)||
|||2024-04-09 12:26:13.349|at java.base/javax.security.auth.Subject.doAsPrivileged(Unknown Source)||
|||2024-04-09 12:26:13.349|at java.base/java.security.AccessController.doPrivileged(Unknown Source)||
|||2024-04-09 12:26:13.349|at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)||
|||2024-04-09 12:26:13.349|at java.base/java.lang.reflect.Method.invoke(Unknown Source)||
|||2024-04-09 12:26:13.349|at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)||
|||2024-04-09 12:26:13.349|at jdk.internal.reflect.GeneratedMethodAccessor66.invoke(Unknown Source)||
|||2024-04-09 12:26:13.349|at org.sonar.server.platform.web.UserSessionFilter.doFilter(UserSessionFilter.java:70)||
|||2024-04-09 12:26:13.349|at org.sonar.server.platform.web.UserSessionFilter.doFilter(UserSessionFilter.java:83)||
|||2024-04-09 12:26:13.349|at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:136)||
|||2024-04-09 12:26:13.349|at java.base/java.security.AccessController.doPrivileged(Unknown Source)||
|||2024-04-09 12:26:13.349|at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:137)||
|||2024-04-09 12:26:13.349|at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:176)||
|||2024-04-09 12:26:13.349|at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:202)||
|||2024-04-09 12:26:13.349|at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)||
|||2024-04-09 12:26:13.349|at java.base/javax.security.auth.Subject.doAsPrivileged(Unknown Source)||
|||2024-04-09 12:26:13.349|at java.base/java.security.AccessController.doPrivileged(Unknown Source)||
|||2024-04-09 12:26:13.349|at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)||
|||2024-04-09 12:26:13.349|at java.base/java.lang.reflect.Method.invoke(Unknown Source)||
|||2024-04-09 12:26:13.349|at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)||
|||2024-04-09 12:26:13.349|at jdk.internal.reflect.GeneratedMethodAccessor66.invoke(Unknown Source)||
|||2024-04-09 12:26:13.349|at org.sonar.server.platform.web.MasterServletFilter.doFilter(MasterServletFilter.java:146)||
|||2024-04-09 12:26:13.349|at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:198)||
|||2024-04-09 12:26:13.349|at org.sonar.server.platform.web.MasterServletFilter$JavaxFilterAdapter.doFilter(MasterServletFilter.java:227)||
|||2024-04-09 12:26:13.349|at org.sonar.server.authentication.DefaultAdminCredentialsVerifierFilter.doFilter(DefaultAdminCredentialsVerifierFilter.java:83)||
|||2024-04-09 12:26:13.349|at org.sonar.server.platform.web.MasterServletFilter$HttpFilterChainAdapter.doFilter(MasterServletFilter.java:241)||
|||2024-04-09 12:26:13.349|at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:198)||
|||2024-04-09 12:26:13.349|at org.sonar.server.platform.web.MasterServletFilter$JavaxFilterAdapter.doFilter(MasterServletFilter.java:227)||
|||2024-04-09 12:26:13.349|at org.sonar.server.authentication.OAuth2CallbackFilter.doFilter(OAuth2CallbackFilter.java:63)||
|||2024-04-09 12:26:13.349|at org.sonar.server.authentication.OAuth2CallbackFilter.handleProvider(OAuth2CallbackFilter.java:70)||
|||2024-04-09 12:26:13.349|at org.sonar.server.authentication.OAuth2CallbackFilter.handleOAuth2Provider(OAuth2CallbackFilter.java:87)||
|||2024-04-09 12:26:13.349|at org.sonar.auth.gitlab.GitLabIdentityProvider.callback(GitLabIdentityProvider.java:102)||
|||2024-04-09 12:26:13.349|at org.sonar.auth.gitlab.GitLabIdentityProvider.onCallback(GitLabIdentityProvider.java:115)||
|||2024-04-09 12:26:13.349|at com.github.scribejava.core.oauth.OAuth20Service.getAccessToken(OAuth20Service.java:232)||
|||2024-04-09 12:26:13.349|at com.github.scribejava.core.oauth.OAuth20Service.getAccessToken(OAuth20Service.java:237)||
|||2024-04-09 12:26:13.349|at com.github.scribejava.core.oauth.OAuth20Service.sendAccessTokenRequestSync(OAuth20Service.java:157)||
|||2024-04-09 12:26:13.349|at com.github.scribejava.core.extractors.OAuth2AccessTokenJsonExtractor.extract(OAuth2AccessTokenJsonExtractor.java:17)||
|||2024-04-09 12:26:13.349|at com.github.scribejava.core.extractors.OAuth2AccessTokenJsonExtractor.extract(OAuth2AccessTokenJsonExtractor.java:37)||
|||2024-04-09 12:26:13.349|at com.github.scribejava.core.extractors.OAuth2AccessTokenJsonExtractor.generateError(OAuth2AccessTokenJsonExtractor.java:77)||
|||2024-04-09 12:26:13.349|com.github.scribejava.core.model.OAuth2AccessTokenErrorResponse: {"error":"invalid_grant","error_description":"The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."}||
|||2024-04-09 12:26:13.349|2024.04.09 10:26:13 WARN web[AY5VqyU/edQg0neiBKcU][o.s.s.a.AuthenticationError] Fail to callback authentication with 'gitlab'|

Hi Roberto,

Thanks a lot for your report. Could you please elaborate on the statement

  • Authentication fails when a User is a member of a large number of GitLab groups (>1000)

How did you conclude that authentication is failing because of the large number of groups?

Regards,
Nolwenn

The problem was related to a network configuration. Specifically, SonarQube was deployed behind a reverse proxy which had a connection read timeout that was too short. Incrementing the timeout to 10’ solved the issue.

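For reading a trace like the one in the first post, here is an added example (not part of the thread, and not SonarQube code). It puts the newest-first export back in order, drops the servlet-container and reflection frames, and keeps the OAuth error body and the application frames. The function names, the noise-prefix list and the sample rows are assumptions constructed for this example.

```python
import json
import re

# Constructed sample: a few rows in the same pipe-delimited, newest-first
# layout as the log export in the first post (frames and description abridged).
SAMPLE_EXPORT = """\
|||2024-04-09 12:26:13.350|at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:136)||
|||2024-04-09 12:26:13.349|at java.base/java.lang.reflect.Method.invoke(Unknown Source)||
|||2024-04-09 12:26:13.349|at org.sonar.server.authentication.OAuth2CallbackFilter.handleOAuth2Provider(OAuth2CallbackFilter.java:87)||
|||2024-04-09 12:26:13.349|at org.sonar.auth.gitlab.GitLabIdentityProvider.onCallback(GitLabIdentityProvider.java:115)||
|||2024-04-09 12:26:13.349|at com.github.scribejava.core.oauth.OAuth20Service.getAccessToken(OAuth20Service.java:232)||
|||2024-04-09 12:26:13.349|com.github.scribejava.core.model.OAuth2AccessTokenErrorResponse: {"error":"invalid_grant","error_description":"(abridged)"}||
|||2024-04-09 12:26:13.349|2024.04.09 10:26:13 WARN web[AY5VqyU/edQg0neiBKcU][o.s.s.a.AuthenticationError] Fail to callback authentication with 'gitlab'|
"""

# One export row: leading pipes, collector timestamp, message, trailing pipes.
ROW = re.compile(r"^\|*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\|(.*?)\|*$")

# Assumed list of frame prefixes that belong to the JVM, Tomcat or logback
# rather than to the application code being diagnosed.
NOISE = ("java.base/", "jdk.internal.", "org.apache.catalina.",
         "org.apache.tomcat.", "org.apache.coyote.", "ch.qos.logback.")


def messages(export):
    """Return the log messages oldest-first (the export lists the newest row first)."""
    rows = [m.group(2) for m in map(ROW.match, export.splitlines()) if m]
    return rows[::-1]


def triage(export):
    """Summarise one exported trace: OAuth error body plus application frames."""
    error, frames = None, []
    for msg in messages(export):
        if "OAuth2AccessTokenErrorResponse:" in msg:
            # The JSON error body follows the exception class name.
            error = json.loads(msg.split(": ", 1)[1])
        elif msg.startswith("at ") and not msg[3:].startswith(NOISE):
            frames.append(msg[3:])
    return {"error": error, "frames": frames}


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT)
    print(result["error"]["error"])
    for frame in result["frames"]:
        print("  ", frame)
```

On the trace in the first post, the top remaining frame is the token exchange (`OAuth20Service.getAccessToken`), called from `GitLabIdentityProvider.onCallback`.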