Log in with GitLab fails - Fail to callback authentication with 'gitlab'

Matt_Byrne · November 5, 2024, 10:12am

Sonar Version: 10.6.0
Deployed with : Helm

Our Sonarqube instance is configured to have authentication via GitLab as specified here

Since the 4th November we’ve seen failures in the logs when trying to log in with GitLab.

2024.11.05 09:39:02 WARN  web[aa668e81-7137-4466-abce-5dc1ee0be593][o.s.s.a.AuthenticationError] Fail to callback authentication with 'gitlab'
java.lang.IllegalStateException: Fail to execute request 'https://gitlab.com/api/v4/groups?min_access_level=10&per_page=100'. HTTP code: 500, response: {"message":"500 Internal Server Error"}
	at org.sonar.auth.OAuthRestClient.unexpectedResponseCode(OAuthRestClient.java:103)
	at org.sonar.auth.OAuthRestClient.executeRequest(OAuthRestClient.java:54)
	at org.sonar.auth.OAuthRestClient.readPage(OAuthRestClient.java:77)
	at org.sonar.auth.OAuthRestClient.executePaginatedRequest(OAuthRestClient.java:67)
	at org.sonar.auth.gitlab.GitLabRestClient.getGroups(GitLabRestClient.java:47)
	at org.sonar.auth.gitlab.GitLabIdentityProvider.getGroups(GitLabIdentityProvider.java:155)
	at org.sonar.auth.gitlab.GitLabIdentityProvider.onCallback(GitLabIdentityProvider.java:129)
	at org.sonar.auth.gitlab.GitLabIdentityProvider.callback(GitLabIdentityProvider.java:107)
	at org.sonar.server.authentication.OAuth2CallbackFilter.handleOAuth2Provider(OAuth2CallbackFilter.java:87)
	at org.sonar.server.authentication.OAuth2CallbackFilter.handleProvider(OAuth2CallbackFilter.java:70)
	at org.sonar.server.authentication.OAuth2CallbackFilter.doFilter(OAuth2CallbackFilter.java:63)
	at org.sonar.server.platform.web.MasterServletFilter$JavaxFilterAdapter.doFilter(MasterServletFilter.java:227)
	at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:198)
	at org.sonar.server.platform.web.MasterServletFilter$HttpFilterChainAdapter.doFilter(MasterServletFilter.java:241)
	at org.sonar.server.authentication.DefaultAdminCredentialsVerifierFilter.doFilter(DefaultAdminCredentialsVerifierFilter.java:83)
	at org.sonar.server.platform.web.MasterServletFilter$JavaxFilterAdapter.doFilter(MasterServletFilter.java:227)
	at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:198)
	at org.sonar.server.platform.web.MasterServletFilter.doFilter(MasterServletFilter.java:146)
	at jdk.internal.reflect.GeneratedMethodAccessor27.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)
	at java.base/java.security.AccessController.doPrivileged(Unknown Source)
	at java.base/javax.security.auth.Subject.doAsPrivileged(Unknown Source)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:177)
	at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:138)
	at java.base/java.security.AccessController.doPrivileged(Unknown Source)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:137)
	at org.sonar.server.platform.web.UserSessionFilter.doFilter(UserSessionFilter.java:83)
	at org.sonar.server.platform.web.UserSessionFilter.doFilter(UserSessionFilter.java:70)
	at jdk.internal.reflect.GeneratedMethodAccessor27.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)
	at java.base/java.security.AccessController.doPrivileged(Unknown Source)
	at java.base/javax.security.auth.Subject.doAsPrivileged(Unknown Source)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:177)
	at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:138)
	at java.base/java.security.AccessController.doPrivileged(Unknown Source)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:137)
	at org.sonar.server.platform.web.CrossOriginFilter.doFilter(CrossOriginFilter.java:51)
	at jdk.internal.reflect.GeneratedMethodAccessor27.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)
	at java.base/java.security.AccessController.doPrivileged(Unknown Source)
	at java.base/javax.security.auth.Subject.doAsPrivileged(Unknown Source)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:177)
	at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:138)
	at java.base/java.security.AccessController.doPrivileged(Unknown Source)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:137)
	at org.sonar.server.platform.web.CspFilter.doFilter(CspFilter.java:64)
	at jdk.internal.reflect.GeneratedMethodAccessor27.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)
	at java.base/java.security.AccessController.doPrivileged(Unknown Source)
	at java.base/javax.security.auth.Subject.doAsPrivileged(Unknown Source)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:177)
	at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:138)
	at java.base/java.security.AccessController.doPrivileged(Unknown Source)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:137)
	at org.sonar.server.platform.web.CacheControlFilter.doFilter(CacheControlFilter.java:76)
	at jdk.internal.reflect.GeneratedMethodAccessor27.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)
	at java.base/java.security.AccessController.doPrivileged(Unknown Source)
	at java.base/javax.security.auth.Subject.doAsPrivileged(Unknown Source)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:177)
	at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:138)
	at java.base/java.security.AccessController.doPrivileged(Unknown Source)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:137)
	at org.sonar.server.platform.web.SecurityServletFilter.doHttpFilter(SecurityServletFilter.java:60)
	at org.sonar.server.platform.web.SecurityServletFilter.doFilter(SecurityServletFilter.java:47)
	at jdk.internal.reflect.GeneratedMethodAccessor27.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)
	at java.base/java.security.AccessController.doPrivileged(Unknown Source)
	at java.base/javax.security.auth.Subject.doAsPrivileged(Unknown Source)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:177)
	at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:138)
	at java.base/java.security.AccessController.doPrivileged(Unknown Source)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:137)
	at org.sonar.server.platform.web.RedirectFilter.doFilter(RedirectFilter.java:56)
	at jdk.internal.reflect.GeneratedMethodAccessor27.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)
	at java.base/java.security.AccessController.doPrivileged(Unknown Source)
	at java.base/javax.security.auth.Subject.doAsPrivileged(Unknown Source)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:177)
	at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:138)
	at java.base/java.security.AccessController.doPrivileged(Unknown Source)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:137)
	at org.sonar.server.platform.web.EndpointPathFilter.doFilter(EndpointPathFilter.java:47)
	at jdk.internal.reflect.GeneratedMethodAccessor27.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)
	at java.base/java.security.AccessController.doPrivileged(Unknown Source)
	at java.base/javax.security.auth.Subject.doAsPrivileged(Unknown Source)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:177)
	at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:138)
	at java.base/java.security.AccessController.doPrivileged(Unknown Source)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:137)
	at org.sonar.server.platform.web.RequestIdFilter.doFilter(RequestIdFilter.java:66)
	at jdk.internal.reflect.GeneratedMethodAccessor27.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)
	at java.base/java.security.AccessController.doPrivileged(Unknown Source)
	at java.base/javax.security.auth.Subject.doAsPrivileged(Unknown Source)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:177)
	at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:138)
	at java.base/java.security.AccessController.doPrivileged(Unknown Source)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:137)
	at org.sonar.server.platform.web.RootFilter.doFilter(RootFilter.java:65)
	at jdk.internal.reflect.GeneratedMethodAccessor27.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)
	at java.base/java.security.AccessController.doPrivileged(Unknown Source)
	at java.base/javax.security.auth.Subject.doAsPrivileged(Unknown Source)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:177)
	at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:138)
	at java.base/java.security.AccessController.doPrivileged(Unknown Source)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:137)
	at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:115)
	at jdk.internal.reflect.GeneratedMethodAccessor27.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUtil.java:222)
	at java.base/java.security.AccessController.doPrivileged(Unknown Source)
	at java.base/javax.security.auth.Subject.doAsPrivileged(Unknown Source)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:250)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:177)
	at org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(ApplicationFilterChain.java:138)
	at java.base/java.security.AccessController.doPrivileged(Unknown Source)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:137)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
	at ch.qos.logback.access.tomcat.LogbackValve.invoke(LogbackValve.java:267)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1786)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
	at java.base/java.lang.Thread.run(Unknown Source)

Is anyone else seeing this?

https://gitlab.com/api/v4/groups?min_access_level=10&per_page=100 returns 500 internal server errors when queried (when authenticated). Not sure why sonar is trying to return all gitlab groups on auth?? Should this be limited to the group id of your gitlab org?

Cheers

tillwiese_lw · November 5, 2024, 2:15pm

So we’re not the only ones. I’ve been trying to fix that without success. Neither recreating the OAuth app on Gitlab side nor reconfiguring the Gitlab auth on SQ side had any effect.

ganncamp · November 5, 2024, 5:38pm

Hi,

This is a 500 error coming from GitLab. Did you check your GitLab logs? Or are you using GitLab.com? Have you checked with them?

Ann

ganncamp · November 5, 2024, 5:39pm

Hi again,

We just checked the GitLab status page. They’re reporting an active incident.

HTH,
Ann

Matt_Byrne · November 7, 2024, 9:20pm

This was a gitlab issue after a postgres upgrade. They’ve fixed it now.