Github OAUTH2 authentication error, no error message


#1

Hello,

I’m having trouble with single-machine drone setup. After I set up everything, I go to ‘http://<my_drone_address>’, get redirected to Github, where I authorize drone application and then I end up in ‘http://<my_drone_address>/login/error?message=’ URL, with “Login Failed.” on the screen.

My configuration:

docker-compose.yml

    version: '2'
    services:
      drone:
        image: drone/drone:1.0.0-rc.5
        ports:
          - "8881:80"
        networks:
          - drone
        volumes:
          - ./drone-data:/var/lib/drone/
          - /var/run/docker.sock:/var/run/docker.sock
        environment:
          DRONE_GITHUB_SERVER: https://github.com/
          DRONE_GITHUB_CLIENT_ID: <github_app_client_id>
          DRONE_GITHUB_CLIENT_SECRET: <github_app_client_secret>
          DRONE_RUNNER_CAPACITY: 2
          DRONE_SERVER_HOST: <my_drone_address>
          DRONE_SERVER_PROTO: http
          DRONE_LOGS_DEBUG: "true"
          DRONE_GIT_ALWAYS_AUTH: "false"
    networks:
      drone:
        driver: bridge

Drone OAUTH2 Github application points to http://<my_drone_address> and http://<my_drone_address>/login. I have also tried to delete and create application again.

Docker-compose logs (there is no valuable information, except maybe "cannot find remote user: ", and I have no idea what it is, since I cannot find that message in the repository):

    Creating network "drone_drone" with driver "bridge"
    Creating drone_drone_1 ... done
    Attaching to drone_drone_1
    drone_1  | {"kind":"trial","level":"debug","msg":"main: license loaded","time":"2019-02-14T22:18:13Z"}
    drone_1  | {"level":"info","msg":"main: starting the local build runner","threads":2,"time":"2019-02-14T22:18:13Z"}
    drone_1  | {"interval":1800000000000,"level":"info","msg":"main: cron schedule enabled","time":"2019-02-14T22:18:13Z"}
    drone_1  | {"acme":false,"host":"178.43.102.36","level":"info","msg":"main: starting the http server","port":":80","proto":"http","time":"2019-02-14T22:18:13Z","url":"http://178.43.102.36"}
    drone_1  | {"arch":"amd64","level":"debug","machine":"2eb833d3ae78","msg":"runner: polling queue","os":"linux","time":"2019-02-14T22:18:13Z"}
    drone_1  | {"arch":"amd64","kernel":"","level":"debug","msg":"manager: request queue item","os":"linux","time":"2019-02-14T22:18:13Z","variant":""}
    drone_1  | {"arch":"amd64","level":"debug","machine":"2eb833d3ae78","msg":"runner: polling queue","os":"linux","time":"2019-02-14T22:18:13Z"}
    drone_1  | {"arch":"amd64","kernel":"","level":"debug","msg":"manager: request queue item","os":"linux","time":"2019-02-14T22:18:13Z","variant":""}
    drone_1  | {"fields.time":"2019-02-14T22:18:23Z","latency":12190,"level":"debug","method":"GET","msg":"","remote":"178.43.102.36:46610","request":"/","request-id":"1HBk6Sq7Tq8XclrJRSgkKEz32lW","time":"2019-02-14T22:18:23Z"}
    drone_1  | {"fields.time":"2019-02-14T22:18:23Z","latency":257681,"level":"debug","method":"GET","msg":"","remote":"178.43.102.36:46610","request":"/css/app.39ba2f4d.css","request-id":"1HBk6VomSbJ9DMBQrLd1U1OJqJ8","time":"2019-02-14T22:18:23Z"}
    drone_1  | {"fields.time":"2019-02-14T22:18:23Z","latency":1021432,"level":"debug","method":"GET","msg":"","remote":"178.43.102.36:46612","request":"/js/app.48b68369.js","request-id":"1HBk6UGSl3VjzWfMxMgWY4EGu1A","time":"2019-02-14T22:18:23Z"}
    drone_1  | {"fields.time":"2019-02-14T22:18:23Z","latency":2644980,"level":"debug","method":"GET","msg":"","remote":"178.43.102.36:46614","request":"/js/chunk-vendors.acff1940.js","request-id":"1HBk6XTxAUJZgW1JH5gpI1jOdGV","time":"2019-02-14T22:18:23Z"}
    drone_1  | {"level":"debug","msg":"api: authentication required","request-id":"1HBk6Tlh4dR74MWh9tiUaJd2jDj","time":"2019-02-14T22:18:23Z"}
    drone_1  | {"level":"debug","msg":"api: guest access","request-id":"1HBk6Tlh4dR74MWh9tiUaJd2jDj","time":"2019-02-14T22:18:23Z"}
    drone_1  | {"fields.time":"2019-02-14T22:18:23Z","latency":132086,"level":"debug","method":"GET","msg":"","remote":"178.43.102.36:46614","request":"/api/user","request-id":"1HBk6Tlh4dR74MWh9tiUaJd2jDj","time":"2019-02-14T22:18:23Z"}
    drone_1  | {"level":"debug","msg":"events: stream opened","request-id":"1HBk6Z0gFbT06F2uxrZP5lHW0zZ","time":"2019-02-14T22:18:24Z"}
    drone_1  | {"fields.time":"2019-02-14T22:18:24Z","latency":64343,"level":"debug","method":"GET","msg":"","remote":"178.43.102.36:46612","request":"/favicon.png","request-id":"1HBk6bryukex3U3l2MEhnlCDZag","time":"2019-02-14T22:18:24Z"}
    drone_1  | {"fields.time":"2019-02-14T22:18:24Z","latency":66783,"level":"debug","method":"GET","msg":"","remote":"178.43.102.36:46612","request":"/login","request-id":"1HBk6g0Tg5xdUAwz9ZOp6BCB3oz","time":"2019-02-14T22:18:24Z"}
    drone_1  | {"level":"debug","msg":"events: stream cancelled","request-id":"1HBk6Z0gFbT06F2uxrZP5lHW0zZ","time":"2019-02-14T22:18:24Z"}
    drone_1  | {"level":"debug","msg":"events: stream closed","request-id":"1HBk6Z0gFbT06F2uxrZP5lHW0zZ","time":"2019-02-14T22:18:24Z"}
    drone_1  | {"level":"debug","msg":"api: guest access","request-id":"1HBk6Z0gFbT06F2uxrZP5lHW0zZ","time":"2019-02-14T22:18:24Z"}
    drone_1  | {"fields.time":"2019-02-14T22:18:24Z","latency":497173822,"level":"debug","method":"GET","msg":"","remote":"178.43.102.36:46614","request":"/api/stream","request-id":"1HBk6Z0gFbT06F2uxrZP5lHW0zZ","time":"2019-02-14T22:18:24Z"}
    drone_1  | {"level":"debug","msg":"cannot find remote user: ","time":"2019-02-14T22:18:32Z"}
    drone_1  | {"fields.time":"2019-02-14T22:18:32Z","latency":5607075366,"level":"debug","method":"GET","msg":"","remote":"178.43.102.36:46612","request":"/login?code=5154c649ddc19a1f64ff\u0026state=4d65822107fcfd52","request-id":"1HBk6y23t3iXA3Q0sRTt9zZxhps","time":"2019-02-14T22:18:32Z"}
    drone_1  | {"fields.time":"2019-02-14T22:18:32Z","latency":16551,"level":"debug","method":"GET","msg":"","remote":"178.43.102.36:46612","request":"/login/error?message=","request-id":"1HBk7fV4wQxQLf4ifmNqYvz0r6K","time":"2019-02-14T22:18:32Z"}
    drone_1  | {"level":"debug","msg":"api: authentication required","request-id":"1HBk7ZpSfXKxexF7xKP4swFoo29","time":"2019-02-14T22:18:32Z"}
    drone_1  | {"level":"debug","msg":"api: guest access","request-id":"1HBk7ZpSfXKxexF7xKP4swFoo29","time":"2019-02-14T22:18:32Z"}
    drone_1  | {"fields.time":"2019-02-14T22:18:32Z","latency":73903,"level":"debug","method":"GET","msg":"","remote":"178.43.102.36:46612","request":"/api/user","request-id":"1HBk7ZpSfXKxexF7xKP4swFoo29","time":"2019-02-14T22:18:32Z"}
    drone_1  | {"level":"debug","msg":"events: stream opened","request-id":"1HBk7nAhUTDazsSNWcyzcwYhUFO","time":"2019-02-14T22:18:33Z"}

I’ve spent 2 days on this issue, tried different configuration but still no luck. Any help will be appreciated. Thanks.
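
An added example, not part of the original thread or of Drone's code: the "cannot find remote user: " line above has no request-id, so this sketch ties it to the OAuth callback by time window and scrubs the `code` and `state` values before the log is shared. The sample lines are constructed, and reading `latency` as nanoseconds is an assumption.

```python
import json
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample in the shape of the log above; values are made up.
SAMPLE = r'''
drone_1  | {"level":"debug","msg":"api: guest access","request-id":"req-0","time":"2019-01-01T10:00:01Z"}
drone_1  | {"level":"debug","msg":"cannot find remote user: ","time":"2019-01-01T10:00:09Z"}
drone_1  | {"latency":5600000000,"level":"debug","method":"GET","msg":"","request":"/login?code=c0ffee\u0026state=abc123","request-id":"req-1","time":"2019-01-01T10:00:09Z"}
drone_1  | {"latency":16000,"level":"debug","method":"GET","msg":"","request":"/login/error?message=","request-id":"req-2","time":"2019-01-01T10:00:09Z"}
'''
SENSITIVE = {"code", "state"}  # OAuth callback parameters to scrub

def parse(text):
    """Return the JSON records found on 'container | {json}' lines."""
    records = []
    for line in text.splitlines():
        try:
            rec = json.loads(line.partition("| ")[2])
            rec["when"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError, TypeError):
            continue  # status lines, blanks, records without a timestamp
        records.append(rec)
    return records

def redact(request):
    """Replace OAuth query values so the line can be pasted in public."""
    parts = urlsplit(request)
    query = [(k, "REDACTED" if k in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts._replace(query=urlencode(query)).geturl()

def triage(text):
    """Pair each OAuth callback with its outcome and in-flight untagged lines."""
    records, findings = parse(text), []
    for i, rec in enumerate(records):
        if not rec.get("request", "").startswith("/login?"):
            continue
        end = rec["when"]
        # Assumption: 'latency' is nanoseconds; timestamps have 1 s resolution.
        start = end - timedelta(seconds=rec.get("latency", 0) / 1e9 + 1)
        nxt = next((r["request"] for r in records[i + 1:] if "request" in r), "")
        findings.append({
            "callback": redact(rec["request"]),
            "failed": nxt.startswith("/login/error"),
            "untagged": [r["msg"] for r in records if "request-id" not in r
                         and r.get("msg") and start <= r["when"] <= end],
        })
    return findings
```
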


#2

I would need to see the value of <my_drone_address> and I would need to know the full callback url that you have entered into GitHub.


#3

my_drone_address is 178.43.102.36:8881
full callback url is http://178.43.102.36:8881/login
DRONE_SERVER_HOST is 178.43.102.36 (made mistake when I obfuscated the IP)

The issue seems partially solved because it works just fine when I run Drone with docker command:

    docker run \
      --volume=/var/run/docker.sock:/var/run/docker.sock \
      --volume=/var/lib/drone:/data \
      --env=DRONE_GITHUB_SERVER=https://github.com \
      --env=DRONE_GITHUB_CLIENT_ID=<client_id> \
      --env=DRONE_GITHUB_CLIENT_SECRET=<client_secret> \
      --env=DRONE_RUNNER_CAPACITY=2 \
      --env=DRONE_SERVER_HOST=178.43.102.36 \
      --env=DRONE_SERVER_PROTO=http \
      --publish=8881:80 \
      --name=drone \
      drone/drone:1.0.0-rc.5

However, it does not work with docker-compose, when same configuration is applied.


#4

one thing that jumps out is that you should include the port in DRONE_SERVER_HOST:

-DRONE_SERVER_HOST=178.43.102.36
+DRONE_SERVER_HOST=178.43.102.36:8881

I’m not sure if this impacts authorization. Also keep an eye on the browser redirect url coming from github, which might include some additional error details.


#5

Hi.
Is there any update on this? I have the same problem and considered adding the port too, but it didn’t help.

Could it be an http issue, being considered insecure? @bradrydzewski


#6

From the logs I have

    {
      "acme": true,
      "host": "[my-server]:80",
      "level": "info",
      "msg": "main: starting the http server",
      "port": ":443",
      "proto": "https",
      "time": "2019-02-27T22:32:57Z",
      "url": "https://[my-server]:80"
    }

even though I pass

        - name: DRONE_SERVER_PROTO
          value: http

so looks like it doesn’t care about that DRONE_SERVER_PROTO

@bradrydzewski


#7

> so looks like it doesn’t care about that DRONE_SERVER_PROTO

It would appear you have DRONE_TLS_AUTOCERT=true enabled in which case this is the expected behavior. When you enable this variable you are enabling Let’s Encrypt which enforces https, and therefore ignores DRONE_SERVER_PROTO.


#8

thanks @bradrydzewski
I removed DRONE_TLS_AUTOCERT=true but still have login issue.

I see github is called and then github redirects to drone with something like this:

    http://[my-service]/login?code=[code]&state=[state]

but after that I am being redirected to

    http://[my-server]/login/error?message=:


#9

are you a former colleague of davidbyttow? I believe we worked through this same issue and found that it had something to do with a security proxy that was in place.

this was a snippet from our conversation:

> Go-login worked, I was able to get the access token when I added the authorization header to bypass our security proxy.

I believe he had to manually patch the source code, but I’m not sure.


#10

yes. :slight_smile:
thanks; will check further.


#11

@mamanagha did you ever get it figured out? David and I had pretty extensive communications in private messages, so I can try to look back through the chat history to understand the changes he might have made.


#12

yes we had internal documentation and the images that needed to be used.

on a separate note how do you compare drone with kNative-build?

thanks @bradrydzewski


#13

my limited understanding of knative build is that it is a low-level primitive used to build and publish images. You could integrate knative-build into an existing CI system. Or you could build a new CI system on top of knative-build. You would need to create the user interface, webhook handlers, cloning logic, permissions, etc. From their docs:

> [1] Knative build does not provide a complete standalone CI/CD solution, it does however, provide a lower-level building block that was purposefully designed to enable integration and utilization in larger systems.

Drone does not use knative-build directly because we already have our own pipeline runner. In addition we need to support more general purpose use cases such as packages and libraries (ex. build and publish to npm), android apps, ios apps, etc.


#14

@mamanagha it would be great to sync at some point to understand the changes David made so we can merge upstream. You are probably already stuck with an outdated release candidate with no path to take advantage of fixes and features :frowning: … I would be happy to help!