Login Failed. unauthorized_client: client is not authorized

Hi there,

I’m now having issues trying to get my Drone installation to use Oauth2 using the latest gitea docker image, and using drone version drone/drone:1.3.1. I’ve created the application and callback in gitea, and created new variables in the docker image for client_id & client_secret.

When logging into drone for the first time, I’m sent to my gitea installation to accept the connection and once I’ve enabled it, I’m redirected to drone with the message of unauthorized_client.

I’ve checked forums repeatedly but not managed to get anything that works yet, Any help would be appreciated

I’m currently experiencing the same issue. I’ll update here if I find a solution.

I put Drone into debug mode and got these logs:

time="2019-09-18T01:50:30Z" level=debug msg="events: stream opened" request-id=1QzRRb9why2mWZxys44pdMZk7JT
time="2019-09-18T01:50:30Z" level=debug msg="events: stream error" request-id=1QzRRb9why2mWZxys44pdMZk7JT
time="2019-09-18T01:50:30Z" level=debug msg="events: stream closed" request-id=1QzRRb9why2mWZxys44pdMZk7JT
time="2019-09-18T01:50:30Z" level=debug msg="api: guest access" request-id=1QzRRb9why2mWZxys44pdMZk7JT
time="2019-09-18T01:50:30Z" level=debug fields.time="2019-09-18T01:50:30Z" latency=273.24277ms method=GET remote="<<ip>>:<<port>>" request=/api/stream request-id=1QzRRb9why2mWZxys44pdMZk7JT
time="2019-09-18T01:50:34Z" level=error msg="oauth: cannot exchange code: XP53O3IH4378GtaP_r5-ngzPYj3HcFTQdxbqwkoJGQ0=: unauthorized_client: client is not authorized"
time="2019-09-18T01:50:34Z" level=debug msg="cannot authenticate user: unauthorized_client: client is not authorized"

All of these keys and IDs and whatnot won’t be relevant by the time this is posted so I don’t view them as a security risk. That key it can’t exchange isn’t anything I’ve specified, so I’m guessing it’s something else generated during the oAuth sequence. I know Gitea has recently changed how it does some oAuth stuff. Wondering if this is a straight-up bug in Drone.

Have you looked at your Gitea logs to get more information?

Gitea oauth2 was contributed by a Gitea maintainer and was confirmed working back in May. There have been no changes to auth since.

cc @techknowlogick

Nothing useful in my Gitea logs, but I did manage to verify that the error code is coming from Gitea:

Continuing to investigate.

Success! It turned out that my client secret had an equals sign at the end, and the parser I was using to read it in was stripping that last equals. When the secret was passed back to Gitea, it didn’t match and I got the unauthorized_client error.

@bajmhunter Check your DRONE_GITEA_CLIENT_ID and DRONE_GITEA_CLIENT_SECRET values being passed to the Drone Docker instance. Ensure that they exactly match what’s in your Gitea control panel for the Drone application.

1 Like