Drone doesn't implement Gitlab OAuth2 token refresh and causes 404 and code change webhook fails

We are also having this issue. We need to always relogin with the gitlab drone application user.

I finally found a solution for it.
Since I am fresh to Go and I just made some changes to make GitLab work without testing on others, I didn’t create a PR for the project.
A pre-built image with the fix can be found at gluxhappy/drone-server-gitlab. If you have any (security) concerns, you can build your own from scripts at gluxhappy/drone-gitlab.

That is not enough, some changes in the go-scm module also need to be made (see my reply below).

Could you please explain those changes? Do they fix the error message I mentioned and if so, how?

As you can see from the GitHub repo I mentioned in the previous reply, besides the same change in the PR for the drone main repo, some additional changes are also needed in the go-scm repo, which is a sub-module of the main drone-server project. The change in that repo is to add client_id and client_secret parameters when requesting a token refresh. This is documented in the GitLab documentation but does not seem to be the standard way of OAuth2. That’s why I didn’t create a PR for the go-scm repo, since this change could break the refresh of other platforms.

GITLAB_OAuth_Flow
RFC_6749_TOKEN_REFRESH

1 Like
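The two ways of authenticating the client on a refresh request that the post above contrasts, as an added example (not go-scm or Drone code): credentials as form parameters, and HTTP Basic client authentication per RFC 6749 section 2.3.1. The function names, host, client ID, secret and refresh token are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// refreshRequest builds an OAuth2 refresh_token request (RFC 6749 section 6).
// inBody=true sends client_id/client_secret as form parameters; inBody=false
// sends them in an HTTP Basic header, form-encoded first as the RFC requires.
func refreshRequest(tokenURL, clientID, clientSecret, refreshToken string, inBody bool) (*http.Request, error) {
	form := url.Values{}
	form.Set("grant_type", "refresh_token")
	form.Set("refresh_token", refreshToken)
	if inBody {
		form.Set("client_id", clientID)
		form.Set("client_secret", clientSecret)
	}
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if !inBody {
		req.SetBasicAuth(url.QueryEscape(clientID), url.QueryEscape(clientSecret))
	}
	return req, nil
}

// clientCredentials reads the client authentication the way a token endpoint
// would, and reports where it was carried ("basic" or "body").
func clientCredentials(r *http.Request) (id, secret, where string) {
	if u, p, ok := r.BasicAuth(); ok {
		id, _ = url.QueryUnescape(u)
		secret, _ = url.QueryUnescape(p)
		return id, secret, "basic"
	}
	return r.PostFormValue("client_id"), r.PostFormValue("client_secret"), "body"
}

func main() {
	for _, inBody := range []bool{false, true} {
		// Constructed values; gitlab.example.com is a placeholder host.
		req, _ := refreshRequest("https://gitlab.example.com/oauth/token", "drone-app-id", "s3cr+t/&=", "constructed-refresh-token", inBody)
		id, _, where := clientCredentials(req)
		fmt.Printf("client %q authenticated via %s\n", id, where)
	}
}
```

Either form puts the client secret on the wire, so request bodies and Authorization headers for the token endpoint should be kept out of debug logs.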

Attention

Please use DRONE_GIT_USERNAME and DRONE_GIT_PASSWORD to avoid a token refresh issue caused by Force Token Refresh.

The DRONE_GIT_USERNAME should be a user’s name and DRONE_GIT_PASSWORD should be a Personal Access Token with a long expiration time. The access token should have been granted at least read access to all repositories you want to build via Drone.

1 Like

Same here.

I use gitlab 15.0 and drone 2.12.0.

I followed the doc from official drone website. GitLab | Drone

I think it’s a little weird if we use the personal account as the env for DRONE_GIT_USERNAME and DRONE_GIT_PASSWORD.

Thanks to @gluxhappy

I tried the method you provided at #11. It doesn’t work for me. I really don’t know why.

But I downgraded from 15.0 to 14.10.3 successfully.

It came back to normal now for me.

Hope this issue will be fixed in the future.

Thanks

We have rebuilt Drone with the go-scm change you proposed. Sadly, it doesn’t seem to change anything, some builds still randomly fail with the fatal: could not read Username for 'https://gitlab.com': terminal prompts disabled error.

We face the same issue.
Is there any solution for this?

As a hacky fix, if you have people logging in a lot it should work for longer, as the tokens get renewed when you log in.

It seems to work!! Thanks!! https://github.com/gluxhappy/drone-gitlab

Looks like the latest release fixed the issue.

I’m not sure that it does. As I have mentioned, we have tried the change in that PR and it seems to fix authentication timeout in Drone web UI and webhooks not arriving, but we still kept getting intermittent build failures with another error.

What did fully fix it is using DRONE_GIT_USERNAME and DRONE_GIT_PASSWORD with a personal token as suggested in this thread. (The additional change to go-scm, however, didn’t help, we tried it too.) Still, it’s better than nothing. Perhaps now that the PR is merged, more people will get the same clone step error we did, report it, and prompt another fix :slight_smile:

I confirmed that the latest drone 2.12.1 fixed the issue.

Gitlab 15.0.2

I didn’t use extra settings for my drone and kept the original settings.

Tried the latest drone 2.12.1 and it fixed the OAuth2 token refresh issue,
but I got a new issue when doing multi pipeline with a clone step on every pipeline.

Is your issue related to multi pipeline?
Because when it's multi pipeline with only one clone step, it works.

In my case, it doesn't make the job fail. In the drone UI, it will be stuck with forever loading on the next pipeline.

log from drone:

WARN[7691] manager: cannot generate netrc.  error="The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."

Every time a pipeline starts, the go-scm does a force refresh of the OAuth token, which causes the existing token to expire immediately, even if the expired one was refreshed half a second ago (multi pipeline). The token will then be distributed to the agent for code cloning and will not be updated any more.

Please use the Personal Access token for code clone.

@phiexz Please check my latest reply for the issue of multiple pipelines getting stuck.

Thanks @gluxhappy, using DRONE_GIT_USERNAME fixes the multiple pipeline issue :+1:

Thanks @gluxhappy

Yeah, you are right. I faced the same issue as @phiexz

However, I’ve used the drone_git_username and drone_git_password, I can’t enable a new drone repo anymore.

How could we solve this issue?

Thanks.