Drone doesn't implment Gitlab OAuth2 token refresh and causes 404 and code change webhook fails

Tried latest drone 2.12.1 and its fixed oauth2 token refresh issue.
but got new issue when doing multi pipeline with clone step on every pipeline.

is your issue related to multi pipeline?
becase when its multi pipeline with only one clone step it work.

in my case, its not make the job failure. in drone ui, it will stuck with forever loading on next pipeline.

log from drone:

WARN[7691] manager: cannot generate netrc.  error="The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."

Everytime a pipeline starts, the go-scm does a force refresh of the OAuth token which cause the existing token expried immedentily even the expired one was refresh half a second ago (multi pipeline). The token will then be distributed to agent for code cloning and will not be updated any more.

Please use the Personal Access token for code clone.

@phiexz Please check my lastest reply for the issue of multiple pipeline stucking.

Thanks @gluxhappy , using DRONE_GIT_USERNAME fix multiple pipeline issue :+1:

Thanks @gluxhappy

Yeah, you are right . I faced the same issue with @phiexz

However, I’ve used the drone_git_username and drone_git_password, I can’t enable a new drone repo anymore.

How could we solve this issue?

Thanks.

You need to ensure the drone_git_username and associated personal access token you provided has the permission for code cloning.
Without setting drone_git_username, the drone uses the OAuth token for code cloning. Once you provided this setting, although the drone still using the OAuth token for API interaction(i.e. list projets), the code cloning utilizes the drone_git_username and the token only.

The problems folks are facing is due to a problem with the GitLab refresh token implementation. They actually tried to make the same change back in 2015 and it caused the same issues, and they ended up rolling it back. See my comment in this thread that describes why this is problematic:
https://github.com/harness/drone/issues/855

This GitLab change has impacted many products, including Hashicorp products, meaning this problem is not isolated to Drone. There is already a P1 issue in the GitLab issue tracker that was created a few weeks back. We recommend folks (politely) vote for this issue to be resolved:

2 Likes