[Gitea] oauth: invalid or missing state

Hi,

I can’t get drone to authenticate against my Gitea running on a bare metal Kubernetes cluster (K3S).

Gitea and a MySQL Galera Cluster are running fine and I installed drone via the official helm chart drone/charts. I also followed the doc server/provider/gitea to set up the oauth2 application in Gitea before installing the drone helm chart.

When I access the drone URL in my browser I get forwarded to Gitea, where I accept the access request. Afterwards I get redirected back to drone, which shows the error message “Login Failed. http: named cookie not present” and nothing else. I see the error in the logs but don’t know how to solve it.

Helm chart values.yaml:

podAnnotations:
  prometheus.io/scrape: "true"
  prometheus.io/port: "80"
ingress:
  enabled: true
  annotations:
    traefik.ingress.kubernetes.io/redirect-entry-point: https
  hosts:
    - host: drone.somedomain.com
      paths:
        - "/"
persistentVolume:
  enabled: false
env:
  DRONE_SERVER_HOST: drone.somedomain.com
  DRONE_SERVER_PROTO: https
  DRONE_RPC_SECRET: <Generated via openssl rand -hex 16>
  DRONE_REGISTRATION_CLOSED: true
  DRONE_USER_CREATE: username:someuser,machine:false,admin:true,token:a1b2esometoken3c4d
  DRONE_LOGS_TEXT: true
  DRONE_LOGS_PRETTY: true
  DRONE_LOGS_COLOR: true
  DRONE_LOGS_DEBUG: true
  DRONE_GITEA_CLIENT_ID: <ID generated by Gitea>
  DRONE_GITEA_CLIENT_SECRET: <Secret generated by Gitea>
  DRONE_GITEA_SERVER: https://git.somedomain.com
  DRONE_COOKIE_SECRET: a1b2esomesecret3c4d
  DRONE_PROMETHEUS_ANONYMOUS_ACCESS: true
  DRONE_DATABASE_DRIVER: mysql
  DRONE_DATABASE_DATASOURCE: someuser:<password>@tcp(somedbhost:3306)/drone?parseTime=true

Gitea log excerpt:

[Macaron] 2020-06-03 11:43:09: Started GET /login/oauth/authorize?client_id=<ID matching DRONE_GITEA_CLIENT_ID>&redirect_uri=https%3A%2F%2Fdrone.somedomain.com%2Flogin&response_type=code&state=79d80f8784e7f8e3 for 10.42.1.0
[Macaron] 2020-06-03 11:43:10: Completed GET /login/oauth/authorize?client_id=<ID matching DRONE_GITEA_CLIENT_ID>&redirect_uri=https%3A%2F%2Fdrone.somedomain.com%2Flogin&response_type=code&state=79d80f8784e7f8e3 200 OK in 23.476873ms

Drone log excerpt:

DEBU[0145]                                               fields.time="2020-06-03T09:43:09Z" latency=1.907464ms method=GET remote="10.42.0.155:39130" request=/css/app.835f40e0.css request-id=1cnvtse7FbrYSMaXzlF5FTG8Qpe
DEBU[0145]                                               fields.time="2020-06-03T09:43:09Z" latency=1.495093ms method=GET remote="10.42.0.155:39132" request=/js/chunk-vendors.f5840117.js request-id=1cnvttvbhC9zgx3mLCnm4zd4cSH
DEBU[0145]                                               fields.time="2020-06-03T09:43:09Z" latency=6.092668ms method=GET remote="10.42.0.155:39134" request=/js/app.2c99ed98.js request-id=1cnvtvDZYcSHvZOYjvdXEHWXGVR
DEBU[0146] api: authentication required                  request-id=1cnvtqQFFg9BB9gpizE2svRIZIW
DEBU[0146] api: guest access                             request-id=1cnvtqQFFg9BB9gpizE2svRIZIW
DEBU[0146]                                               fields.time="2020-06-03T09:43:09Z" latency="308.075µs" method=GET remote="10.42.0.155:39138" request=/api/user request-id=1cnvtqQFFg9BB9gpizE2svRIZIW
DEBU[0146]                                               fields.time="2020-06-03T09:43:09Z" latency="138.611µs" method=GET remote="10.42.0.155:39138" request=/login request-id=1cnvty01cfX6Gf8g4lU3sE3zF8s
DEBU[0146] events: stream opened                         request-id=1cnvtrD41dueVejipjmuvsdCU5B
ERRO[0149] oauth: invalid or missing state              
DEBU[0149] cannot authenticate user: http: named cookie not present 
DEBU[0149]                                               fields.time="2020-06-03T09:43:12Z" latency="200.093µs" method=GET remote="10.42.0.155:39138" request="/login?code=UzzFK00zwjrPosJQBuBCelGJW7mZwTW54nUXahJzic0%3D&state=79d80f8784e7f8e3" request-id=1cnvuKeGSHutFl9R6X1ubb1LkBw
DEBU[0149]                                               fields.time="2020-06-03T09:43:12Z" latency="142.556µs" method=GET remote="10.42.0.155:39138" request="/login/error?message=http:%20named%20cookie%20not%20present" request-id=1cnvuHDv7e2wz6hLXlbkESBx6m4
DEBU[0149]                                               fields.time="2020-06-03T09:43:12Z" latency="945.926µs" method=GET remote="10.42.0.155:39138" request=/css/app.835f40e0.css request-id=1cnvuKrfj2HsvcRjBIsX4yXyi1d
DEBU[0149] api: authentication required                  request-id=1cnvuJTEAAXx8P7VB1NhOoVqtFx
DEBU[0149] api: guest access                             request-id=1cnvuJTEAAXx8P7VB1NhOoVqtFx
DEBU[0149]                                               fields.time="2020-06-03T09:43:12Z" latency="202.667µs" method=GET remote="10.42.0.155:39164" request=/api/user request-id=1cnvuJTEAAXx8P7VB1NhOoVqtFx
DEBU[0149] events: stream opened                         request-id=1cnvuEUxAzSTrAuP2xknEhvosaf

Any help is appreciated.

Thanks in advance!

I recommend clearing your cookies. I recall this happening when I was doing local development and was frequently stopping / starting the server. I also recommend setting a fixed cookie secret, otherwise a new secret value is generated on every restart. More here.

Thanks for the hint. After deleting cookies the auth worked but needed a little trick. First the same error was displayed. I then manually opened /login which led me to the drone dashboard. Since then it works fine without the trick.
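
Added example, not part of the thread and not Drone's own code: the OAuth2 state check that produces the two messages in the Drone log. The server stores a random state in a cookie before redirecting to the provider and compares it with the state query parameter on the callback; "http: named cookie not present" is the text of Go's http.ErrNoCookie, returned when the browser does not send that cookie back. The cookie name and the demo helper are assumptions.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const stateCookie = "oauth_state_example" // hypothetical name, not from Drone's source

// beginLogin stores a random state in a cookie and returns it for the authorize URL.
func beginLogin(w http.ResponseWriter) string {
	b := make([]byte, 8)
	rand.Read(b) // crypto/rand: 8 random bytes, 16 hex characters as in the log above
	state := fmt.Sprintf("%x", b)
	http.SetCookie(w, &http.Cookie{Name: stateCookie, Value: state, Path: "/", HttpOnly: true, Secure: true, MaxAge: 300})
	return state
}

// checkCallback compares the state query parameter with the state cookie.
func checkCallback(r *http.Request) error {
	c, err := r.Cookie(stateCookie)
	if err != nil {
		return err // http.ErrNoCookie: the browser sent no state cookie
	}
	if got := r.URL.Query().Get("state"); got == "" || got != c.Value {
		return errors.New("oauth: invalid or missing state")
	}
	return nil
}

// demo replays three constructed callbacks: cookie returned, cookie dropped, state altered.
func demo() (ok, dropped, tampered error) {
	rec := httptest.NewRecorder()
	state := beginLogin(rec)
	jar := rec.Result().Cookies()
	try := func(s string, cookies []*http.Cookie) error {
		r := httptest.NewRequest("GET", "/login?code=constructed&state="+s, nil)
		for _, c := range cookies {
			r.AddCookie(c)
		}
		return checkCallback(r)
	}
	return try(state, jar), try(state, nil), try("0000000000000000", jar)
}

func main() { fmt.Println(demo()) }
```

When this error appears, the browser's developer tools show whether the Set-Cookie from the first /login response was stored and whether it was sent on the /login?code=...&state=... callback.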