Wrong method to fetch token for openID connect #1014

Closed
opened 2025-11-02 03:45:18 -06:00 by GiteaMirror · 21 comments
Owner

Originally created by @Lichtjaeger on GitHub (Aug 29, 2017).

  • Gitea version (or commit ref): 1.2.0-rc1
  • Git version: 2.14.1
  • Operating system: Windows 10
  • Database (use [x]):
    • [x] PostgreSQL
    • [ ] MySQL
    • [ ] MSSQL
    • [ ] SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • [ ] Yes (provide example URL)
    • [ ] No
    • [x] Not relevant
  • Log:

```
2017/08/29 10:40:12 [I] Log Mode: File(Info)
2017/08/29 10:40:12 [I] XORM Log Mode: File(Info)
2017/08/29 10:40:12 [I] Cache Service Enabled
2017/08/29 10:40:12 [I] Session Service Enabled
2017/08/29 10:40:13 [I] Git Version: 2.14.1
2017/08/29 10:40:13 [I] SQLite3 Supported
2017/08/29 10:40:13 [I] Run Mode: Production
2017/08/29 10:40:13 [I] Listen: http://0.0.0.0:3000
2017/08/29 10:40:35 [...routers/user/auth.go:409 handleOAuth2SignIn()] [E] UserSignIn: oauth2: cannot fetch token: 405 Method Not Allowed
Response: {"error":"invalid_request","error_description":"method not allowed"}
```

Description

Hi, I am trying to implement an OpenID Connect login with oidc-provider (https://github.com/panva/node-oidc-provider) for Node.js.

But I get "method not allowed" errors when I test this setup. I opened an issue at the provider's page ( panva/node-oidc-provider#150 ) and the answer was that the client used the wrong method to request the token.
GiteaMirror added the type/question label 2025-11-02 03:45:18 -06:00
@panva commented on GitHub (Aug 29, 2017):

Hi, I am maintaining oidc-provider.

`method not allowed` is returned in cases where a route only responds to certain HTTP methods (verbs), in this case a POST for a `token_endpoint`, but another method is encountered.
@lunny commented on GitHub (Aug 29, 2017):

From the log, it seems you are trying to use OAuth2 login and not OpenID Connect?
@panva commented on GitHub (Aug 29, 2017):

From an authorization_code flow perspective the two are the same (only in OIDC you must request the `openid` scope). Either way, the `token_endpoint` request must use a POST (https://tools.ietf.org/html/rfc6749#section-3.2), does it?
@Lichtjaeger commented on GitHub (Aug 30, 2017):

Here are my settings:
[screenshot: schnappschuss_083017_071532_am] https://user-images.githubusercontent.com/8598542/29856440-1689d6a6-8d53-11e7-8f52-1c13ce4fecd0.jpg

And the "/.well-known/openid-configuration.json":
openid-configuration.zip (https://github.com/go-gitea/gitea/files/1262485/openid-configuration.zip)
@Lichtjaeger commented on GitHub (Sep 7, 2017):

No improvement in Gitea v1.2.0-rc2.
@lunny commented on GitHub (Sep 7, 2017):

@strk maybe you can see this?
@Lichtjaeger commented on GitHub (Sep 25, 2017):

No improvement in Gitea v1.2.0-rc3.
@Lichtjaeger commented on GitHub (Oct 16, 2017):

No improvement in Gitea v1.2.0. #618 still doesn't work for me.
@Lichtjaeger commented on GitHub (Nov 17, 2017):

No improvement in Gitea v1.3.0-rc1.
@Lichtjaeger commented on GitHub (Jan 3, 2018):

No improvement in Gitea v1.3.2.

@strk please state something.
@strk commented on GitHub (Jan 3, 2018):

Sorry, but I'm not involved in the `OpenID Connect` consumer code at all. I did the `OpenID-2.0` one. The `OpenID Connect` code, as far as I can tell, was added by @willemvd in commit 950f2e207413551b868252a1bced6ce9263d16d4 via #1010.

Willem, can you help here?
@strk commented on GitHub (Jan 3, 2018):

@Lichtjaeger re "#618 still doesn't work for me": you mean you don't have an `OpenID-2.0` server to test against, right? Or file a separate issue if `OpenID-2.0` is also not working for you against a valid server.
@Lichtjaeger commented on GitHub (Jan 3, 2018):

> you mean you don't have an `OpenID-2.0` server to test against, right? Or file a separate issue if `OpenID-2.0` is also not working for you against a valid server.

Sorry, I was looking for a reference to my problem and only found this. Yes, I don't have an OpenID-2.0 server. I tried to use OpenID Connect from the start.
@willemvd commented on GitHub (Jan 11, 2018):

@Lichtjaeger have you also configured the yammer provider? This error message is only displayed when using the yammer provider (https://github.com/markbates/goth/search?q=%22cannot+fetch+token%22&type=).
Looks like the error message returned from the library is not correct.
@Lichtjaeger commented on GitHub (Jan 11, 2018):

@willemvd I don't know anything about the yammer provider. But the message ("cannot fetch token: 405 Method Not Allowed") is correct. I use the oidc-provider for Node.js from @panva. You can also read the error message I got from the provider at panva/node-oidc-provider#150.
@Lichtjaeger commented on GitHub (Jan 25, 2018):

I eventually found the problem. In my nginx load balancer I used `return 301 https://$server_name$request_uri;` to force SSL. This changed the POST request into a GET request.

Now I use `return 308 https://$server_name$request_uri;`, but I get some other errors.

Requesting the token without https results in:

```
2018/01/25 08:35:22 [...routers/user/auth.go:411 handleOAuth2SignIn()] [E] UserSignIn: oauth2: cannot fetch token: 308 
Response: https://auth.gbn.web/token
```

Requesting without forcing SSL results in:

```
2018/01/25 09:14:49 [...routers/user/auth.go:411 handleOAuth2SignIn()] [E] UserSignIn: userinfo response did not contain a 'sub' claim: map[string]interface {}{"sub":57}
```
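The two findings above (the token endpoint only accepting POST, per RFC 6749 §3.2, and a `301` redirect turning that POST into a GET while a `308` preserves it) can be reproduced without nginx or an OIDC provider. The following is an added example written for this page, not code from Gitea, goth, golang.org/x/oauth2 or oidc-provider: two `httptest` servers stand in for the provider's token endpoint and for the HTTP-to-HTTPS redirector, and a plain `http.Client` (which follows redirects the way the oauth2 library's client does) plays the relying party. The grant code and token values are constructed sample data; `Demo`, `fetchToken`, `tokenEndpoint` and `redirectTo` are names chosen here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// tokenEndpoint stands in for an OIDC provider's token_endpoint. RFC 6749
// §3.2 requires the client to POST to it, so any other verb is answered with
// 405 and the same OAuth error body that appears in the Gitea log above.
func tokenEndpoint(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	if r.Method != http.MethodPost {
		w.Header().Set("Allow", http.MethodPost)
		w.WriteHeader(http.StatusMethodNotAllowed)
		json.NewEncoder(w).Encode(map[string]string{
			"error":             "invalid_request",
			"error_description": "method not allowed",
		})
		return
	}
	if err := r.ParseForm(); err != nil || r.PostForm.Get("grant_type") != "authorization_code" {
		w.WriteHeader(http.StatusBadRequest)
		json.NewEncoder(w).Encode(map[string]string{"error": "invalid_request"})
		return
	}
	// Constructed sample token; a real provider would look up the code.
	json.NewEncoder(w).Encode(map[string]string{
		"access_token": "constructed-access-token",
		"token_type":   "Bearer",
	})
}

// redirectTo plays the role of the nginx front end: every request is answered
// with `status` and a Location pointing at the same path on `target`, which is
// what `return 301 https://...$request_uri;` or `return 308 ...` produce.
func redirectTo(status int, target string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, target+r.URL.RequestURI(), status)
	})
}

// fetchToken sends the authorization_code grant the way an OAuth2 client does
// (a POST with a form body) through a default http.Client, which follows
// redirects, and reports the status and body the final hop answered with.
func fetchToken(tokenURL string) (int, string, error) {
	form := url.Values{
		"grant_type": {"authorization_code"},
		"code":       {"constructed-code"}, // constructed sample value
	}
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return 0, "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, strings.TrimSpace(string(body)), err
}

// Demo stands up the token endpoint behind a redirector using redirectStatus
// and returns what the client ends up with. With 301 the Go client (like
// browsers and most HTTP libraries) rewrites the POST to a GET, so the token
// endpoint sees the wrong verb; with 308 method and body are preserved.
func Demo(redirectStatus int) (int, string, error) {
	origin := httptest.NewServer(http.HandlerFunc(tokenEndpoint))
	defer origin.Close()
	front := httptest.NewServer(redirectTo(redirectStatus, origin.URL))
	defer front.Close()
	return fetchToken(front.URL + "/token")
}

func main() {
	for _, st := range []int{http.StatusMovedPermanently, http.StatusPermanentRedirect} {
		code, body, err := Demo(st)
		fmt.Printf("redirect %d -> token endpoint answered %d %s (err=%v)\n", st, code, body, err)
	}
}
```

The same distinction holds for the temporary codes: `302` lets the client switch to GET, `307` does not. The robust fix is still the one the thread ends up with: publish an `https://` `token_endpoint` in the discovery document so the client never hits a redirect with a request body at all.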
@Lichtjaeger commented on GitHub (Jan 25, 2018):

The error for 308 statuses is solved through reconfiguration of the `/.well-known/openid-configuration` endpoint.

But there is still the error with the "sub" claim. The debug output of the oidc-provider is:

```
oidc-provider:userinfo uuid=fbb7df8c-1cfa-4dbd-a896-da077ffe4eb4 content-type=application/json response={ sub: 57 }
```
@Lichtjaeger commented on GitHub (Jan 29, 2018):

OK, I changed the type of the "sub" from number to string and now it works.
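Why a numeric `sub` is rejected: OpenID Connect Core 1.0 §5.1 defines `sub` as a string, and a typed client that asserts `.(string)` on the decoded claim fails on the JSON number `57` even though the key is present, which is exactly the misleading "did not contain a 'sub' claim" message above. The example below is added for this page and is not Gitea's or goth's code; it shows the check a relying party should run on a userinfo response, going one step beyond the thread by also enforcing the §5.3.2 rule that the userinfo `sub` must exactly match the `sub` of the already-validated ID Token, and by picking up the optional profile claims the later suggestion mentions. The sample responses, the claim values and the names `ParseUserInfo`, `Claims` and the `Err*` variables are constructed here.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Claims is the part of a userinfo response a relying party would use: the
// mandatory sub plus a few optional profile claims that could prefill a
// registration form.
type Claims struct {
	Sub               string
	Email             string
	Name              string
	PreferredUsername string
}

var (
	ErrNoSub        = errors.New("userinfo response did not contain a 'sub' claim")
	ErrSubNotString = errors.New("userinfo 'sub' claim is not a string")
	ErrSubMismatch  = errors.New("userinfo 'sub' does not match the ID Token 'sub'")
)

// ParseUserInfo decodes a userinfo JSON body and applies the OpenID Connect
// Core 1.0 rules for sub: it must be present, it must be a string (§5.1), and
// it must exactly equal the sub of the ID Token the client already validated
// (§5.3.2), otherwise the response must not be used. idTokenSub is that
// value; pass "" only if there is no ID Token to compare against.
func ParseUserInfo(body []byte, idTokenSub string) (*Claims, error) {
	var raw map[string]interface{}
	if err := json.Unmarshal(body, &raw); err != nil {
		return nil, fmt.Errorf("userinfo: invalid JSON: %w", err)
	}
	v, present := raw["sub"]
	if !present || v == nil {
		return nil, ErrNoSub
	}
	sub, isString := v.(string)
	if !isString || sub == "" {
		// A JSON number such as 57 decodes to float64 here, so the
		// response from the thread ({ sub: 57 }) is rejected at this point.
		return nil, fmt.Errorf("%w: got %T (%v)", ErrSubNotString, v, v)
	}
	if idTokenSub != "" && sub != idTokenSub {
		return nil, ErrSubMismatch
	}
	c := &Claims{Sub: sub}
	// Optional claims: only accept them when they are strings as well.
	c.Email, _ = raw["email"].(string)
	c.Name, _ = raw["name"].(string)
	c.PreferredUsername, _ = raw["preferred_username"].(string)
	return c, nil
}

func main() {
	// Constructed sample responses mirroring the thread: the provider first
	// returned sub as a number, then as a string.
	samples := []struct {
		label string
		body  string
	}{
		{"numeric sub", `{"sub":57}`},
		{"string sub", `{"sub":"57","email":"jane@example.test","preferred_username":"jane"}`},
		{"foreign sub", `{"sub":"58"}`},
		{"missing sub", `{"email":"jane@example.test"}`},
	}
	for _, s := range samples {
		c, err := ParseUserInfo([]byte(s.body), "57")
		if err != nil {
			fmt.Printf("%-12s rejected: %v\n", s.label, err)
			continue
		}
		fmt.Printf("%-12s accepted: %+v\n", s.label, *c)
	}
}
```

The `sub` cross-check matters because the userinfo endpoint is called with a bearer access token: without it, a substituted token would let the response describe a different user than the one the ID Token was issued for.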
@strk commented on GitHub (Jan 29, 2018):

Great to hear you succeeded in that!

Are you going to write a blog post about how to set up an OpenID Connect server and Gitea to work with it?

Maybe publishing it on https://github.com/go-gitea/blog ?
@Lichtjaeger commented on GitHub (Jan 29, 2018):

I can try to make time for it.

PS: I have a suggestion for improvement. OIDC provides a lot of other claims (for example email, family_name, given_name, name, preferred_username). The discovery result can tell you if they are available. You could use them to autofill the registration form.
@strk commented on GitHub (Jan 29, 2018):

> I can try to make time for it.

Thanks!

> PS: I have a suggestion for improvement. OIDC provides a lot of other claims (for example email, family_name, given_name, name, preferred_username). The discovery result can tell you if they are available. You could use them to autofill the registration form.

Great idea, please file an enhancement ticket for that, so you don't forget. You can send a PR later :)
Reference: github-starred/gitea#1014