OpenID Connect login return 500 with "invalid_grant" #11225

Open
opened 2025-11-02 09:31:19 -06:00 by GiteaMirror · 11 comments

Originally created by @cubesky on GitHub (Jul 14, 2023).

Description

I'm using Keycloak as the OpenID Connect IDP. When I use OpenID login, it redirects to Keycloak; when it returns, Gitea shows `UserSignIn, oauth2: "invalid_grant" "Code not valid"`.

I searched the previous issues, but they don't solve this problem.

Log [I will renew the secret key]

```
gitea     | 2023/07/14 10:29:05 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/oauth2/SSO for 10.42.10.4:0, 307 Temporary Redirect in 7.7ms @ auth/oauth.go:847(auth.SignInOAuth)
gitea     | 2023/07/14 10:29:05 ...rs/web/auth/oauth.go:923:SignInOAuthCallback() [E] UserSignIn: oauth2: "invalid_grant" "Code not valid"
gitea     | 2023/07/14 10:29:05 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/oauth2/SSO/callback?state=75382e78-9ee9-47f3-b38d-e5bc3f9bee53&session_state=45e90eab-168f-42d9-9049-1a20bbc6478c&code=a1e3596f-7310-42a1-93db-de0528478c4c.45e90eab-168f-42d9-9049-1a20bbc6478c.7253e69e-1195-4043-8b87-8d1278e2036e for 10.42.10.4:0, 500 Internal Server Error in 20.7ms @ auth/oauth.go:886(auth.SignInOAuthCallback)
```

Gitea Version

1.20.0+rc0

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

image

image

Git Version

No response

Operating System

No response

How are you running Gitea?

Yes, I'm running Gitea with Docker. Keycloak and LDAP provide user system.

Database

PostgreSQL

GiteaMirror added the type/bug label 2025-11-02 09:31:19 -06:00

@cubesky commented on GitHub (Jul 21, 2023):

Hello, is there any update for this?


@CaiCandong commented on GitHub (Jul 25, 2023):

I'm trying to reproduce the bug


@CaiCandong commented on GitHub (Jul 26, 2023):

> Hello, is there any update for this?

I can't reproduce this bug, you can give me more information.

gif

```
2023/07/26 15:38:40 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/oauth2/keycloak/callback?state=cff292fd-9136-4f54-9794-e674ca1dc487&session_state=1d9398ec-17d6-4f28-940b-c01e94a9edf7&code=dde242d0-c3c3-4920-a7ec-479b58b3771d.1d9398ec-17d6-4f28-940b-c01e94a9edf7.2743f261-939a-4d66-80c8-9b8fab1fedfa for [::1]:55985, 500 Internal Server Error in 9.6ms @ auth/oauth.go:886(auth.SignInOAuthCallback)
2023/07/26 15:38:46 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/events for [::1]:55985, 200 OK in 855.3ms @ events/events.go:18(events.Events)
2023/07/26 15:39:01 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/oauth2/keycloak for [::1]:55992, 307 Temporary Redirect in 13.8ms @ auth/oauth.go:847(auth.SignInOAuth)
2023/07/26 15:39:01 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/oauth2/keycloak/callback?state=c0d382a7-6bfc-450c-929d-9878ed168967&session_state=1d9398ec-17d6-4f28-940b-c01e94a9edf7&code=4c7543a7-832f-4b9a-916d-91236dab75c8.1d9398ec-17d6-4f28-940b-c01e94a9edf7.2743f261-939a-4d66-80c8-9b8fab1fedfa for [::1]:55992, 303 See Other in 63.7ms @ auth/oauth.go:886(auth.SignInOAuthCallback)
2023/07/26 15:39:01 ...eb/routing/logger.go:102:func1() [I] router: completed GET / for [::1]:55992, 200 OK in 24.5ms @ web/home.go:32(web.Home)
```

@cubesky commented on GitHub (Jul 26, 2023):

> > Hello, is there any update for this?
>
> I can't reproduce this bug, you can give me more information.
>
> gif
>
> ```
> 2023/07/26 15:38:40 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/oauth2/keycloak/callback?state=cff292fd-9136-4f54-9794-e674ca1dc487&session_state=1d9398ec-17d6-4f28-940b-c01e94a9edf7&code=dde242d0-c3c3-4920-a7ec-479b58b3771d.1d9398ec-17d6-4f28-940b-c01e94a9edf7.2743f261-939a-4d66-80c8-9b8fab1fedfa for [::1]:55985, 500 Internal Server Error in 9.6ms @ auth/oauth.go:886(auth.SignInOAuthCallback)
> 2023/07/26 15:38:46 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/events for [::1]:55985, 200 OK in 855.3ms @ events/events.go:18(events.Events)
> 2023/07/26 15:39:01 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/oauth2/keycloak for [::1]:55992, 307 Temporary Redirect in 13.8ms @ auth/oauth.go:847(auth.SignInOAuth)
> 2023/07/26 15:39:01 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/oauth2/keycloak/callback?state=c0d382a7-6bfc-450c-929d-9878ed168967&session_state=1d9398ec-17d6-4f28-940b-c01e94a9edf7&code=4c7543a7-832f-4b9a-916d-91236dab75c8.1d9398ec-17d6-4f28-940b-c01e94a9edf7.2743f261-939a-4d66-80c8-9b8fab1fedfa for [::1]:55992, 303 See Other in 63.7ms @ auth/oauth.go:886(auth.SignInOAuthCallback)
> 2023/07/26 15:39:01 ...eb/routing/logger.go:102:func1() [I] router: completed GET / for [::1]:55992, 200 OK in 24.5ms @ web/home.go:32(web.Home)
> ```

My Keycloak is at another URL; maybe this is the reason?

@cubesky commented on GitHub (Jul 26, 2023): https://github.com/go-gitea/gitea/assets/8038511/720af58e-b621-45c7-9a5a-69a982951a70

@cubesky commented on GitHub (Jul 26, 2023):

Keycloak is in another subdomain.


@CaiCandong commented on GitHub (Jul 26, 2023):

I started Keycloak using the Docker image `quay.io/keycloak/keycloak:22.0.1`. Perhaps the version of Keycloak is different? Can you tell me the version of your Keycloak so that I can replicate this error?
gif
image


@cubesky commented on GitHub (Jul 26, 2023):

I'm running keycloak 16.1.1 via Docker.
image


@CaiCandong commented on GitHub (Jul 26, 2023):

I started Keycloak with the following command:
`docker run -p 8081:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin jboss/keycloak:16.1.1`

image

The configuration of keycloak is the same as yours, but I still can't reproduce your error.

I still can't reproduce your error, perhaps you could leave a contact?

gif


@cubesky commented on GitHub (Jul 26, 2023):

> I started keycloak with the following command `docker run -p 8081:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin jboss/keycloak:16.1.1`
>
> image
>
> The configuration of keycloak is the same as yours, but I still can't reproduce your error.
>
> I still can't reproduce your error, perhaps you could leave a contact?
>
> gif

Yes, you can contact me via QQ 2591616916 or email me max_301(at)live.com


@cubesky commented on GitHub (Aug 1, 2023):

After creating a new Keycloak instance, the SSO connection is fine. But when I copied the configuration of the new Keycloak to the old one, it didn't fix the issue.

Reference: github-starred/gitea#11225