GitHub OAuth fails to authenticate

[erikatniche]

• Concourse version: v2.4.0
• Deployment type: binaries on Ubuntu 14.04; 2 worker machines, 1 machine with web/worker/Postgres
• OS: Windows 7 (also observed on MacOS)
• Browser: Chrome Version 54.0.2840.99 m

When I click "login with GitHub" in Chrome, I am sent to an about:blank page with no network activity. When I click "login with GitHub" in Firefox, I am sent to a mangled URL: http://:8080devvm-concourse/auth/github?redirect=%2F&team_name=main.

When I fix the URL, it then prompts me for login info and I am able to continue to Concourse as expected. I can also paste the correct URL into Chrome, and it works just fine.

Furthermore, I was able to successfully login with my GitHub account using fly and the URL it provides.

[concourse-bot]

Hi there!

We use Pivotal Tracker to provide visibility into what our team is working on. A story for this issue has been automatically created.

The current status is as follows:

• #134461889 Login UI generates bogus login links if external URL is configured as http://hostname:port

This comment, as well as the labels on the issue, will be automatically updated as the status in Tracker changes.

[vito]

Is your --external-url configured appropriately?

[erikatniche]

Yes. This has been verified by multiple eyes.

[vito]

Could you include more details about your deployment and also the GitHub side of the configuration? Extra eyes won't hurt. :)

[erikatniche]

Setup:

Currently using Concourse v2.5.1.

Host machine: Windows Server 2012 R2, CPU: Intel E5-2640 v3, HyperV

concourse-web: 2 CPU x 8GB RAM

• web and worker instance

concourse-worker (2): 2 CPU x 4GB RAM

• worker instance

Configuration:

https://gist.github.com/erikatniche/a7ad81c11708195e50ac99e4619719eb

I set up a tiered process using (Go) templates to create pipelines dynamically. The entry point is pipeline.yml. This creates a pipeline named branches using the branches_pipeline_template.yml, containing jobs and resources for each of our repositories (currently ~20).

branches creates individual pipelines for each configured repository; go_pipeline_template.yml is the template we use to create pipelines for Go repositories, for example. Jobs and resources exist for each branch in the repository. When the branches in a repository change, these pipelines are updated to reflect the new state of the repository.

Hope that helps! Let me know what else you need.

[vito]

Thanks! In this case it's more the config around Concourse itself and GitHub that I'd need to eyeball though. This would mean the flags for web (make sure you take the secret bits out), plus the GitHub side of the oAuth configuration.

[erikatniche]

I had this issue confused with #781. My bad!

Setting up the web instance (complete script for context):

#!/bin/sh

apt-get update
apt-get -y install postgresql postgresql-contrib

sudo -u postgres createdb atc
sudo -u postgres psql -d atc -c "CREATE ROLE concourse WITH LOGIN PASSWORD 'concourse'"

wget -O /usr/bin/concourse "https://github.com/concourse/concourse/releases/download/v2.5.1/concourse_linux_amd64"
chmod +x /usr/bin/concourse

GITHUB_CLIENT_ID=$1
GITHUB_CLIENT_SECRET=$2

cat > /etc/init/web.conf << END
description "concourse web instance"
start on runlevel [2345]
stop on runlevel [!2345]
respawn
script
concourse web \
 --session-signing-key $(pwd)/session_signing_key \
 --tsa-host-key $(pwd)/tsa_host_key \
 --tsa-authorized-keys $(pwd)/authorized_worker_keys \
 --external-url http://devvm-concourse:8080 \
 --postgres-data-source postgres://concourse:concourse@localhost:5432/atc \
 --github-auth-client-id $GITHUB_CLIENT_ID \
 --github-auth-client-secret $GITHUB_CLIENT_SECRET \
 --github-auth-organization <org> \
 --basic-auth-username <username> \
 --basic-auth-password <password> \
 >> /var/log/concourse-web.log 2>&1
end script
END

service web start

GitHub:

[vito]

Can you paste the response of /api/v1/teams/<team>/auth/methods?

[erikatniche]

[vito]

OK, so the API has it right. Looks like this is probably a bug with just the web UI then. Guessing Erl.parse isn't parsing it correctly.

Thanks; will prioritize this.

[chendrix]

I verified this is an issue with Erl (both the version we're using and latest)

Filed sporto/erl#17

Even if this gets fixed upstream, would require us to upgrade to Elm 0.18 to fix it 😢

[concourse-bot]

Hello again!

All stories related to this issue have been accepted, so I'm going to automatically close this issue.

At the time of writing, the following stories have been accepted:

• #134461889 Login UI generates bogus login links if external URL is configured as http://hostname:port

If you feel there is still more to be done, or if you have any questions, leave a comment and we'll reopen if necessary!

[pierrebeaucamp]

Just updated to 2.7.0 but we still can't use Github OAuth.

Created a new team with --github-auth-organization (I also tried --github-auth-team without any luck)
Github OAuth Application is configured with http://concourse.karma.io/auth/github/callback as its callback URL.

When trying to log in, we get successfully redirected to Github, where we need to log in / grant our app access to Github. Once this is done, we get redirected back to concourse, with the following call:

Request URL: http://concourse.karma.io/auth/github/callback?code=45xxxxx78&state=eyxxxxxn0
Referer: http://concourse.karma.io/teams/ilovetravel/login
Cookie: _concourse_oauth_state=eyxxxxxxn0 (same state)

This call just times out after a while. It appears to do nothing at all.

[vito]

@pierrebeaucamp make sure your ATC can reach github (or your github instance). it needs to make API calls to it in order to verify that you have access.

[richarddowner]

Hi I am still getting these errors.

https://cicd-myapp.company-test.com/api/v1/teams/test/auth/methods
[{"type":"oauth","display_name":"GitHub","auth_url":"https://cicd-myapp.company-support.com/auth/github?team_name=test"}]

The third request fails.

1. github?team_name=test&redirect=/ returns 307
2. authorize?client_id=xxxxxxxx.... returns 302
3. callback?code=xxxxxxx&state=xxxxxx returns 504

[chendrix]

@richarddowner I don't think that's the same issue as this one ended up being. You don't have an auth URL that lacks a TLD.

[richarddowner]

Hi @chendrix, sorry i was referring to @pierrebeaucamp issue, I am seeing the exact same problem he has. And have confirmed @vito suggestion of making sure the ATC (concourse web instance??) can reach github.com

[chrisdpa-tvx]

I see this problem as well but in a slightly different form.... concourse is setting the redirect uri as on the path, eg Request URL:https://github.com/login/oauth/authorize?client_id=xxxxx&redirect_uri=%2Fauth%2Fgithub%2Fcallback&response_type=code&scope=read%3Aorg&state=xxx