First authorization via OAUTH fails

[Remmert-PBE]

Description

The first authorization attempt after some hours fails, while the second one directly afterwards succeeds:

== 1. try ==
git.exe push --progress  -- "origin" master:master
remote: Verify
fatal: Authentication failed for 'https://git.company.intern/Organization/Product.git/'

git did not exit cleanly (exit code 128) (3687 ms @ 12.06.2024 14:38:16)

== 2. try ==
git.exe push --progress  -- "origin" master:master
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 20 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 1.03 KiB | 1.03 MiB/s, done.
Total 3 (delta 2), reused 0 (delta 0), pack-reused 0 (from 0)
remote: . Processing 1 references
remote: Processed 1 references in total
To https://git.company.intern/Organization/Product.git
11111111..111111 master -> master

Success (6407 ms @ 12.06.2024 14:38:34)

The gitea logfile shows that it tries to login with the user "OAUTH_USER" to our LDAP server, like it is saved by the Git Credential Manager:

2024/06/24 07:53:04 ...eb/routing/logger.go:102:func1() [I] router: completed GET /Organization/Product.git/info/refs?service=git-receive-pack for 192.168.0.10:0, 401 Unauthorized in 4.9ms @ repo/githttp.go:532(repo.GetInfoRefs)
2024/06/24 07:53:08 ...dap/source_search.go:95:findUserDN() [D] Failed search using filter[(&(objectCategory=Person)(|(memberOf=CN=git-developer,OU=Securitygroups,OU=Location,DC=company,DC=intern)(memberOf=CN=git-admin,OU=Securitygroups,OU=Location,DC=company,DC=intern)(memberOf=CN=git-service,OU=Securitygroups,OU=Location,DC=company,DC=intern))(sAMAccountName=OAUTH_USER)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))]: <nil>
2024/06/24 07:53:08 ...vices/auth/signin.go:114:UserSignIn() [D] Failed to login 'OAUTH_USER' via 'CompanyAD': user does not exist [uid: 0, name: OAUTH_USER, keyid: 0]
2024/06/24 07:53:08 routers/web/web.go:123:func7() [E] Failed to verify user: user does not exist [uid: 0, name: OAUTH_USER, keyid: 0]
2024/06/24 07:53:08 ...eb/routing/logger.go:102:func1() [I] router: completed GET /Organization/Product.git/info/refs?service=git-receive-pack for 192.168.0.10:0, 401 Unauthorized in 137.8ms @ web/web.go:120(web.Routes.webAuth)
2024/06/24 07:53:08 ...dap/source_search.go:95:findUserDN() [D] Failed search using filter[(&(objectCategory=Person)(|(memberOf=CN=git-developer,OU=Securitygroups,OU=Location,DC=company,DC=intern)(memberOf=CN=git-admin,OU=Securitygroups,OU=Location,DC=company,DC=intern)(memberOf=CN=git-service,OU=Securitygroups,OU=Location,DC=company,DC=intern))(sAMAccountName=OAUTH_USER)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))]: <nil>
2024/06/24 07:53:08 ...vices/auth/signin.go:114:UserSignIn() [D] Failed to login 'OAUTH_USER' via 'CompanyAD': user does not exist [uid: 0, name: OAUTH_USER, keyid: 0]
2024/06/24 07:53:08 routers/web/web.go:123:func7() [E] Failed to verify user: user does not exist [uid: 0, name: OAUTH_USER, keyid: 0]
2024/06/24 07:53:08 ...eb/routing/logger.go:102:func1() [I] router: completed GET /Organization/Product.git/info/refs?service=git-receive-pack for 192.168.0.10:0, 401 Unauthorized in 59.1ms @ web/web.go:120(web.Routes.webAuth)

2024/06/24 07:53:11 ...eb/routing/logger.go:102:func1() [I] router: completed GET /Organization/Product.git/info/refs?service=git-receive-pack for 192.168.0.10:0, 401 Unauthorized in 1.8ms @ repo/githttp.go:532(repo.GetInfoRefs)
2024/06/24 07:53:11 ...eb/routing/logger.go:102:func1() [I] router: completed POST /login/oauth/access_token for 192.168.0.10:0, 200 OK in 23.1ms @ auth/oauth.go:618(auth.AccessTokenOAuth)
2024/06/24 07:53:11 ...dules/git/command.go:290:Run() [D] git.Command.RunDir(d:\Data\Repositories\Organization\Product.git): "C:\\Program Files\\Git\\cmd\\git.exe" -c protocol.version=2 -c credential.helper= -c filter.lfs.required= -c filter.lfs.smudge= -c filter.lfs.clean= receive-pack --stateless-rpc --advertise-refs .
2024/06/24 07:53:12 ...eb/routing/logger.go:102:func1() [I] router: completed GET /Organization/Product.git/info/refs?service=git-receive-pack for 192.168.0.10:0, 200 OK in 96.3ms @ repo/githttp.go:532(repo.GetInfoRefs)

The authorization after the initial error works for a few hours, but after a while it reappears (token becomes invalid?).

The credential settings in git are:

credential.helper=
credential.helper=C:/Users/pbe/.dotnet/tools/git-credential-manager.exe
credential.https://git.company.intern.provider=generic

Gitea Version

1.21.11

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

https://gist.github.com/Remmert-PBE/959e1e243a2d8243a757aef754571270

Screenshots

No response

Git Version

git version 2.45.2.windows.1

Operating System

Windows Server 2019 Standard

How are you running Gitea?

Running as a service on a windows server. Behind a nginx reverse proxy (configured like the example in the gitea docs)

Database

MSSQL

[Xulunix]

I noticed the same issue using a similar setup (OIDC instead of LDAP).
It works if tried again but some tools check the remote periodically and ask the user to login again if authentication fails.

[yp05327]

It seems that this issue is similar to #30991?

Maybe OAUTH_USER comes from here:
https://github.com/git-ecosystem/git-credential-manager/blob/e124b8bb8f4a53301e0d9d947c075519f75ff222/src/shared/Core/GenericOAuthConfig.cs#L143

[yp05327]

I found a related issue ( maybe ) in GCM:
git-ecosystem/git-credential-manager#1408

Maybe this is a problem from upstream (not directly related) ?

[Remmert-PBE]

@yp05327 Good find, thats exactly what happens on my system. I ran a GCM_TRACE a few days back and it is similar to the one in the gcm issue. In my log the first push ends with the command erase and only on the 2nd push a new token is saved.

See https://gist.github.com/Remmert-PBE/1ccecd8d82c4b19d700835bff1b3567b

Now the question is, which tool is at fault?

[meruiden]

I have the same, after a little while, when I push again, the first time always fails, second time succeeds. im also logged in via the vscode -> oauth in browser

[uujwnqjgim]

First push fails with:

remote: Verify
fatal: Authentication failed for ...

second git push is ok

[257er]

same issue here.

[eeyrjmr]

same, this only just started to be an issue

[eeyrjmr]

I can't be sure but I think this started when I stopped using the gogit build of gitea... This was partially due to sha256
I will see if gogit windows build still works

[jonathanduke]

The same thing has been happening to me recently. Since some of my pulls/pushes are automated to happen at night, it's a real pain.

I think it started after upgrading git-for-windows to 2.45.2.windows.1 and switching to GCM. A workaround has been discussed in the forums here:
https://forum.gitea.com/t/authentication-failed-for-but-running-the-command-again-works/8521

That does work to make it occur less often throughout the day if I set it to 24 hours vs. 1 hour, but it will still expire eventually. So, before my automated processes, I just made sure that I do an extra "git push" to force that expired token to be deleted, so the rest of the batch still works. That seems to get around the problem for now.

[lyleubben]

Can confirm the same issue using git manually. Works on the second call. I believe this is also causing actions to fail on the checkout step.

[vansanper]

Same issue here for my team, tried the workaround to see if it at least mitigates the problem to once a day...

[bvandevliet]

I also still face this issue. Quite annoying tbh.

[seepine]

I want to know if there are any good solutions at present, such as rolling back the git-for-windows version? Or rolling back the gitea version?

[eeyrjmr]

I want to know if there are any good solutions at present, such as rolling back the git-for-windows version? Or rolling back the gitea version?

It would be rolling back git-for-windows to the version that used a windows specific solution.
This is extremely frustrating but we are dependant on git-for-windows to fix. There are several open issues on this over at that repository, using different forges

[Remmert-PBE]

I got it working by prepending the username to the remote url, i.e. https://[email protected]/Organization/Product.git/. This prevents GCM from saving the login token with the dummy username 'OAUTH_USER'.

[becm]

It's a GCM issue, when it arbitrarily started to enforce OAuth when assuming a Gitea remote.

The issue is that token expiration dates are (still) not saved, so there is currently no other way than try and fail.
While other specialized providers for (e.g.) Azure and Bitbucket have some builtin wayshacks to check this internally, there is no extra handling for the generic case.

Mitigations boil down to

• just accept the 2nd try or
• initially invalidate the OAuth config by setting credential.oauthAuthorizeEndpoint=// (not viable with 2FA) or
• replace the git:https://<server> password entry with an application token
  (no expiry issue and better access restriction)