Standard Gitlab integration from self-hosted Infisical to self-hosted Gitlab gives error 400 #1875

Closed
rwarford opened this issue May 26, 2024 · 4 comments

rwarford commented May 26, 2024

Describe the bug

Standard GitLab integration from a self-hosted instance of Infisical to a self-hosted instance of GitLab fails with a "Bad Request" error (code 400).

EDIT: Note that pipeline integration works as expected. The problem is only with the standard integration.

To Reproduce

Steps to reproduce the behavior:

  1. Create an OAuth application in the self-hosted GitLab instance.
  2. Set the Redirect URI to https://your-domain.com/integrations/gitlab/oauth2/callback where your-domain.com is the domain of the self-hosted Infisical instance.
  3. Copy the Application ID and Secret from the GitLab OAuth application into environment variables for the self-hosted Infisical instance (I am running Infisical in Kubernetes so I added these variables to my infisical-secrets secret).
  4. Restart Infisical (I restarted my standalone, ingress, and controller pods).
  5. When Infisical has restarted, click on Integrations, then GitLab.
  6. Enter the URL for the self-hosted GitLab instance and click Continue With OAuth.
  7. Click Authorize in the GitLab page that opens.
  8. Note the error "Bad Request" in Infisical.

Expected behavior

The GitLab integration should be authorized and the GitLab integration dialog should be shown in Infisical.

Screenshots

If applicable, add screenshots to help explain your problem.

Platform you are having the issue on:

Infisical self-hosted Kubernetes instance installed via Helm chart.
repoURL: https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts/
chart: infisical-standalone
targetRevision: 1.0.7

Additional context

See #418 (comment) for a possible cause and solution.
EDIT: I am running version 15.8.1-ee of GitLab.

EDIT: Relevant log lines:

{"level":30,"time":1716746520711,"pid":1,"hostname":"infisical-application-infisical-standalone-infisical-6d47bdrdsz","reqId":"req-jy","severity":"INFO","req":{"method":"POST","url":"/api/v1/integration-auth/oauth-token","hostname":"infisical.k8s-home.local.REDACTED.com","remoteAddress":"10.100.10.146","remotePort":52140},"msg":"incoming request"}
{"level":50,"time":1716746520838,"pid":1,"hostname":"infisical-application-infisical-standalone-infisical-6d47bdrdsz","reqId":"req-jy","severity":"ERROR","err":{"message":"Request failed with status code 400","name":"AxiosError","stack":"AxiosError: Request failed with status code 400\n    at settle (file:///backend/node_modules/axios/lib/core/settle.js:19:12)\n    at IncomingMessage.handleStreamEnd (file:///backend/node_modules/axios/lib/adapters/http.js:589:11)\n    at IncomingMessage.emit (node:events:530:35)\n    at IncomingMessage.emit (node:domain:488:12)\n    at endReadableNT (node:internal/streams/readable:1696:12)\n    at process.processTicksAndRejections (node:internal/process/task_queues:82:21)\n    at Axios.request (file:///backend/node_modules/axios/lib/core/Axios.js:45:41)\n    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n    at async exchangeCodeGitlab (file:///backend/dist/services/integration-auth/integration-token.mjs:154:16)\n    at async Object.oauthExchange (file:///backend/dist/services/integration-auth/integration-auth-service.mjs:51:27)\n    at async Object.handler (file:///backend/dist/server/routes/v1/integration-auth-router.mjs:214:31)","config":{"transitional":{"silentJSONParsing":true,"forcedJSONParsing":true,"clarifyTimeoutError":false},"adapter":["xhr","http"],"transformRequest":[null],"transformResponse":[null],"timeout":0,"xsrfCookieName":"XSRF-TOKEN","xsrfHeaderName":"X-XSRF-TOKEN","maxContentLength":-1,"maxBodyLength":-1,"env":{},"headers":{"Accept":"application/json, text/plain, */*","Content-Type":"application/x-www-form-urlencoded;charset=utf-8","Accept-Encoding":"application/json","User-Agent":"axios/1.6.7","Content-Length":"320"},"method":"post","url":"https://gitlab.local.REDACTED.com/oauth/token","data":"grant_type=authorization_code&code=9267af08adbb312ccd049f80417648a62967a124791dcde1d9168cf764317dcb&client_id=67a9b665c6c97b1e790d8b68c5850418c04d2b3de76fa56092863597377108d6&client_secret=REDACTED&redirect_uri=undefined%2Fintegrations%2Fgitlab%2Foauth2%2Fcallback","axios-retry":{"retries":3,"shouldResetTimeout":false,"retryCount":0,"lastRequestTime":1716746520752}},"code":"ERR_BAD_REQUEST","status":400},"msg":"Request failed with status code 400"}
{"level":50,"time":1716746520839,"pid":1,"hostname":"infisical-application-infisical-standalone-infisical-6d47bdrdsz","reqId":"req-jy","severity":"ERROR","req":{"method":"POST","url":"/api/v1/integration-auth/oauth-token","hostname":"infisical.k8s-home.local.REDACTED.com","remoteAddress":"10.100.10.146","remotePort":52140},"res":{"statusCode":500},"err":{"message":"Request failed with status code 400","name":"AxiosError","stack":"AxiosError: Request failed with status code 400\n    at settle (file:///backend/node_modules/axios/lib/core/settle.js:19:12)\n    at IncomingMessage.handleStreamEnd (file:///backend/node_modules/axios/lib/adapters/http.js:589:11)\n    at IncomingMessage.emit (node:events:530:35)\n    at IncomingMessage.emit (node:domain:488:12)\n    at endReadableNT (node:internal/streams/readable:1696:12)\n    at process.processTicksAndRejections (node:internal/process/task_queues:82:21)\n    at Axios.request (file:///backend/node_modules/axios/lib/core/Axios.js:45:41)\n    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n    at async exchangeCodeGitlab (file:///backend/dist/services/integration-auth/integration-token.mjs:154:16)\n    at async Object.oauthExchange (file:///backend/dist/services/integration-auth/integration-auth-service.mjs:51:27)\n    at async Object.handler (file:///backend/dist/server/routes/v1/integration-auth-router.mjs:214:31)","config":{"transitional":{"silentJSONParsing":true,"forcedJSONParsing":true,"clarifyTimeoutError":false},"adapter":["xhr","http"],"transformRequest":[null],"transformResponse":[null],"timeout":0,"xsrfCookieName":"XSRF-TOKEN","xsrfHeaderName":"X-XSRF-TOKEN","maxContentLength":-1,"maxBodyLength":-1,"env":{},"headers":{"Accept":"application/json, text/plain, */*","Content-Type":"application/x-www-form-urlencoded;charset=utf-8","Accept-Encoding":"application/json","User-Agent":"axios/1.6.7","Content-Length":"320"},"method":"post","url":"https://gitlab.local.REDACTED.com/oauth/token","data":"grant_type=authorization_code&code=9267af08adbb312ccd049f80417648a62967a124791dcde1d9168cf764317dcb&client_id=67a9b665c6c97b1e790d8b68c5850418c04d2b3de76fa56092863597377108d6&client_secret=REDACTED&redirect_uri=undefined%2Fintegrations%2Fgitlab%2Foauth2%2Fcallback","axios-retry":{"retries":3,"shouldResetTimeout":false,"retryCount":0,"lastRequestTime":1716746520752}},"code":"ERR_BAD_REQUEST","status":400},"msg":"Request failed with status code 400"}
@sheensantoscapadngan
Member

Hey @rwarford, upon checking your logs I noticed that redirect_uri is undefined. Is this correct?

@rwarford
Author

@sheensantoscapadngan Interesting. No, it's not null (at least the redirect_uri's that I'm aware of are not "undefined").
The URL in the address bar for GitLab when I'm at the "Authorize Infisical to use your account" in GitLab is:

https://gitlab.local.DOMAIN.com/oauth/authorize?client_id=67a9b665c6c97b1e790d8b68c5850418c04d2b3de76fa56092863597377108d6&redirect_uri=https://infisical.local.DOMAIN.com/integrations/gitlab/oauth2/callback&response_type=code&state=e9865fc77722a2029b283fa39b97108e|https://gitlab.local.DOMAIN.com

The url for the redirect_uri parameter is correct (I think!).

The URI for Redirect URI in the GitLab Application configuration is:

https://infisical.local.DOMAIN.com/integrations/gitlab/oauth2/callback

Based on the "Self-Hosted Setup" tab of https://infisical.com/docs/integrations/cicd/gitlab I believe that is correct.

@sheensantoscapadngan
Member

sheensantoscapadngan commented May 30, 2024


> The url for the redirect_uri parameter is correct (I think!).

ahhh... I think what's undefined in the log is your SITE_URL. can you double check if you've added that ENV? It should be present in your running infisical instance

If possible, can you send an updated log?

@rwarford
Author

> ahhh... I think what's undefined in the log is your SITE_URL. can you double check if you've added that ENV? It should be present in your running infisical instance

That was it! Thank you.

I missed the "Learn more about configuration settings" link on https://infisical.com/docs/self-hosting/deployment-options/kubernetes-helm.

It might be helpful to highlight the need for SITE_URL in section 2 of https://infisical.com/docs/integrations/cicd/gitlab#pipeline under "Self-Hosted Setup" for people like me who shoot first and read later! :).

That section calls out CLIENT_ID_GITLAB and CLIENT_SECRET_GITLAB but doesn't mention SITE_URL.

Thanks again for your help!
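
The failure diagnosed in this thread, as an added example (not Infisical's code and not part of the original comments): an unset SITE_URL interpolates to the text "undefined" in the redirect_uri, which a startup check or a look at the logged token-request body catches before GitLab answers 400. Function names, the sample body's placeholder values and the example.com host are constructed for illustration.

```javascript
// Added example; not Infisical source. All function names are hypothetical.
const CALLBACK_PATH = "/integrations/gitlab/oauth2/callback";

// Unvalidated interpolation: an unset SITE_URL becomes the text "undefined".
function naiveRedirectUri(env) {
  return `${env.SITE_URL}${CALLBACK_PATH}`;
}

// Throws unless value parses as an absolute http(s) URL.
function assertAbsoluteHttpUrl(value, label) {
  let parsed;
  try {
    parsed = new URL(value);
  } catch {
    throw new Error(`${label} is not an absolute URL: ${value}`);
  }
  if (!["http:", "https:"].includes(parsed.protocol)) {
    throw new Error(`${label} must use http(s): ${value}`);
  }
}

// Startup check: fail before any OAuth flow starts, not at token exchange.
function buildRedirectUri(env) {
  const site = (env.SITE_URL ?? "").trim();
  if (site === "") throw new Error("SITE_URL is not set");
  assertAbsoluteHttpUrl(site, "SITE_URL");
  return site.replace(/\/+$/, "") + CALLBACK_PATH;
}

// Log triage: inspect the form body of a logged POST to /oauth/token.
function checkTokenRequestBody(formBody, registeredUri) {
  const sent = new URLSearchParams(formBody).get("redirect_uri");
  if (sent === null) return { ok: false, sent, reason: "redirect_uri missing" };
  try {
    assertAbsoluteHttpUrl(sent, "redirect_uri");
  } catch (err) {
    return { ok: false, sent, reason: err.message };
  }
  // The value must be identical to the one sent on the authorize request.
  if (sent !== registeredUri) return { ok: false, sent, reason: "redirect_uri mismatch" };
  return { ok: true, sent, reason: null };
}

// Constructed sample in the shape of the logged request (values are placeholders).
const SAMPLE_BODY = "grant_type=authorization_code&code=CODE_PLACEHOLDER" +
  "&client_id=CLIENT_ID_PLACEHOLDER&client_secret=REDACTED" +
  "&redirect_uri=undefined%2Fintegrations%2Fgitlab%2Foauth2%2Fcallback";
const REGISTERED = "https://infisical.example.com/integrations/gitlab/oauth2/callback";
console.log(naiveRedirectUri({}), checkTokenRequestBody(SAMPLE_BODY, REGISTERED));
```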
