Authentication on MS Azure (Entra) fails after updating app secret

We’re using omniauth to authenticate users via the azure_activedirectory_v2 method, and our app secret was close to expiring, so I updated it earlier today (something we’ve done multiple times before).

But after updating, Azure AD login does not work anymore; GitLab throws an “Invalid client: aadsts7000215: invalid client secret provided” error when trying to authenticate using Azure.

I’ve tried using the app and secret in a test app, and I can retrieve a token via a client_credential flow without error, so the secret clearly works.

As mentioned, this is not a new install; nothing has changed except the secret, which was copied using the built-in Azure Portal functionality and tested in another app to actually function. (Though I’m not sure what flow GitLab uses.)

We are running GitLab Enterprise Edition v16.4.1-ee.

Just generic suggestions here, but have you run gitlab-ctl reconfigure? Or have you tried to restart GitLab?

Looking around, there also seem to be issues if there is a “+” in the token value. Try to generate a new one.

I’ve done both gitlab-ctl reconfigure and a restart, and in a desperate effort rebooted the box; it still did not work.

The secret does contain a ~ and no +s, but I am pretty sure that the old token contained a ~ as well.
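The two threads of this discussion, checking the new secret with a client credentials token request outside GitLab and the suggestion that a “+” in the secret value can cause trouble, can be tied together in one small script. The following is an added example written for this thread, not code from GitLab, omniauth or any of the posters. It uses the standard Azure AD v2.0 token endpoint and the documented error response shape (the AADSTS7000215 code is the one quoted above); the AZURE_* environment variable names and the sample JSON responses in the comments are constructed for the example. It does not tell you which flow GitLab’s omniauth strategy uses, only whether Azure accepts the secret at all.

```ruby
# Added example (not from the forum thread): verify an Azure AD / Entra app
# secret with the OAuth 2.0 client credentials flow, independent of GitLab,
# and show how the secret is form-encoded in the token request.
require "net/http"
require "uri"
require "json"

# Azure AD v2.0 token endpoint for a given tenant.
def token_endpoint(tenant_id)
  URI("https://login.microsoftonline.com/#{tenant_id}/oauth2/v2.0/token")
end

# Build the application/x-www-form-urlencoded body. Every value is
# percent-encoded, so a "+" in the secret travels as "%2B" and a "~" as "%7E".
# If a client pastes the secret into a form body unencoded, a raw "+" is
# decoded as a space by the server, which is one plausible reason a secret
# containing "+" could be rejected as invalid while the value itself is fine.
def token_request_body(client_id, client_secret, scope = "https://graph.microsoft.com/.default")
  URI.encode_www_form(
    "grant_type"    => "client_credentials",
    "client_id"     => client_id,
    "client_secret" => client_secret,
    "scope"         => scope
  )
end

# Interpret the JSON response body. Success looks like
#   {"token_type":"Bearer","expires_in":3599,"access_token":"..."}
# and a rejected secret like
#   {"error":"invalid_client","error_description":"AADSTS7000215: ...","error_codes":[7000215]}
# (both shapes shown here are constructed samples of the documented format).
def parse_token_response(body)
  data = JSON.parse(body)
  if data["access_token"]
    { ok: true, token_type: data["token_type"], expires_in: data["expires_in"] }
  else
    codes = (data["error_codes"] || []).map { |c| "AADSTS#{c}" }
    { ok: false, error: data["error"], codes: codes, description: data["error_description"] }
  end
end

# Perform the request. This needs network access and real credentials, so it
# is only called below when the (assumed) AZURE_* environment variables are set.
def fetch_token(tenant_id, client_id, client_secret)
  uri = token_endpoint(tenant_id)
  req = Net::HTTP::Post.new(uri)
  req["Content-Type"] = "application/x-www-form-urlencoded"
  req.body = token_request_body(client_id, client_secret)
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(req) }
  parse_token_response(res.body)
end

if ENV["AZURE_TENANT_ID"] && ENV["AZURE_CLIENT_ID"] && ENV["AZURE_CLIENT_SECRET"]
  result = fetch_token(ENV["AZURE_TENANT_ID"], ENV["AZURE_CLIENT_ID"], ENV["AZURE_CLIENT_SECRET"])
  if result[:ok]
    puts "secret accepted (#{result[:token_type]}, expires in #{result[:expires_in]}s)"
  else
    puts "rejected: #{result[:codes].join(',')} #{result[:description]}"
  end
end
```

Run it with the three variables exported to reproduce the token check from the first post. The encoding helper is the part worth keeping: if a secret with “+” or “~” works here but not in the application, the difference is in how that application submits the value, not in the secret itself.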