Error 500 during OpenID authentication

Hello everyone,

Here is my problem:
I’m trying to link my GitLab server with my Keycloak server so I can connect with single sign-on.

Following the documentation on the official GitLab website, I have configured the gitlab.rb file.

I had a first problem that I solved by disabling the “discovery” parameter. I changed it to “false”.

Now I can access the authentication page of my SSO server, but when I enter my credentials, a 500 error appears: “Whoops, something went wrong on your end”.

When I go to the “production.log” I discover the following errors:

  • SSLError (self signed certificate)
    or
  • ArgumentError (request URI must have schema. possibly add “http://”)

Does anyone have an idea?

Thanks for your help!

Matthieu

I’m seeing the same problem with ArgumentError (not the SSLError). I’m on the latest GitLab version with an Omnibus installation and the full log looks like this:

Started POST "/users/auth/openid_connect" for 1.2.3.37 at 2022-08-15 16:10:24 +0200
Processing by Gitlab::RequestForgeryProtection::Controller#index as HTML
  Parameters: {"authenticity_token"=>"[FILTERED]"}
Completed 200 OK in 0ms (ActiveRecord: 0.0ms | Elasticsearch: 0.0ms | Allocations: 184)
Started GET "/users/auth/openid_connect/callback?code=[FILTERED]&state=3ef8a5660be9cf9aaf21a9d74937819e" for 1.2.3.37 at 2022-08-15 16:10:24 +0200

ArgumentError (Request URI must have schema. Possibly add 'http://' to the request URI?):

lib/gitlab/middleware/memory_report.rb:13:in `call'
lib/gitlab/middleware/speedscope.rb:13:in `call'
lib/gitlab/database/load_balancing/rack_middleware.rb:23:in `call'
lib/gitlab/jira/middleware.rb:19:in `call'
lib/gitlab/middleware/go.rb:20:in `call'
lib/gitlab/etag_caching/middleware.rb:21:in `call'
lib/gitlab/middleware/query_analyzer.rb:11:in `block in call'
lib/gitlab/database/query_analyzer.rb:37:in `within'
lib/gitlab/middleware/query_analyzer.rb:11:in `call'
lib/gitlab/middleware/multipart.rb:173:in `call'
lib/gitlab/middleware/read_only/controller.rb:50:in `call'
lib/gitlab/middleware/read_only.rb:18:in `call'
lib/gitlab/middleware/same_site_cookies.rb:27:in `call'
lib/gitlab/middleware/handle_malformed_strings.rb:21:in `call'
lib/gitlab/middleware/basic_health_check.rb:25:in `call'
lib/gitlab/middleware/handle_ip_spoof_attack_error.rb:25:in `call'
lib/gitlab/middleware/request_context.rb:21:in `call'
lib/gitlab/middleware/webhook_recursion_detection.rb:15:in `call'
config/initializers/fix_local_cache_middleware.rb:11:in `call'
lib/gitlab/middleware/compressed_json.rb:26:in `call'
lib/gitlab/middleware/rack_multipart_tempfile_factory.rb:19:in `call'
lib/gitlab/middleware/sidekiq_web_static.rb:20:in `call'
lib/gitlab/metrics/requests_rack_middleware.rb:77:in `call'
lib/gitlab/middleware/release_env.rb:13:in `call'

The remote server first receives a GET request /oauth/authorize?client_id=[REDACTED]&nonce=[REDACTED]&redirect_uri=https%3A%2F%2Fgitlab.example.com%2Fusers%2Fauth%2Fopenid_connect%2Fcallback&response_type=code&scope=openid%20profile%20email&state=5016e686e867ae966f1696dd483d8ff3 and responds with a 302, then it receives a POST request to /oauth/token where it responds with a 200. In both cases, it’s completely happy with all the arguments and has no warnings or errors in its log.

But the GitLab server somehow struggles with a request that seems to be missing the schema, although the schema is available in the redirect argument.
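Both posts describe the same pattern: discovery turned off, endpoints configured by hand, and the callback failing before the token or userinfo call completes. The thread does not show either poster's gitlab.rb, so the following is not a diagnosis of their setups but an added pre-flight check, written for this page and not part of GitLab or the omniauth_openid_connect gem. It resolves each endpoint in a `client_options` hash the way that client documents it (an absolute URL is used as-is; a path starting with `/` is completed from `scheme`, `host` and `port`) and reports any endpoint that would end up with no scheme at all, which is exactly the shape of URL the `Request URI must have schema` error complains about. The two configuration hashes are constructed sample data; the hostnames, ports and realm path are assumptions, and the `check_client_options` and `resolve_endpoint` names are mine.

```ruby
require 'uri'

# Endpoint keys accepted by GitLab's OpenID Connect client_options when
# discovery is disabled (names as used in the gitlab.rb documentation).
ENDPOINT_KEYS = %w[authorization_endpoint token_endpoint userinfo_endpoint
                   jwks_uri end_session_endpoint].freeze

# Resolve one endpoint value to the absolute URL the client would call.
# Returns [absolute_url, nil], or [nil, reason] when no scheme can be determined.
# The completion rule (scheme/host/port fill in a leading-slash path) is the
# one documented for omniauth_openid_connect; it is re-implemented here, not imported.
def resolve_endpoint(value, base)
  uri = URI.parse(value.to_s)
  return [uri.to_s, nil] if uri.scheme && uri.host # already absolute

  scheme, host, port = base.values_at('scheme', 'host', 'port')
  unless scheme && host
    return [nil, "#{value.inspect} has no scheme/host and client_options " \
                 "lacks 'scheme'/'host' to complete it"]
  end
  unless value.to_s.start_with?('/')
    return [nil, "#{value.inspect} is neither an absolute URL nor a path starting with '/'"]
  end
  authority = port ? "#{host}:#{port}" : host
  [URI.parse("#{scheme}://#{authority}#{value}").to_s, nil]
rescue URI::InvalidURIError => e
  [nil, "#{value.inspect} is not a valid URI (#{e.message})"]
end

# Check a client_options hash (string or symbol keys, as in gitlab.rb).
# Returns { resolved: {key => url}, problems: {key => reason}, warnings: {key => text} }.
def check_client_options(client_options)
  opts = client_options.transform_keys(&:to_s)
  result = { resolved: {}, problems: {}, warnings: {} }
  ENDPOINT_KEYS.each do |key|
    next unless opts.key?(key)

    url, reason = resolve_endpoint(opts[key], opts)
    if url
      result[:resolved][key] = url
      # Plain http would send the authorization code, tokens and userinfo in the clear.
      result[:warnings][key] = 'resolves to plain http; use https' if url.start_with?('http://')
    else
      result[:problems][key] = reason
    end
  end
  result
end

# Constructed example (assumed hostnames and realm): relative endpoint paths
# with nothing to complete them, so every endpoint resolves to a scheme-less URI.
BROKEN_OPTIONS = {
  'identifier' => 'gitlab',
  'secret' => 'REDACTED',
  'redirect_uri' => 'https://gitlab.example.com/users/auth/openid_connect/callback',
  'authorization_endpoint' => '/realms/example/protocol/openid-connect/auth',
  'token_endpoint' => '/realms/example/protocol/openid-connect/token',
  'userinfo_endpoint' => '/realms/example/protocol/openid-connect/userinfo',
  'jwks_uri' => '/realms/example/protocol/openid-connect/certs'
}.freeze

# Same endpoints with scheme/host/port supplied, so every URL resolves.
FIXED_OPTIONS = BROKEN_OPTIONS.merge(
  'scheme' => 'https', 'host' => 'keycloak.example.com', 'port' => 8443
).freeze

if __FILE__ == $PROGRAM_NAME
  [BROKEN_OPTIONS, FIXED_OPTIONS].each do |opts|
    r = check_client_options(opts)
    puts "resolved: #{r[:resolved]}"
    puts "problems: #{r[:problems]}"
    puts "warnings: #{r[:warnings]}"
    puts
  end
end
```

Run it against the `client_options` block copied out of gitlab.rb before reconfiguring; anything listed under `problems` is an endpoint the client cannot turn into a URL with a scheme. For the `SSLError (self signed certificate)` in the first post, Omnibus GitLab picks up additional CA certificates placed in `/etc/gitlab/trusted-certs/` on the next `gitlab-ctl reconfigure`; trusting the identity provider's CA there keeps certificate verification on, which matters because the token endpoint is where the client secret and the authorization code are sent.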