I set up a new GitLab instance on a VM, and linked it with my company’s Azure AD. I was able to log in with Azure AD one time, but now I can’t. I get an HTTP 500 error in GitLab, and when I click Go Back, it tells me my code was redeemed.
Here’s the error:
Could not authenticate you from AzureOauth2 because "Invalid grant: aadsts54005: oauth2 authorization code was already redeemed, please retry with a new valid code or use an existing refresh token. trace id: 707983fd-2e41-4d20-8258-0e220d954800 correlation id: 79c299c7-ed0e-46ef-a72a-0ff99ce27c42 timestamp: 2019-08-22 21:31:11z {"error":"invalid_grant","error_description":"aadsts54005: oauth2 authorization code was already redeemed, please retry with a new valid code or use an existing refresh token.
trace id: 707983fd-2e41-4d20-8258-0e220d954800
correlation id: 79c299c7-ed0e-46ef-a72a-0ff99ce27c42
timestamp: 2019-08-22 21:31:11z","error_codes":[54005],"timestamp":"2019-08-22 21:31:11z","trace_id":"707983fd-2e41-4d20-8258-0e220d954800","correlation_id":"79c299c7-ed0e-46ef-a72a-0ff99ce27c42"}".
And here’s my configuration:
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['azure_oauth2']
gitlab_rails['omniauth_sync_email_from_provider'] = ['azure_oauth2']
gitlab_rails['omniauth_sync_profile_from_provider'] = ['azure_oauth2']
gitlab_rails['omniauth_sync_profile_attributes'] = ['email', 'location', 'name']
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'azure_oauth2'
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_external_providers'] = false
gitlab_rails['omniauth_providers'] = [{
  "name" => "azure_oauth2",
  "args" => {
    "client_id" => "",
    "client_secret" => "",
    "tenant_id" => ""
  }
}]
Of course, like an idiot, I disabled password sign-in/registration, so Azure AD is the only way into GitLab. (Thankfully, there’s nothing in there yet.)
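For readers wondering what the error above actually means: an OAuth2 authorization code is single-use, so AADSTS54005 says the same code reached the token endpoint a second time. The toy authorization server below is an added illustration (not GitLab, OmniAuth or Azure AD code; client id, secret and callback hostname are made up) showing why the second redemption is refused even with correct credentials.

```ruby
# Added illustration, not GitLab or Azure AD code: a minimal OAuth2 token endpoint
# whose authorization codes are single-use. A second redemption of the same code
# is rejected with invalid_grant, the failure class behind AADSTS54005.
require 'securerandom'

class ToyAuthorizationServer
  def initialize(client_id:, client_secret:)
    @client_id = client_id
    @client_secret = client_secret
    @pending = {}   # code => redirect_uri the code was bound to
    @redeemed = {}  # code => time of first redemption (kept only to label the error)
  end

  # Authorization endpoint: the user's browser is redirected back to the client
  # with this code in the query string.
  def authorize(redirect_uri)
    code = SecureRandom.hex(16)
    @pending[code] = redirect_uri
    code
  end

  # Token endpoint: exchanges a code for an access token exactly once.
  # Returns a Hash shaped like a real token response or OAuth2 error body.
  def token(code:, client_id:, client_secret:, redirect_uri:)
    return { 'error' => 'invalid_client' } unless client_id == @client_id && client_secret == @client_secret
    if @redeemed.key?(code)
      return { 'error' => 'invalid_grant',
               'error_description' => 'authorization code was already redeemed' }
    end
    bound_uri = @pending.delete(code)
    return { 'error' => 'invalid_grant', 'error_description' => 'unknown code' } unless bound_uri && bound_uri == redirect_uri
    @redeemed[code] = Time.now.utc
    { 'access_token' => SecureRandom.hex(24), 'token_type' => 'Bearer', 'expires_in' => 3600 }
  end
end

# What the client sees when its callback URL is hit twice with the same code
# (for example a reload of the callback page, or a proxy replaying the request):
# the first exchange succeeds and the second is refused even with valid credentials.
def redeem_twice
  server = ToyAuthorizationServer.new(client_id: 'gitlab', client_secret: 's3cret')  # made-up values
  cb = 'https://gitlab.example/users/auth/azure_oauth2/callback'  # assumed hostname
  code = server.authorize(cb)
  first  = server.token(code: code, client_id: 'gitlab', client_secret: 's3cret', redirect_uri: cb)
  second = server.token(code: code, client_id: 'gitlab', client_secret: 's3cret', redirect_uri: cb)
  [first, second]
end
```

When troubleshooting, the useful question is therefore which component delivered the callback request twice, not whether the credentials are right.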