Oauth2_generic: invalid oauthscope

I am running a self-hosted GitLab 15.5.4 and trying to use ‘oauth2_generic’ for authentication. The configuration in gitlab.rb is given below.

### OmniAuth Settings
###! Docs: https://docs.gitlab.com/ee/integration/omniauth.html
# gitlab_rails['omniauth_enabled'] = nil
gitlab_rails['omniauth_allow_single_sign_on'] = ['oauth2_generic']
# gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
# gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml']
# gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
# gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
gitlab_rails['omniauth_block_auto_created_users'] = true
# gitlab_rails['omniauth_auto_link_ldap_user'] = false
# gitlab_rails['omniauth_auto_link_saml_user'] = false
gitlab_rails['omniauth_auto_link_user'] = ['oauth2_generic']
gitlab_rails['omniauth_external_providers'] = ['oauth2_generic']
gitlab_rails['omniauth_allow_bypass_two_factor'] = ['oauth2_generic']
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "oauth2_generic",
    "label" => "Zoho",
    "app_id" => "ID TOKEN",
    "app_secret" => "SECRET TOKEN",
    "args" => {
      "site" => "https://accounts.zoho.in/oauth/v2/auth",
      "access_type" => "offline",
      "approval_prompt" => "",
      "client_options" => {
        "site" => "https://accounts.zoho.in",
        "user_info_url" => "/oauth/user/info",
        "authorize_url" => "/oauth/v2/auth",
        "token_url" => "/oauth/v2/token"
      },
      "user_response_structure" => {
        "root_path" => [],
        "id_path" => ["sub"],
        "attributes" => {
          "email" => "email",
          "name" => "name"
        }
      },
      "authorize_params" => {
        "scope" => "openid profile email"
      },
      "strategy_class" => "OmniAuth::Strategies::OAuth2Generic"
    }
  }
]

The OAuth login attempt with this configuration fails with the error message below in the browser.

Could not authenticate you from OAuth2Generic because "{"response":"error","cause":"invalid oauthscope"} ".

The log files do not contain much information.

production.log

Started POST "/users/auth/oauth2_generic" for <IP> at 2023-07-27 02:47:17 +0000
Processing by Gitlab::RequestForgeryProtection::Controller#index as HTML
  Parameters: {"authenticity_token"=>"[FILTERED]"}
Completed 200 OK in 1ms (ActiveRecord: 0.0ms | Elasticsearch: 0.0ms | Allocations: 107)
Started GET "/users/auth/oauth2_generic/callback?state=78a936c8d4466cfbb5dc0f9cc01fa5a071d57d941f&code=[FILTERED]&location=in&accounts-server=https%3A%2F%2Faccounts.zoho.in" for <IP> at 2023-07-27 02:47:18 +0000
Processing by OmniauthCallbacksController#failure as HTML
  Parameters: {"state"=>"78a936c8d4466cfbb5dc0f9cc01fa5a071d57d941f", "code"=>"[FILTERED]", "location"=>"in", "accounts-server"=>"https://accounts.zoho.in"}
Redirected to https://website/users/sign_in
Completed 302 Found in 42ms (ActiveRecord: 0.0ms | Elasticsearch: 0.0ms | Allocations: 6052)
Started GET "/-/metrics" for 127.0.0.1 at 2023-07-27 02:47:19 +0000
Processing by MetricsController#index as HTML

application.log

2023-07-27T02:47:17.127Z: (oauth2_generic) Request phase initiated.
2023-07-27T02:47:18.803Z: (oauth2_generic) Callback phase initiated.
2023-07-27T02:47:19.175Z: (oauth2_generic) Authentication failure! invalid_credentials: OAuth2::Error, {"response":"error","cause":"INVALID_OAUTHSCOPE"}

What could be the reason of this “invalid oauthscope” error?

That error is returned by Zoho; please refer to their documentation for what the requested scopes in the scope parameter should be.

Finally figured it out. Zoho has a slightly different requirement for the scope parameter. The following configuration worked.

"scope" => "email,AAAServer.profile.READ"