Unable to establish GitLab Jira Development Panel integration - invalid OAuth scope?

geir.amdal · September 29, 2020, 12:50pm

Unable to establish integration from Jira to self-managed GitLab 13.4.1 (Core)

I am trying to connect Jira to GitLab to establish a Development Panel integration, so GitLab commits etc. are displayed on issues in Jira.

Currently following the instructions listed in https://docs.gitlab.com/ee/integration/jira_development_panel.html, which instructs one to:

create a user (“jira”) in GitLab for use as an integration user
while signed in to this user, create an application definition (e.g. “Jira”) under this this user, enabling ‘api’ (OAuth) scope access

Both of these steps have been completed, and OAuth client ID and secret has been created.

Next, one is to go to Jira, go to Settings (gear) > Applications > DVCS accounts, and create a new DVCS connection of type “GitHub Enterprise”.

However, when I do this in the manner described in the documentation (specifying Host URL, Client ID and Client Secret (using Application ID and Secret from the GitLab application) value from the previous section, I receive an error in the GitLab UI: “The requested scope is invalid, unknown, or malformed.”

Checking the URL in the address bar, I see the last GET parameter is: scope=repo

Since the functionality for integrating with Jira was only recently added, is it possible some bugs remain? Or is it the mechanism in Jira that has changed?

Changing the value of ‘scope’ in the URL to ‘api’ causes a dialogue to pop up, prompting me to authorize access to ‘api’ scope. Accepting this causes other errors later on in the process, but I am assuming that is caused by missing data or other gaps in the flow.

Since the docs specify that the application context should have ‘api’ scope access, I would expect the incoming request from Jira to ask for scope ‘api’ rather than ‘repo’…

My main question is: Have I made a mistake in setting up the integration, or is it not working as intended (i.e. a bug)?

leiiel · September 30, 2020, 3:10pm

I am also having the same problem. I’ve tried adding more scopes in the Gitlab application, unticking Auto link Repository checkbox, but still no luck. It either creates an empty DVCS account with no linked repositories (error retrieving list of repositories), or the process hangs at the last step.

Also I noticed that the URL of Visit Account link for the DVCS account is incorrect - the group part of the URL is missing.

geir.amdal · October 1, 2020, 11:26am

@leiiel: Have you determined whether the incorrect URL(s) are being constructed by GitLab or Jira as part of the OAuth exchange?

leiiel · October 1, 2020, 10:57pm

@geir.amdal I didn’t get to the bottom of the incorrect URL, but I managed to get it working today (or at least the gitlab commit is linked to Jira).

It seems that you have to specify the top level of group in Team or User Account field, e.g., highlighted - gitlab.com/org/team/group. You can’t enter any values with slash, e.g., org/team/project-group/repo as it fails the field validation check. Make sure untick Auto Link Repository checkbox when creating a DVCS account, as you probably don’t want to automatically load all the repositories in your organisation. You will still have scope=repo problem in the URL. But as you suggested, it worked this time after changing its value to api. Once the DVCS account is created, you should be able to see all the repos under the top level group from the dropdown list and you can manually add your repos. Wait a few seconds and refresh the page, your repos should appear.

The result is not ideal (or not as good as I thought). You have to make sure to add references (Jira issue number, e.g., AB-123) in each commit message so it can reference back to Jira.

I just found out - DVCS connector, according to Jira, is an older piece of technologies Jira maintains. I started to question if this is the best solution, or how long Jira would support this feature.

I’ll continue using/testing it and see if there are any other limitations/issues.

P.S. - I’ve been also investigating other alternative options, e.g., Gitlab/Jira integration, Jigit.

ondrej.michalek · October 6, 2020, 6:57am

@leiiel this helped a ton! this seems like a recent bug, as this thread is not that old and for googling “The requested scope is invalid, unknown, or malformed.” this was almost the only result

jankindly · October 9, 2020, 6:43am

@leiiel thanks for the explanation, unfortunately the repositories are not listed with me. The user I took has admin rights. But neither the repository directly below the user nor the other repositories below the groups are shown. Is there anything else I need to know about visibility in Gitlab? Normally we have it organized like this group/subroup/project. Any ideas?

leiiel · October 12, 2020, 11:00am

@ondrej.michalek Glad to help. I hope Gitlab/Jira can fix this asap.

leiiel · October 12, 2020, 11:17am

@jankindly Did you see any error messages when you were creating DVCS acocunt?

I tested with Public and Private projects and both work.

jankindly · October 20, 2020, 7:33am

@leiiel

Yes I’m getting this message: Error!

Failed adding the account: [Error retrieving list of repositories]

The Account has Administrator Rights and I set the scope to API. Do I maybe need to open a specific port on the firewall?

leiiel · October 22, 2020, 12:48pm

@jankindly Try change Team or User Account to the topest level of your Gitlab (project) group. If your project A is under a subgroup, for example, gitlab.com/org/team/grp/projectA, enter org in that field when you create DVCS account.

jankindly · October 22, 2020, 1:45pm

@leiiel Sorry I don’t get it. I have group/subgroup/repository as Team/User Account I still get an error

geir.amdal · October 23, 2020, 11:08am

Recent update from Atlassian on establishing an integration between Jira and GitLab:

This guide will help you create the integration between Jira and GitLab, and then use GitLab as an account in the DVCS Connector. To create the integration, we’ll use the OAuth 2.0 library that’s available in Jira 8.10 and later, and Jira 8.5. This will help us get around the limited OAuth 2.0 functionality available in the GitHub implementation, and also let us use a standard feature across Jira and other Atlassian products.

We’re upgrading Jira to attempt the proposed integration procedure. Will update with findings.

leiiel · October 28, 2020, 10:08am

@jankindly

Sorry I don’t get it. I have group/subgroup/repository as Team/User Account I still get an error

I can only make it work by entering group as Team/User Account, then you need to manually add your repos.

jankindly · November 12, 2020, 7:02am

I finally got it running, but I had to install an OAuth 2.0 plugin. Here is the plugin:

And here are the instructions: https://confluence.atlassian.com/jiracore/integrating-jira-with-gitlab-1019398724.html

Then it also works with group/subgroup/project/repository

KubaR3IoT · November 23, 2020, 4:06pm

Is this possible with the atlassian-hosted version of Jira? I can’t seem to find where you can add a new Oauth2.0 integration.