GitlabOAuth subgroup authentication problems

Hey everyone,

I’m having a 403 error when trying to authenticate. This is my config:

            - ***
            client_id: ***
            client_secret: ***
            oauth_callback_url: ***
            - aSubgroup
            - read_user
            - read_api
            - read_repository
            - openid
            - profile
            - email
            authenticator_class: gitlab

If I add the parent group, instead of a subgroup, then I can authenticate. I’m part of both groups. I’m an owner of the subgroup, and only a maintainer in the parent group. I’m also the admin user.

Is there any way to authenticate using the subgroup instead of the parent group? What am I missing?

On the off chance that some features didn’t land in your jupyterhub yet, what versions of gitlab and oauthenticator do you have?

I’m using the Helm chart version 1.1.1 and I’m using GitLab Enterprise Edition 14.2.0-pre :slight_smile:

OK, that ought to be enough :upside_down_face:

Do you specify the full subgroup path (parent_group/subgroup)? Can you try providing the group numerical id instead of its name (the ID visible at the gitlab group page)?

I’ve tried:

  • parentGroupId/subGroupId
  • parentGroupName/subGroupName
  • subGroupId
  • subGroupName
  • groupId
  • groupName

Using the groupId and groupName works fine. Everything else, fails.

Uhh, that seems weird, and I’m really unsure what is happening here.

Perhaps as an extra check, can you try getting the endpoint yourself? It should be something like https://your.gitlab.domain/api/v4/groups/<subgroup_id or parentGroupName%2FsubGroupName>/members/all/<your_id>?

1 Like

Yup, I’m there on both endpoints…

:frowning: I’m out of my depth here, sorry. The only remaining option that comes to mind is modifying the oauthenticator source so that you can see the query and the response in the logs.