Open Bug 1751163 Opened 3 years ago Updated 3 years ago

Taskcluster authentication not working for certain Treeherder deployments

Categories

(Cloud Services :: Operations: Taskcluster, defect)

Tracking

(Not tracked)

People

(Reporter: sclements, Unassigned)

I've tried logging into Treeherder's prototype deployment but I get a blank page and an error when it tries to log into the firefox-ci Taskcluster deployment. Error:

code	"unauthorized_client"
name	"AuthorizationError"

This is the URL I see when the error happens: https://firefox-ci-tc.services.mozilla.com/login/oauth/authorize?client_id=treeherder-dev-client&response_type=code&redirect_uri=https%3A%2F%2Fprototype.treeherder.nonprod.cloudops.mozgcp.net%2Ftaskcluster-auth&scope=hooks%3Atrigger-hook%3A*&state=rReBtWMpqlXo6aQN8EEcP

To confirm, it should be registered as:


- clientId: treeherder-dev-client
  scope: ["treeherder"]
  redirectUri: ['https://prototype.treeherder.nonprod.cloudops.mozgcp.net/taskcluster-auth.html']
  whitelisted: true
  responseType: 'code'
  maxExpires: '3 days'

The staging deployment has the same issue. The clientId should be treeherder-taskcluster-staging-client with redirectUri: [https://tc-staging.treeherder.nonprod.cloudops.mozgcp.net/taskcluster-auth.html]

Can someone please look into this?

Blocks: 1749962
Flags: needinfo?(cvalaas)
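
The failing authorize request and the registration quoted in the report can be compared field by field. The following is an added example, not part of the bug thread or Taskcluster's own code; it assumes redirect URIs are compared as exact strings and that a trailing `*` in a registered scope is a prefix wildcard, and `scope_covers` and `audit_authorize_request` are hypothetical helper names.

```python
from urllib.parse import parse_qs, urlsplit

# Registration the reporter expected for the prototype deployment (from the bug).
REGISTERED = {
    "treeherder-dev-client": {
        "scope": ["treeherder"],
        "redirectUri": ["https://prototype.treeherder.nonprod.cloudops.mozgcp.net/taskcluster-auth.html"],
        "responseType": "code",
    },
}

# Authorize URL that produced unauthorized_client (from the bug).
AUTHORIZE_URL = (
    "https://firefox-ci-tc.services.mozilla.com/login/oauth/authorize"
    "?client_id=treeherder-dev-client&response_type=code"
    "&redirect_uri=https%3A%2F%2Fprototype.treeherder.nonprod.cloudops.mozgcp.net%2Ftaskcluster-auth"
    "&scope=hooks%3Atrigger-hook%3A*&state=rReBtWMpqlXo6aQN8EEcP"
)

def scope_covers(granted, wanted):
    """Assumed matching rule: a trailing '*' in the granted scope is a prefix wildcard."""
    if granted.endswith("*"):
        return wanted.startswith(granted[:-1])
    return granted == wanted

def audit_authorize_request(url, registered):
    """Return every reason the request does not match its client registration."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    client = registered.get(q.get("client_id"))
    if client is None:
        return [f"client_id {q.get('client_id')!r} is not registered"]
    problems = []
    # Assumption: exact string comparison, no normalisation of path or suffix.
    if q.get("redirect_uri") not in client["redirectUri"]:
        problems.append(f"redirect_uri {q.get('redirect_uri')!r} not in {client['redirectUri']}")
    if q.get("response_type") != client["responseType"]:
        problems.append(f"response_type {q.get('response_type')!r} != {client['responseType']!r}")
    for wanted in q.get("scope", "").split():
        if not any(scope_covers(g, wanted) for g in client["scope"]):
            problems.append(f"scope {wanted!r} not covered by {client['scope']}")
    return problems

if __name__ == "__main__":
    for problem in audit_authorize_request(AUTHORIZE_URL, REGISTERED):
        print("MISMATCH:", problem)
```

Run against the values in the report, it flags both the `.html` suffix on the registered redirect URI and the requested scope that the registration does not cover.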

Does this look okay to you, sclements?
https://github.com/mozilla-services/cloudops-infra/pull/3729

diff --git a/projects/taskcluster/k8s/values/clients-firefoxcitc.yaml b/projects/taskcluster/k8s/values/clients-firefoxcitc.yaml
index 203b49794..a76b443e9 100644
--- a/projects/taskcluster/k8s/values/clients-firefoxcitc.yaml
+++ b/projects/taskcluster/k8s/values/clients-firefoxcitc.yaml
@@ -81,7 +81,7 @@ rules:
                 maxExpires: 3 days
             -   clientId: treeherder-dev
                 scope:
-                - treeherder
+                - hooks:trigger-hook:*
                 redirectUri:
                 - https://prototype.treeherder.nonprod.cloudops.mozgcp.net/taskcluster-auth.html
                 whitelisted: true
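Review bot: After this hunk the treeherder-dev entry holds the wildcard hooks:trigger-hook:* with whitelisted: true on the same prototype redirectUri that treeherder-dev-client uses in the next hunk, so two client IDs end up registered for one callback. If no deployment still sends client_id=treeherder-dev, remove the entry rather than moving the wildcard scope onto it; if it stays, add a comment naming the deployment that uses it.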
@@ -89,7 +89,7 @@ rules:
                 maxExpires: 3 days
             -   clientId: treeherder-dev-client
                 scope:
-                - hooks:trigger-hook:*
+                - treeherder
                 redirectUri:
                 - https://prototype.treeherder.nonprod.cloudops.mozgcp.net/taskcluster-auth.html
                 whitelisted: true
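Review bot: The redirectUri context line for treeherder-dev-client still ends in /taskcluster-auth.html, while the failing authorize request in this bug sends the prototype host's /taskcluster-auth path with no .html, so the entry will still not match on redirect URI. The same request asks for scope=hooks:trigger-hook:*, which is the scope this hunk removes from the client in favour of treeherder. Suggest keeping hooks:trigger-hook:* on treeherder-dev-client and updating its redirectUri to the path the deployment actually sends.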
Flags: needinfo?(cvalaas) → needinfo?(sclements)

Ah, I see the problem - I was getting confused by old entries (we used to have different routing with redirect URIs containing .html but those are obsolete now). I'll comment on your PR which to remove.

Flags: needinfo?(sclements)

PR updated. Awaiting approvals.

No longer blocks: 1749962