fix: Woodpecker token auto-generation fails — OAuth2 redirect URI mismatch #172

New issue

Closed

opened 2026-04-03 06:19:42 +00:00 by dev-bot · 0 comments

dev-bot commented

2026-04-03 06:19:42 +00:00

Collaborator

Problem

disinto init fails to auto-generate the Woodpecker CI token. The init output shows:

Warning: could not obtain Woodpecker token — skipping token generation

Woodpecker logs show the underlying error:

{"level":"error","error":"oauth2: \"unauthorized_client\" \"unexpected redirect URI\"","time":"...","message":"cannot authenticate user"}

Without WOODPECKER_TOKEN in .env, the subsequent activate_woodpecker_repo also fails, leaving CI completely unconfigured.

Root cause

The OAuth2 redirect URI mismatch between Forgejo and Woodpecker. During create_woodpecker_oauth(), the OAuth2 app is registered on Forgejo with a callback URL. When the generate_woodpecker_token() function later drives the OAuth2 flow, Woodpecker sends a redirect URI that does not match what Forgejo has registered.

This is likely caused by the Docker-internal hostname (http://woodpecker:8000) being used in one place and the host-accessible URL (http://localhost:8000) in another. The generate_woodpecker_token() function already has URL-rewriting logic (lines ~1592-1601) to translate between these, but the mismatch still occurs — suggesting the registered callback URL and the actual redirect URI diverge.

Steps to reproduce

docker compose down -v && rm -f .env
bin/disinto init https://codeberg.org/johba/harb --branch master --yes
# Output includes: "Warning: could not obtain Woodpecker token"
grep WOODPECKER_TOKEN .env  # not present

Debugging info

Woodpecker v3.14.0-rc.0
Forgejo 11.0
WOODPECKER_HOST and WOODPECKER_FORGE_OAUTH_CLIENT are set in .env by create_woodpecker_oauth()
The OAuth2 app is created on Forgejo with client_id visible in init output

Files

bin/disinto — create_woodpecker_oauth() (registers the OAuth2 app) and generate_woodpecker_token() (drives the OAuth2 flow)
docker-compose.yml — Woodpecker service environment variables

## Problem `disinto init` fails to auto-generate the Woodpecker CI token. The init output shows: ``` Warning: could not obtain Woodpecker token — skipping token generation ``` Woodpecker logs show the underlying error: ```json {"level":"error","error":"oauth2: \"unauthorized_client\" \"unexpected redirect URI\"","time":"...","message":"cannot authenticate user"} ``` Without `WOODPECKER_TOKEN` in `.env`, the subsequent `activate_woodpecker_repo` also fails, leaving CI completely unconfigured. ## Root cause The OAuth2 redirect URI mismatch between Forgejo and Woodpecker. During `create_woodpecker_oauth()`, the OAuth2 app is registered on Forgejo with a callback URL. When the `generate_woodpecker_token()` function later drives the OAuth2 flow, Woodpecker sends a redirect URI that does not match what Forgejo has registered. This is likely caused by the Docker-internal hostname (`http://woodpecker:8000`) being used in one place and the host-accessible URL (`http://localhost:8000`) in another. The `generate_woodpecker_token()` function already has URL-rewriting logic (lines ~1592-1601) to translate between these, but the mismatch still occurs — suggesting the registered callback URL and the actual redirect URI diverge. ## Steps to reproduce ```bash docker compose down -v && rm -f .env bin/disinto init https://codeberg.org/johba/harb --branch master --yes # Output includes: "Warning: could not obtain Woodpecker token" grep WOODPECKER_TOKEN .env # not present ``` ## Debugging info - Woodpecker v3.14.0-rc.0 - Forgejo 11.0 - `WOODPECKER_HOST` and `WOODPECKER_FORGE_OAUTH_CLIENT` are set in `.env` by `create_woodpecker_oauth()` - The OAuth2 app is created on Forgejo with client_id visible in init output ## Files - `bin/disinto` — `create_woodpecker_oauth()` (registers the OAuth2 app) and `generate_woodpecker_token()` (drives the OAuth2 flow) - `docker-compose.yml` — Woodpecker service environment variables