Fix OAuth configuration errors
Fix OAuth configuration errors when connecting Che to Git providers by verifying callback URLs, Secret labels, GitLab scopes, and Bitbucket public keys.
Callback URL mismatch
Every Git provider OAuth application requires a callback URL that matches your Che instance. If the callback URL is wrong, authentication fails after the user authorizes the application.
The correct callback URL for all providers is:
{prod-url}/api/oauth/callback
Verify this value in your Git provider OAuth application settings:
-
GitHub: Authorization callback URL field
-
GitLab: Redirect URI field
-
Bitbucket Cloud: Callback URL field
-
Bitbucket Server (OAuth 2.0): Redirect URL field
-
Microsoft Azure DevOps: Redirect URI registered in Microsoft Entra ID
Secret labels and namespace
The Kubernetes Secret that stores the OAuth credentials must have the correct labels and be in the correct namespace. If the labels or namespace are wrong, Che does not detect the OAuth configuration.
metadata:
namespace: {prod-namespace}
labels:
app.kubernetes.io/part-of: che.eclipse.org
app.kubernetes.io/component: oauth-scm-configuration
GitLab scope requirements
The GitLab authorized application must have the following scopes enabled. Missing scopes cause permission errors when developers push code or access repositories:
-
api -
write_repository -
openid
Bitbucket Server OAuth 1.0 public key
Bitbucket Server application links using OAuth 1.0 require an RSA public key. If the public key is missing or incorrectly formatted, authentication fails silently.
Verify that the content of the public-stripped.pub file (generated during setup) is pasted into the Public Key field of the incoming link configuration on Bitbucket Server.