anomalyco
Gitlab duo provider is not working with Self Hosted instances.
Description
I am using Opencode with a self hosted gitlab instance. I got an error when trying to send a message.
GitlabError: Failed to get direct access token: 403 Forbidden - {"Message":"403 Forbidden"}
I use the PAT method to login. (Even Gitlab show the token to be used recently).
Plugins
No response
OpenCode version
No response
Steps to reproduce
No response
Screenshot and/or share link
No response
Operating System
macos sonoma 14.8.2
Terminal
kitty / iterm2
This issue might be a duplicate of existing issues. Please check:
- #8367: GitLab Duo /models selection still responds as Claude 3.5 Sonnet - This issue also involves GitLab Duo provider problems with authentication/configuration
- #7455: [FEATURE]: Add GitLab Duo Agentic Chat Provider Support - The feature request tracking GitLab Duo support for both GitLab.com and self-hosted instances
- #8509: opencode error when starting the command - Another GitLab-related error ("TypeError: undefined is not an object (evaluating 'input.id')") that may be related
Feel free to ignore if none of these address your specific case.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
@gaetan-puleo Could you please provide GitLab version you are currently running?
Thanks for posting the versions. They are relatively new, which is good. Could you please tell me if you use OAuth or PAT authentication? Could you please try both methods? If it's PAT, make sure it has API access, if PAT is old, try to create a new one and test it.
@vglafirov I created a PAT yesterday with API Access, but I couldn't use Oauth because OpenCode tried to log me in gitlab.com and not the self hosted instance. I'll try again
When using "opencode auth login" I can enter a gitlab instance URL. Ok we need to avoid using /connect when opencode is running.
"Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method."
I guess oauth is not possible with my instance
Yeah, for OAuth you might need to register your own application. I am currently investingating this. I will keep you posted.
Another question: Have you tried Duo-CLI ? Does this work for you? It doesn't mean we should not fix OpenCode, it's a part of debug process :) Trying to find the difference.
Another question: Have you tried Duo-CLI ? Does this work for you? It doesn't mean we should not fix OpenCode, it's a part of debug process :) Trying to find the difference.
I just connected duo cli to the instance and try to send a message, it works and it can find my project @vglafirov
@gaetan-puleo Have you used the same PAT for OpenCode and Duo Cli? Could you please check the instance feature flag agent_platform_claude_code if it's enabled or not?
the easiest way is to export GITLAB_TOKEN environment variable and try both cli's
Yep I use the same PAT. How can I see if this flag is enabled?
PS: I exported GITLAB_TOKEN in my local fish config file
You can do that through UI: Admin Area → Settings → General → Feature Flags You need to be an instance Admin though
You can do that through UI: Admin Area → Settings → General → Feature Flags You need to be an instance Admin though
I am not an admin :(
it's possible this flag can be off, the company doesn't toggle on the flags if not needed (security reasons)
Nevermind. Feature flags shouln't be the problem, since Duo Cli and OpenCode require the same flags. Have you set GITLAB_INSTANCE_URL environment variable properly? you shouln't have trailing backslash / at the end.
Something to check. As a potential root cause candidate. It seems environment variables names are different.
If users have set GITLAB_URL or GITLAB_BASE_URL for Duo CLI but NOT GITLAB_INSTANCE_URL for opencode, then:
- Duo CLI → connects to https://self-hosted.gitlab.com
- opencode → connects to https://gitlab.com (default)
The 403 error makes sense because:
1. opencode is sending the self-hosted token to gitlab.com
2. gitlab.com doesn't recognize that token → 403 Forbidden
I have a GITLAB_INSTANCE_URL variable with no trailing slash at the end (using https at the start)
my GITLAB_INSTANCE_URL is not https://company.gitlab.com url, The format is https://something.like.this.tld
Could you please also check if these curl commands working for you?
curl -X POST \
-H "Authorization: Bearer $GITLAB_TOKEN" \
-H "Content-Type: application/json" \
-d '{}' \
"$GITLAB_INSTANCE_URL/api/v4/ai/third_party_agents/direct_access"
curl -X POST \
-H "Authorization: Bearer $GITLAB_TOKEN" \
-H "Content-Type: application/json" \
-d '{"feature_flags":{"DuoAgentPlatformNext":true,"duo_agent_platform_agentic_chat":true,"duo_agent_platform":true}}' \
"$GITLAB_INSTANCE_URL/api/v4/ai/third_party_agents/direct_access"
I don't think it's the same endpoint for duo (vscode) and the official integration for opencode,
I vibe coded an integration using opencode, and I used a websocket endpoint to do the same. (/api/v4/ai/duo_workflows/ws)
Yeah it was really hacky and It worked really bad. @vglafirov
ChatOps may be? I need to understand if feature flag is enabled or not for the instance.
/chatops run feature get agent_platform_claude_code
My guess is this piece of the code from GitLab monolith
It's probably disabled by default on self-hosted instances.
condition(:third_party_agents_enabled) do
::Feature.enabled?(:agent_platform_claude_code, @user)
end
I don't have access to chatops too, I'm pretty sure this flag is disabled. We are really making sure, nothing is enabled if not "needed". Even mcps are not enabled for gitlab duo (vscode)