Unable to acquire VCS Auth Token from GitLab: Parameter "state" is missing

Hi, I have a problem getting VCS Auth Tokens to work. I've added a GitLab CE/EE connection to my root project and configured my self-hosted GitLab accordingly.
When adding a VCS Auth Token, GitLab asks me to log in and afterwards redirects me to /oauth/gitlab/accessToken.html on my TeamCity server.
Then, TeamCity returns the following error:

Parameter "state" is missing. Make sure to use the configured OAuth redirect URL to start the OAuth flow.

The state URL parameter is however present. When I remove it, the error message changes:

Invalid state. Make sure to use the configured OAuth redirect URL to start the OAuth flow.

TeamCity is running in Docker behind an nginx reverse proxy, so I verified the following:

  • The reverse proxy does not mess with the URL in any way (no "normalization", the state parameter is present with the URL escapes intact)
  • X-Forwarded-Host, X-Forwarded-Proto and X-Forwarded-For are passed to TeamCity. X-Forwarded-Host/X-Forwarded-Proto match the value in Global Settings -> Server URL: "https://teamcity.intranet"
  • Both RememberMe and TCSESSIONID cookies are passed to TeamCity

Here's the raw request nginx makes to the TeamCity server:

GET /oauth/gitlab/accessToken.html?code=[...]&state=[...] HTTP/1.1
Host: teamcity:8111
X-Forwarded-Host: teamcity.intranet
X-Forwarded-Proto: https
X-Forwarded-For: 10.13.99.194
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Cookie: RememberMe=[...]; TCSESSIONID=[...]
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i

As there is no more error information anywhere (I've checked the logs and only found the same message), I'm out of ideas on how to troubleshoot this any further.
I'm running TeamCity 2025.11.

Any help would be much appreciated.

1 comment

For anybody with the same issue:

It is crucial that the configured “Server URL” matches the URL in your browser. In my case, I had the last domain part configured as a DNS search domain and omitted it in the browser (as is common with company networks). Using the full domain name fixed the issue.
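
A sketch of why a host name mismatch can break the state check, added here as an example and not part of the original post or TeamCity's code. It assumes the OAuth state is kept in the server-side session and that the session cookie is host-only; the class names, the callback path and the host names are constructed.

```python
import secrets
from urllib.parse import urlsplit, parse_qs

class Browser:
    """Host-only cookie jar: a cookie set for one host name is not sent to another."""
    def __init__(self):
        self.jar = {}  # host name -> session id

class OAuthClient:
    """Hypothetical server side (assumption): pending state lives in the session."""
    def __init__(self, server_url):
        self.server_url = server_url.rstrip("/")
        self.sessions = {}  # session id -> session data

    def _session(self, browser, host):
        sid = browser.jar.get(host)
        if sid not in self.sessions:  # no cookie for this host: new session
            sid = secrets.token_hex(8)
            self.sessions[sid] = {}
            browser.jar[host] = sid
        return self.sessions[sid]

    def start_flow(self, browser, browser_url):
        # State is stored in the session of the host the browser is actually using.
        state = secrets.token_urlsafe(16)
        self._session(browser, urlsplit(browser_url).hostname)["state"] = state
        # The redirect URL is built from the configured Server URL instead.
        return f"{self.server_url}/oauth/callback?code=constructed&state={state}"

    def callback(self, browser, url):
        parts = urlsplit(url)
        got = parse_qs(parts.query).get("state", [None])[0]
        want = self._session(browser, parts.hostname).pop("state", None)
        if got is None or want is None:
            return "no state to compare"
        return "ok" if secrets.compare_digest(got, want) else "state mismatch"

def run_flow(server_url, browser_url):
    """Start the flow at browser_url, then follow the provider's redirect back."""
    browser, client = Browser(), OAuthClient(server_url)
    return client.callback(browser, client.start_flow(browser, browser_url))

if __name__ == "__main__":
    # Constructed host names: "ci" resolves through a DNS search domain.
    print(run_flow("https://ci.corp.example", "https://ci.corp.example/"))  # same host
    print(run_flow("https://ci.corp.example", "https://ci/"))  # short name in browser
```

In the second call the callback arrives on a host name for which the browser holds no session cookie, so the server has no stored state to compare against even though the `state` parameter is present in the URL.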
