[Bug] Known Issue with Better Auth SSO Plugin #29

Closed
opened 2025-10-31 15:28:09 -05:00 by GiteaMirror · 1 comment
Originally created by @arunavo4 on GitHub (Jul 26, 2025).

When configuring SSO providers in Gitea Mirror, the offline_access scope causes authentication failures with certain providers that don't support this OpenID Connect standard scope.

Affected Providers

  • Google OAuth - Returns error: Error 400: invalid_scope with message:
    Access blocked: authorisation error
    Some requested scopes were invalid. {valid=[openid, https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/userinfo.profile], invalid=[offline_access]}

Current Behavior

  • The application allows users to select offline_access scope for all providers
  • A warning message is displayed when Google is detected as the issuer
  • Users must manually deselect offline_access for incompatible providers

Expected Behavior

Users should be aware of which providers support offline_access scope to avoid authentication errors.

Workaround

When configuring Google OAuth or other providers that don't support offline_access:

Supported

Common SSO providers that support the offline_access scope:

  1. Microsoft/Azure AD - Supports offline_access for refresh tokens
  2. Auth0 - Supports offline_access
  3. Okta - Supports offline_access
  4. Keycloak - Supports offline_access
  5. AWS Cognito - Supports offline_access
  6. Ping Identity - Supports offline_access
  7. OneLogin - Supports offline_access
  8. Salesforce - Supports offline_access (as refresh_token)

Providers that don't support offline_access:

  • Google - Uses access_type=offline parameter instead
  • GitHub - No offline_access scope
  • GitLab - Uses different mechanism for refresh tokens

The offline_access scope is part of the OpenID Connect specification for requesting refresh tokens, allowing applications to obtain new access tokens without user interaction.

Better-Auth Ref Issue: https://github.com/better-auth/better-auth/issues/2360
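The provider-specific scope handling this issue describes, as an added TypeScript example that is not part of Gitea Mirror or Better Auth: it drops offline_access for the issuers the issue lists as not supporting it and substitutes Google's access_type=offline parameter. The issuer hostnames, the requestedScopes input and the sample Okta/GitHub values are assumptions.

```typescript
// Added example (not Gitea Mirror / Better Auth code): derive OIDC
// authorization-request parameters from the issuer and the scopes the user
// selected, so a provider that rejects offline_access does not fail with
// invalid_scope while refresh tokens are still requested where possible.

interface AuthorizationParams {
  scope: string;                  // space-delimited value of the scope parameter
  extra: Record<string, string>;  // additional query parameters to append
  warnings: string[];             // what was changed and why (for the UI)
}

// Assumed: issuer may be a bare host or a full URL; normalise to a hostname.
function issuerHost(issuer: string): string {
  const url = issuer.includes("://") ? issuer : `https://${issuer}`;
  return new URL(url).hostname.toLowerCase();
}

function buildAuthorizationParams(issuer: string, requestedScopes: string[]): AuthorizationParams {
  const host = issuerHost(issuer);
  const scopes = new Set(requestedScopes);
  const extra: Record<string, string> = {};
  const warnings: string[] = [];

  if (scopes.has("offline_access")) {
    if (host === "accounts.google.com") {
      // Google returns invalid_scope for offline_access (see the error above);
      // its refresh-token mechanism is the access_type=offline query parameter.
      scopes.delete("offline_access");
      extra["access_type"] = "offline";
      warnings.push("offline_access removed for Google; using access_type=offline instead");
    } else if (host === "github.com") {
      // GitHub defines no offline_access scope at all.
      scopes.delete("offline_access");
      warnings.push("offline_access removed: GitHub has no such scope");
    } else if (host === "gitlab.com") {
      // GitLab uses a different refresh-token mechanism; keep the request valid.
      scopes.delete("offline_access");
      warnings.push("offline_access removed: GitLab uses a different refresh mechanism");
    }
    // Providers such as Okta, Auth0 or Keycloak keep offline_access unchanged.
  }

  return { scope: Array.from(scopes).join(" "), extra, warnings };
}
```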

@arunavo4 commented on GitHub (Oct 22, 2025):

looks like the latest beta version solves this issue

Reference: github-starred/gitea-mirror#29