Disable password logins when oauth2 is used #11066

New Issue

Closed

opened 2025-11-02 09:26:36 -06:00 by GiteaMirror · 9 comments

GiteaMirror commented 2025-11-02 09:26:36 -06:00

Owner

Copy Link

Originally created by @luna-duclos on GitHub (Jun 20, 2023).

Feature Description

It would be great if gitea would allow me to disable password changes for users who's account has been created via an oauth2 login and disallow them to login using it even if they had set it.

As well as hide the relevant components of the web UI.

a PR for this was made in the past: #19344, but it seems it was closed without review. I was wondering if it would be something that is ok to potentially recontribute ?

Screenshots

No response

Originally created by @luna-duclos on GitHub (Jun 20, 2023). ### Feature Description It would be great if gitea would allow me to disable password changes for users who's account has been created via an oauth2 login and disallow them to login using it even if they had set it. As well as hide the relevant components of the web UI. a PR for this was made in the past: #19344, but it seems it was closed without review. I was wondering if it would be something that is ok to potentially recontribute ? ### Screenshots _No response_

GiteaMirror added the type/proposaltype/feature labels 2025-11-02 09:26:36 -06:00

GiteaMirror closed this issue 2025-11-02 09:26:36 -06:00

GiteaMirror commented 2025-11-02 09:26:37 -06:00

Author

Owner

Copy Link

@lunny commented on GitHub (Jun 20, 2023):

Should that be an option of this OAuth2 source setting?

@lunny commented on GitHub (Jun 20, 2023): Should that be an option of this OAuth2 source setting?

GiteaMirror commented 2025-11-02 09:26:38 -06:00

Author

Owner

Copy Link

@silverwind commented on GitHub (Jun 20, 2023):

Has to be a global config option I assume as there can be multiple oauth sources etc. Also, it is quite a risky thing because if oauth provider is down, not even admin can log in.

@silverwind commented on GitHub (Jun 20, 2023): Has to be a global config option I assume as there can be multiple oauth sources etc. Also, it is quite a risky thing because if oauth provider is down, not even admin can log in.

GiteaMirror commented 2025-11-02 09:26:38 -06:00

Author

Owner

Copy Link

@wxiaoguang commented on GitHub (Jun 21, 2023):

I do not think this issue can be resolved by "easy" patches.

See

• https://github.com/go-gitea/gitea/issues/24821

The first step IMO is to have a (nearly) complete design,to define the expected behaviors for various situations.

@wxiaoguang commented on GitHub (Jun 21, 2023): I do not think this issue can be resolved by "easy" patches. See * https://github.com/go-gitea/gitea/issues/24821 > The first step IMO is to have a (nearly) complete design,to define the expected behaviors for various situations.

GiteaMirror commented 2025-11-02 09:26:38 -06:00

Author

Owner

Copy Link

@luna-duclos commented on GitHub (Jun 21, 2023):

Has to be a global config option I assume as there can be multiple oauth sources etc. Also, it is quite a risky thing because if oauth provider is down, not even admin can log in.

As long as its an app.ini setting, whoever administers the instance could disable it again to log in as admin again, no ?

@luna-duclos commented on GitHub (Jun 21, 2023): > Has to be a global config option I assume as there can be multiple oauth sources etc. Also, it is quite a risky thing because if oauth provider is down, not even admin can log in. As long as its an app.ini setting, whoever administers the instance could disable it again to log in as admin again, no ?

GiteaMirror commented 2025-11-02 09:26:38 -06:00

Author

Owner

Copy Link

@jaltgen commented on GitHub (Jun 5, 2024):

I'd be in favor of this as well, Portainer has this option in the GUI, for example 👍 I understand it may not fit in the current scope of work or schedule, its just one of those small things that may increase security and make adoption with organisations easier?

@jaltgen commented on GitHub (Jun 5, 2024): I'd be in favor of this as well, Portainer has this option in the GUI, for example 👍 I understand it may not fit in the current scope of work or schedule, its just one of those small things that may increase security and make adoption with organisations easier?

GiteaMirror commented 2025-11-02 09:26:38 -06:00

Author

Owner

Copy Link

@gtherond commented on GitHub (Sep 9, 2024):

I'd like to second this as we exactly use that with our on-premise coder (coder.com) instance and it works like a bliss as we can still enable back the password based login by just switching back the environment variable to its default value.

This allows us (as long as with the disabled signup feature) to tightly control who access and sign in the forge.

Additionally, we're using a kubernetes deployment so switching back some env vars is swift and smooth without any visible interrupt for our users.

@gtherond commented on GitHub (Sep 9, 2024): I'd like to second this as we exactly use that with our on-premise coder (coder.com) instance and it works like a bliss as we can still enable back the password based login by just switching back the environment variable to its default value. This allows us (as long as with the disabled signup feature) to tightly control who access and sign in the forge. Additionally, we're using a kubernetes deployment so switching back some env vars is swift and smooth without any visible interrupt for our users.

GiteaMirror commented 2025-11-02 09:26:39 -06:00

Author

Owner

Copy Link

@phluxx commented on GitHub (Nov 9, 2024):

Third for this request

@phluxx commented on GitHub (Nov 9, 2024): Third for this request

GiteaMirror commented 2025-11-02 09:26:39 -06:00

Author

Owner

Copy Link

@Edo78 commented on GitHub (Jan 21, 2025):

I just installed gitea and I'm working through the configuration options to have it tailored to my needs.
I found

ENABLE_BASIC_AUTHENTICATION: true: Disable this to disallow authentication using HTTP BASIC and the user's password. Please note if you disable this you will not be able to access the tokens API endpoints using a password. Further, this only disables BASIC authentication using the password - not tokens or OAuth Basic.

ENABLE_PASSWORD_SIGNIN_FORM: true: Show the password login form (for password-based login). If you set it to false, maybe it also needs to set ENABLE_BASIC_AUTHENTICATION to false to completely disable password-based authentication.

but even with both set to false the login form is still there.
Then I came here searching for an answer but, while writing this comment, I noticed the latest helm chart is for version 1.22.3 while the latest gitea release is the 1.23.1 ... I forced the chart to use the latest release and the two options worked like a charm and the login form vanished ...

... so why is this issue still open? Am I missing something?

@Edo78 commented on GitHub (Jan 21, 2025): I just installed gitea and I'm working through the configuration options to have it tailored to my needs. I found ``` ENABLE_BASIC_AUTHENTICATION: true: Disable this to disallow authentication using HTTP BASIC and the user's password. Please note if you disable this you will not be able to access the tokens API endpoints using a password. Further, this only disables BASIC authentication using the password - not tokens or OAuth Basic. ENABLE_PASSWORD_SIGNIN_FORM: true: Show the password login form (for password-based login). If you set it to false, maybe it also needs to set ENABLE_BASIC_AUTHENTICATION to false to completely disable password-based authentication. ``` but even with both set to `false` the login form is still there. Then I came here searching for an answer but, while writing this comment, I noticed the latest helm chart is for version 1.22.3 while the latest gitea release is the 1.23.1 ... I forced the chart to use the latest release and the two options worked like a charm and the login form vanished ... ... so why is this issue still open? Am I missing something?

GiteaMirror commented 2025-11-02 09:26:39 -06:00

Author

Owner

Copy Link

@wxiaoguang commented on GitHub (Jan 21, 2025):

Yes, I think this issue has been resolved in 1.23 (there are too many related issues, this one is missing to close)

Thank you for your feedback!

@wxiaoguang commented on GitHub (Jan 21, 2025): Yes, I think this issue has been resolved in 1.23 (there are too many related issues, this one is missing to close) Thank you for your feedback!

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/v1.25

release/v1.24

release/v1.23

release/v1.22

release/v1.21

release/v1.20

release/v1.19

release/v1.18

release/v1.17

release/v1.16

release/v1.15

release/v1.14

release/v1.13

release/v1.12

release/v1.11

release/v1.10

release/v1.9

release/v1.8

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

$20

$250

$50

$500

backport/done

💎 Bounty

docs-update-needed

good first issue

hacktoberfest

issue/bounty

issue/confirmed

issue/critical

issue/duplicate

issue/needs-feedback

issue/not-a-bug

issue/regression

issue/stale

issue/workaround

lgtm/need 2

modifies/api

modifies/translation

outdated/backport/v1.18

outdated/theme/markdown

outdated/theme/timetracker

performance/bigrepo

performance/cpu

performance/memory

performance/speed

pr/breaking

proposal/accepted

proposal/rejected

pr/wip

pull-request

Mirrored from GitHub Pull Request

reviewed/wontfix

💰 Rewarded

skip-changelog

status/blocked

topic/accessibility

topic/api

topic/authentication

topic/build

topic/code-linting

topic/commit-signing

topic/content-rendering

topic/deployment

topic/distribution

topic/federation

topic/gitea-actions

topic/issues

topic/lfs

topic/mobile

topic/moderation

topic/packages

topic/pr

topic/projects

topic/repo

topic/repo-migration

topic/security

topic/theme

topic/ui

topic/ui-interaction

topic/ux

topic/webhooks

topic/wiki

type/bug

type/deprecation

type/docs

type/enhancement

type/feature

type/miscellaneous

type/proposal

type/question

type/refactoring

type/summary

type/testing

type/upstream

No Label type/feature type/proposal

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#11066