github-starred/gitea
2
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-05-21 11:55:31 -05:00
Code Issues 2.6k Packages Projects Releases 100 Wiki Activity

OIDC custom url for token and auth #12514

New Issue
Open
opened 2025-11-02 10:12:23 -06:00 by GiteaMirror · 2 comments
GiteaMirror commented 2025-11-02 10:12:23 -06:00
Owner
Copy Link

Originally created by @adriy-be on GitHub (Feb 22, 2024).

Feature Description

Hi,
I have deployed zitadel to have an SSO with OpenID in my home lab.
So due it's a container I want to put a custom url for token and auth.
The internal communication between gitea and zitadel is on a dedicated docker network and use http on port 8080 but the communication with the user use external network (wan) who use https.
For example, in nextcloud there is my config :
Auth url : https://sso.my.domain/oauth/v2/authorize
Token url : http://sso.my.domain:8080/oauth/v2/token

Also, there is my https://sso.my.domain/.well-known/openid-configuration

{"issuer":"https://sso.my.domain","authorization_endpoint":"https://sso.my.domain/oauth/v2/authorize","token_endpoint":"https://sso.my.domain/oauth/v2/token","introspection_endpoint":"https://sso.my.domain/oauth/v2/introspect","userinfo_endpoint":"https://sso.my.domain/oidc/v1/userinfo","revocation_endpoint":"https://sso.my.domain/oauth/v2/revoke","end_session_endpoint":"https://sso.my.domain/oidc/v1/end_session","device_authorization_endpoint":"https://sso.my.domain/oauth/v2/device_authorization","jwks_uri":"https://sso.my.domain/oauth/v2/keys","scopes_supported":["openid","profile","email","phone","address","offline_access"],"response_types_supported":["code","id_token","id_token token"],"grant_types_supported":["authorization_code","implicit","refresh_token","client_credentials","urn:ietf:params:oauth:grant-type:jwt-bearer","urn:ietf:params:oauth:grant-type:device_code"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"],"request_object_signing_alg_values_supported":["RS256"],"token_endpoint_auth_methods_supported":["none","client_secret_basic","client_secret_post","private_key_jwt"],"token_endpoint_auth_signing_alg_values_supported":["RS256"],"revocation_endpoint_auth_methods_supported":["none","client_secret_basic","client_secret_post","private_key_jwt"],"revocation_endpoint_auth_signing_alg_values_supported":["RS256"],"introspection_endpoint_auth_methods_supported":["client_secret_basic","private_key_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["RS256"],"claims_supported":["sub","aud","exp","iat","iss","auth_time","nonce","acr","amr","c_hash","at_hash","act","scopes","client_id","azp","preferred_username","name","family_name","given_name","locale","email","email_verified","phone_number","phone_number_verified"],"code_challenge_methods_supported":["S256"],"ui_locales_supported":["bg","cs","de","en","es","fr","it","ja","mk","nl","pl","pt","ru","zh"],"request_parameter_supported":true,"request_uri_parameter_supported":false}

Thanks

Screenshots

No response

Originally created by @adriy-be on GitHub (Feb 22, 2024). ### Feature Description Hi, I have deployed zitadel to have an SSO with OpenID in my home lab. So due it's a container I want to put a custom url for token and auth. The internal communication between gitea and zitadel is on a dedicated docker network and use http on port 8080 but the communication with the user use external network (wan) who use https. For example, in nextcloud there is my config : Auth url : https://sso.my.domain/oauth/v2/authorize Token url : http://sso.my.domain:8080/oauth/v2/token Also, there is my https://sso.my.domain/.well-known/openid-configuration ```json {"issuer":"https://sso.my.domain","authorization_endpoint":"https://sso.my.domain/oauth/v2/authorize","token_endpoint":"https://sso.my.domain/oauth/v2/token","introspection_endpoint":"https://sso.my.domain/oauth/v2/introspect","userinfo_endpoint":"https://sso.my.domain/oidc/v1/userinfo","revocation_endpoint":"https://sso.my.domain/oauth/v2/revoke","end_session_endpoint":"https://sso.my.domain/oidc/v1/end_session","device_authorization_endpoint":"https://sso.my.domain/oauth/v2/device_authorization","jwks_uri":"https://sso.my.domain/oauth/v2/keys","scopes_supported":["openid","profile","email","phone","address","offline_access"],"response_types_supported":["code","id_token","id_token token"],"grant_types_supported":["authorization_code","implicit","refresh_token","client_credentials","urn:ietf:params:oauth:grant-type:jwt-bearer","urn:ietf:params:oauth:grant-type:device_code"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"],"request_object_signing_alg_values_supported":["RS256"],"token_endpoint_auth_methods_supported":["none","client_secret_basic","client_secret_post","private_key_jwt"],"token_endpoint_auth_signing_alg_values_supported":["RS256"],"revocation_endpoint_auth_methods_supported":["none","client_secret_basic","client_secret_post","private_key_jwt"],"revocation_endpoint_auth_signing_alg_values_supported":["RS256"],"introspection_endpoint_auth_methods_supported":["client_secret_basic","private_key_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["RS256"],"claims_supported":["sub","aud","exp","iat","iss","auth_time","nonce","acr","amr","c_hash","at_hash","act","scopes","client_id","azp","preferred_username","name","family_name","given_name","locale","email","email_verified","phone_number","phone_number_verified"],"code_challenge_methods_supported":["S256"],"ui_locales_supported":["bg","cs","de","en","es","fr","it","ja","mk","nl","pl","pt","ru","zh"],"request_parameter_supported":true,"request_uri_parameter_supported":false} ``` Thanks ### Screenshots _No response_
GiteaMirror added the type/proposal label 2025-11-02 10:12:23 -06:00
GiteaMirror commented 2025-11-02 10:12:24 -06:00
Author
Owner
Copy Link

@adriy-be commented on GitHub (Feb 22, 2024):

I have changed my configuration of zitadel to always use https also for internal container communication.
That working, but I think have the possibility to have a custom url should be nice in certain case.

My case is 3 containers, caddy (acme/https), zitadel(sso/openid), and gitea. Both are interconnected with a docker network but only caddy can discuss with the worl on the port 443 and 80.

@adriy-be commented on GitHub (Feb 22, 2024): I have changed my configuration of zitadel to always use https also for internal container communication. That working, but I think have the possibility to have a custom url should be nice in certain case. My case is 3 containers, caddy (acme/https), zitadel(sso/openid), and gitea. Both are interconnected with a docker network but only caddy can discuss with the worl on the port 443 and 80.
GiteaMirror commented 2025-11-02 10:12:25 -06:00
Author
Owner
Copy Link

@buckybytes commented on GitHub (Mar 9, 2024):

It's possible your meaning was lost in translation, but this seems like this is just a matter of configuring DNS within your internal Docker network. As far as Gitea is concerned, you can set your endpoint URL's to whatever you like for an authentication source:

image

@buckybytes commented on GitHub (Mar 9, 2024): It's possible your meaning was lost in translation, but this seems like this is just a matter of configuring DNS within your internal Docker network. As far as Gitea is concerned, you can set your endpoint URL's to whatever you like for an authentication source: ![image](https://github.com/go-gitea/gitea/assets/158571971/49f447f1-8701-4946-a92f-a5d5ce4e253d)
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
$20
$250
$50
$500
backport/done
💎 Bounty
docs-update-needed
good first issue
hacktoberfest
issue/bounty
issue/confirmed
issue/critical
issue/duplicate
issue/needs-feedback
issue/not-a-bug
issue/regression
issue/stale
issue/workaround
lgtm/need 2
modifies/api
modifies/translation
outdated/backport/v1.18
outdated/theme/markdown
outdated/theme/timetracker
performance/bigrepo
performance/cpu
performance/memory
performance/speed
pr/breaking
proposal/accepted
proposal/rejected
pr/wip
pull-request
Mirrored from GitHub Pull Request
 reviewed/wontfix
💰 Rewarded
skip-changelog
status/blocked
topic/accessibility
topic/api
topic/authentication
topic/build
topic/code-linting
topic/commit-signing
topic/content-rendering
topic/deployment
topic/distribution
topic/federation
topic/gitea-actions
topic/issues
topic/lfs
topic/mobile
topic/moderation
topic/packages
topic/pr
topic/projects
topic/repo
topic/repo-migration
topic/security
topic/theme
topic/ui
topic/ui-interaction
topic/ux
topic/webhooks
topic/wiki
type/bug
type/deprecation
type/docs
type/enhancement
type/feature
type/miscellaneous
type/proposal
type/question
type/refactoring
type/summary
type/testing
type/upstream
No Label type/proposal
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#12514
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?