Configure oauth2_client from env #13464

Open
opened 2025-11-02 10:43:07 -06:00 by GiteaMirror · 5 comments

Originally created by @3isenHeiM on GitHub (Sep 6, 2024).

Description

I'm provisioning an OAuth2 (authentik, https://docs.goauthentik.io/integrations/services/gitea/) client using env variables in the docker compose file.

Here are the complete env variables I'm passing to the container:

```yaml
- GITEA__ENABLE_AUTO_REGISTRATION=true
- GITEA__SECURITY__INSTALL_LOCK=true
- GITEA__openid__ENABLE_OPENID_SIGNIN=false
- GITEA__openid__ENABLE_OPENID_SIGNUP=false
- GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION=true
- GITEA__oauth2_client__ENABLE=true
- GITEA__oauth2_client__ENABLE_AUTO_REGISTRATION=true
- GITEA__oauth2_client__REGISTER_EMAIL_CONFIRM=false
- GITEA__oauth2_client__PROVIDER_NAME=Authentik
- GITEA__oauth2_client__CLIENT_ID=<REDACTED>
- GITEA__oauth2_client__CLIENT_SECRET=<REDACTED>
- GITEA__oauth2_client__ISSUER_URL=https://auth.tld/application/o/gitea
- GITEA__oauth2_client__AUTO_DISCOVER_URL=https://auth.tld/application/o/gitea/.well-known/openid-configuration
- GITEA__oauth2_client__USE_ADMIN_GROUP=true
- GITEA__oauth2_client__OPENID_CONNECT_SCOPES=profile,email
- GITEA__oauth2_client__ACCOUNT_LINKING=auto
- GITEA__oauth2_client__USERNAME=preferred_username
```

These variables correctly populate the app.ini.

However, I don't see the "Sign in with OAuth" button on the homepage.

What am I missing in my configuration?

Thanks

Gitea Version

1.22.1

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

![image](https://github.com/user-attachments/assets/1cb9fe5a-c732-4ffd-9584-7550d5fabf3b)

Git Version

No response

Operating System

No response

How are you running Gitea?

docker-compose

Database

MySQL/MariaDB

GiteaMirror added the type/proposal and issue/workaround labels 2025-11-02 10:43:07 -06:00

@yp05327 commented on GitHub (Sep 9, 2024):

You should add an Authentication Source in the admin panel or using the command line.
But it seems that we have no oauth2 provider for authentik.

PS: it is read/saved in the DB, not from the settings file (env).


@3isenHeiM commented on GitHub (Sep 9, 2024):

So no way to define this in a headless way? Is env-to-ini (https://github.com/go-gitea/gitea/blob/main/contrib/environment-to-ini/environment-to-ini.go) not working?

I could do it by modifying the docker file to add it via CLI though...

Anyway, authentik is just a standard OpenID provider, it should work ;)


@yp05327 commented on GitHub (Sep 10, 2024):

> So no way to define this in a headless way? Is env-to-ini not working?

Actually, I cannot find some settings like PROVIDER_NAME, ISSUER_URL... in oauth2_client.
Where did you find them?

The usable settings are here: https://github.com/go-gitea/gitea/blob/main/custom/conf/app.example.ini#L1552

> I could do it by modifying the docker file to add it via CLI though

If you only want to add the oauth2 source, it will only work on an existing instance, as the DB needs to be initialised first.
So for a new one, you should init the instance first, and of course, this can be done by CLI.

> Anyway, authentik is just a standard OpenID provider, it should work ;)

I think so. But maybe you need more settings in app.ini.
I didn't try it; maybe others can give you more advice.

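The point made in this thread is that the `[oauth2_client]` keys in app.ini (and therefore the `GITEA__oauth2_client__*` env variables in the description) only tune how OAuth2 logins behave; the provider itself is an Authentication Source row in the database, which has to be created through the admin panel or `gitea admin auth add-oauth` once the instance is initialised. The script below is an added example of doing that headlessly, not code from the thread or from Gitea: it checks `gitea admin auth list` so a restart does not create a duplicate source, and passes the client secret as an argv element rather than pasting it into a shell string. It assumes the CLI is reached via `docker exec -u git <container> gitea` (overridable with a GITEA_CLI env var), that the provider settings arrive in env vars with an assumed `OIDC_` prefix, and that the database has already been migrated; the sample `auth list` output is constructed.

```python
#!/usr/bin/env python3
"""Idempotent, headless provisioning of a Gitea OAuth2 authentication source.

Example added to this thread, not Gitea's own tooling. Assumptions (none come
from the thread): the Gitea CLI is reached as `docker exec -u git <container>
gitea ...` (override with GITEA_CLI, e.g. "gitea" on a bare-metal install); the
provider settings arrive in env vars with an OIDC_ prefix; the instance is
already initialised (INSTALL_LOCK=true, DB migrated), because authentication
sources live in the database, not in app.ini.
"""
import os
import re
import shlex
import subprocess
import sys
from typing import Callable, Dict, List, Optional

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"

# Constructed sample of `gitea admin auth list` output (header plus one row),
# used by the dry run below; Gitea pads the columns with tabs.
SAMPLE_LIST_OUTPUT = "ID\tName\tType\tEnabled\n1\tAuthentik\tOAuth2\ttrue\n"


def parse_auth_list(text: str) -> List[Dict[str, str]]:
    """Parse the ID/Name/Type/Enabled table; tolerate tab or space padding."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("ID"):
            continue
        fields = [f.strip() for f in re.split(r"\t+", line) if f.strip()]
        if len(fields) < 4:  # columns were re-padded with spaces
            fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        rows.append({"id": fields[0], "name": " ".join(fields[1:-2]),
                     "type": fields[-2], "enabled": fields[-1]})
    return rows


def source_exists(list_output: str, name: str) -> bool:
    return any(row["name"] == name for row in parse_auth_list(list_output))


def build_add_command(name: str, client_id: str, client_secret: str,
                      discover_url: str, scopes: List[str],
                      icon_url: Optional[str] = None,
                      admin_group: Optional[str] = None) -> List[str]:
    """argv for `gitea admin auth add-oauth`, built as a list so no shell ever
    parses the secret: quotes, `$` or backticks in it cannot break the command."""
    if not client_id or not client_secret:
        raise ValueError("client id and secret must both be set")
    if not discover_url.startswith("https://") or not discover_url.endswith(DISCOVERY_SUFFIX):
        raise ValueError(f"discovery URL must be https and end with {DISCOVERY_SUFFIX}")
    argv = ["admin", "auth", "add-oauth", "--name", name,
            "--provider", "openidConnect",
            "--key", client_id, "--secret", client_secret,
            "--auto-discover-url", discover_url,
            "--scopes", ",".join(s.strip() for s in scopes if s.strip())]
    if icon_url:
        argv += ["--icon-url", icon_url]
    if admin_group:  # members of this IdP group (claim "groups") become Gitea admins
        argv += ["--group-claim-name", "groups", "--admin-group", admin_group]
    return argv


def gitea_cli() -> List[str]:
    override = os.environ.get("GITEA_CLI")
    if override:
        return shlex.split(override)
    container = os.environ.get("GITEA_CONTAINER", "gitea-server")  # assumed name
    return ["docker", "exec", "-u", "git", container, "gitea"]


def run_cli(argv: List[str]) -> str:
    """Run the CLI; on failure report only the exit code and stderr so the
    secret in argv never lands in a log line."""
    proc = subprocess.run(gitea_cli() + argv, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"gitea {argv[:3]} failed ({proc.returncode}): {proc.stderr.strip()}")
    return proc.stdout


def provision(run: Callable[[List[str]], str] = run_cli,
              env: Optional[Dict[str, str]] = None) -> str:
    """Add the source only if none of that name exists; returns 'added' or 'exists'."""
    env = dict(os.environ) if env is None else env
    name = env.get("OIDC_NAME", "Authentik")
    if source_exists(run(["admin", "auth", "list"]), name):
        return "exists"
    run(build_add_command(name, env.get("OIDC_CLIENT_ID", ""), env.get("OIDC_CLIENT_SECRET", ""),
                          env.get("OIDC_DISCOVER_URL", ""),
                          env.get("OIDC_SCOPES", "openid,profile,email").split(","),
                          env.get("OIDC_ICON_URL"), env.get("OIDC_ADMIN_GROUP")))
    return "added"


if __name__ == "__main__":
    if "--apply" in sys.argv:
        print(provision())
    else:  # dry run against the constructed sample: Authentik is already listed
        print(provision(lambda argv: SAMPLE_LIST_OUTPUT, {}))
```

Run it with `--apply` from the host after the database has been migrated (for a fresh compose stack that means after the first successful start with INSTALL_LOCK=true). Even with argv passing, the secret is visible in the container's process list for the duration of the command and in anything that records `docker exec` arguments, so run it once at provisioning time rather than on every start.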

@3isenHeiM commented on GitHub (Sep 10, 2024):

I don't recall where I found them.

Anyway, I ended up writing a python script to run the command afterwards.

For others having the same issue, here is the snippet:

```python
#!/usr/bin/env python3

import os
import shlex
import sys
import time

import docker

# The original snippet used these without defining them; read them from
# the environment (the variable names are an assumption, not Gitea's)
client_id = os.environ["OIDC_CLIENT_ID"]
client_secret = os.environ["OIDC_CLIENT_SECRET"]
autodiscover_url = os.environ["OIDC_AUTODISCOVER_URL"]
icon_url = os.environ.get("OIDC_ICON_URL", "")


# Get container by name
def find_container_by_name(client, container_name):
    # List all containers (including stopped ones)
    containers = client.containers.list(all=True)

    # Find container by name
    for container in containers:
        if container_name in container.name:
            return container
    return None


# Run command in container
def run_command(container, command):
    # Wait until the container is running
    while container.status != "running":
        print(f"Waiting for container '{container.name}' to be ready...")
        time.sleep(2)
        container.reload()  # Refresh container status

    print(f"Container '{container.name}' is running.")

    # Run the command inside the container; passing a list means the Docker
    # SDK does not split the string a second time
    exec_result = container.exec_run(command)
    print(f"Command output: {exec_result.output.decode('utf-8')}")
    return exec_result.exit_code


# Run the command to configure the OAUTH inside Gitea.
# This can only be done via a CLI inside the container.
# Initialize Docker client
client = docker.from_env()

# Find container by name
container_name = "gitea-server"
gitea_container = find_container_by_name(client, container_name)
if gitea_container is None:
    print(f"Container '{container_name}' not found!")
    sys.exit(1)

# `su -c` hands its argument to a shell, so every value is shell-quoted:
# a secret containing quotes or `$` would otherwise break or be expanded
gitea_args = [
    "gitea", "admin", "auth", "add-oauth",
    "--name", "Authentik",
    "--provider", "openidConnect",
    "--key", client_id,
    "--secret", client_secret,
    "--auto-discover-url", autodiscover_url,
    "--scopes", "profile,email",
]
if icon_url:
    gitea_args += ["--icon-url", icon_url]
command = ["su", "-c", " ".join(shlex.quote(a) for a in gitea_args), "git"]

if run_command(gitea_container, command) != 0:
    sys.exit(1)
```

Maybe it would be good to have a feature to provide the DB from the config file, to allow for headless configuration of the service with env variables.


@christophmatt1 commented on GitHub (Sep 6, 2025):

I would also support this feature request – especially for setups where only a single authentication source is used and should be enforced.

It would also be great to extend this by adding an option to automatically redirect users to the configured OAuth2/OpenID provider, instead of showing the default login page first. This would make the login flow more seamless in single-provider environments.

Reference: github-starred/gitea#13464