Oauth2 OpenID Connect authentication source - redirect fails sending user to gitea instead of auth service resulting in 404 #13644

Closed
opened 2025-11-02 10:49:13 -06:00 by GiteaMirror · 3 comments

Originally created by @hulto on GitHub (Oct 28, 2024).

Description

I'm trying to configure gitea with my vault server as an authentication source using Oauth2.
I followed the prompts under:
Identity & Access > Authentication Sources > Add Authentication Source

```
Authentication Type: OAuth2
Authentication Name: Vault2
OAuth2 Provider: OpenID Connect
Client ID (Key): wWOeykAzVxxRDJpQEGRVnuYtef0Au6HZ
Client Secret: [Redacted]
Skip local 2FA: True
```

When I log in to gitea with my custom Oauth2 source:
Sign in > Sign in > Sign in with vault2

gitea redirects me to:
http://<gitea URL>/<authorization_endpoint>
Instead of the expected:
https://<vault URL>/<authorization_endpoint>

Resulting in a 404.

Gitea Version

1.22.3

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

Auth source configuration
![image](https://github.com/user-attachments/assets/7d96e747-4840-4db6-a987-1becefd05507)

openid-configuration JSON
![image](https://github.com/user-attachments/assets/ed4c038f-ab8f-476d-a054-d76b9cd3e3fb)

Signing in with OpenID vault2
![image](https://github.com/user-attachments/assets/3b8778f2-6758-4dd6-bd49-0b0f90253359)

Unexpected 404 error
![image](https://github.com/user-attachments/assets/e9622fd0-7d9f-4f1b-ae79-efc81fc9b89c)

```
http://git.galaxygridlabs.com:3000/ui/vault/identity/oidc/provider/default/authorize?client_id=wWOeykAzVxxRDJpQEGRVnuYtef0Au6HZ&redirect_uri=http%3A%2F%2Fgit.galaxygridlabs.com%3A3000%2Fuser%2Foauth2%2Fvault2%2Fcallback&response_type=code&scope=openid&state=b0ad9b74-e2a9-4d4f-ae54-6e9e6baff1ec
```

Git Version

No response

Operating System

No response

How are you running Gitea?

Docker image `docker.io/gitea/gitea:1.22.3@sha256:76f516a1a8c27e8f8e9773639bf337c0176547a2d42a80843e3f2536787341c6`
Using GCP COS.

Setup with pulumi golang.

```go
// Imports assumed for this excerpt (the post shows only the function; the SDK
// major versions are an assumption). The common package, the Gitea type and
// giteaDataDiskSizeGB are defined elsewhere in the author's project.
import (
	"fmt"

	"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/compute"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func NewGitea(ctx *pulumi.Context, gcpProject string, gcpRegion string, resourceId string) (*Gitea, error) {
	// Setup boiler plate
	gitRes := &Gitea{
		Id: resourceId,
	}

	err := ctx.RegisterComponentResource(fmt.Sprintf("pkg:index:gcp:Gitea:%s", resourceId), "gitea", gitRes)
	if err != nil {
		return nil, err
	}

	// Create gitea storage disk
	dataDisk, err := compute.NewDisk(ctx, "giteadata", &compute.DiskArgs{
		Size: pulumi.Int(giteaDataDiskSizeGB),
	})
	if err != nil {
		return nil, err
	}

	// Container declaration consumed by Container-Optimized OS (gce-container-declaration metadata)
	specStr := `
spec:
  containers:
  - name: gitea
    image: docker.io/gitea/gitea:1.22.3@sha256:76f516a1a8c27e8f8e9773639bf337c0176547a2d42a80843e3f2536787341c6
    env:
    - name: DISABLE_REGISTRATION
      value: 'true'
    - name: USER_UID
      value: '1000'
    - name: USER_GID
      value: '1000'
    volumeMounts:
    - name: pd-0
      readOnly: false
      mountPath: /data
    stdin: false
    tty: false
  volumes:
  - name: pd-0
    gcePersistentDisk:
      pdName: giteadata
      fsType: ext4
      partition: 0
      readOnly: false`

	containerSpec, err := common.NewSpec(ctx, "giteaspec", specStr, resourceId, nil)
	if err != nil {
		return nil, err
	}

	// Create new Container Optimized OS VM - running gitea
	instance, err := compute.NewInstance(ctx, "gitea", &compute.InstanceArgs{
		MachineType: pulumi.String("f1-micro"),
		BootDisk: compute.InstanceBootDiskArgs{
			InitializeParams: compute.InstanceBootDiskInitializeParamsArgs{
				Image: pulumi.String("projects/cos-cloud/global/images/cos-stable-113-18244-151-9"),
				Size:  pulumi.Int(10),
			},
		},
		AttachedDisks: compute.InstanceAttachedDiskArray{
			compute.InstanceAttachedDiskArgs{
				DeviceName: pulumi.String("giteadata"),
				Mode:       pulumi.String("READ_WRITE"),
				Source:     dataDisk.Name,
			},
		},
		NetworkInterfaces: compute.InstanceNetworkInterfaceArray{
			compute.InstanceNetworkInterfaceArgs{
				AccessConfigs: compute.InstanceNetworkInterfaceAccessConfigArray{
					&compute.InstanceNetworkInterfaceAccessConfigArgs{ // PREMIUM Tier doesn't allocate an ephemeral IP.
						NatIp:       pulumi.String(""),
						NetworkTier: pulumi.String("STANDARD"),
					},
				},
				Subnetwork: pulumi.String("default"),
				StackType:  pulumi.String("IPV4_ONLY"),
			},
		},
		ServiceAccount: compute.InstanceServiceAccountArgs{
			Scopes: pulumi.ToStringArray([]string{
				"https://www.googleapis.com/auth/cloud-platform",
			}),
		},
		AllowStoppingForUpdate: pulumi.Bool(true),
		Metadata: pulumi.StringMap{
			"gce-container-declaration": pulumi.String(containerSpec.Spec),
			"google-logging-enabled":    pulumi.String("false"),
			// "user-data":                 cloudInitMetadata.Rendered,
		},
		Tags: pulumi.ToStringArray([]string{}),
	}, pulumi.Parent(gitRes), pulumi.DeleteBeforeReplace(true), pulumi.ReplaceOnChanges([]string{"metadata"}))
	if err != nil {
		return nil, err
	}

	gitRes.MapOutput = pulumi.Map{
		"url": instance.NetworkInterfaces,
	}
	// RegisterResourceOutputs returns an error; the original dropped it.
	if err := ctx.RegisterResourceOutputs(gitRes, gitRes.MapOutput); err != nil {
		return nil, err
	}
	return gitRes, nil
}
```

Database

SQLite

GiteaMirror added the issue/needs-feedback, type/upstream labels 2025-11-02 10:49:13 -06:00

@lunny commented on GitHub (Oct 28, 2024):

Please confirm your ROOT_URL is the right one.


@wxiaoguang commented on GitHub (Oct 28, 2024):

> http://git.galaxygridlabs.com:3000/ui/vault/identity/oidc/provider/default/authorize?client_id=wWOeykAzVxxRDJpQEGRVnuYtef0Au6HZ&redirect_uri=http%3A%2F%2Fgit.galaxygridlabs.com%3A3000%2Fuser%2Foauth2%2Fvault2%2Fcallback&response_type=code&scope=openid&state=b0ad9b74-e2a9-4d4f-ae54-6e9e6baff1ec

It is "vault"'s problem. According to the OIDC spec, the URLs in the "well-known openid configuration" should be FULL URLs.

https://openid.net/specs/openid-connect-discovery-1_0.html

But your vault only responds with a relative path without scheme or host.

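To make the cause concrete, an added example in Go (not Gitea's or Vault's code): it parses a constructed discovery document in which only `authorization_endpoint` is a relative path, flags every endpoint that is not an absolute https URL, and shows how a browser resolves such a relative redirect against Gitea's own origin, producing exactly the kind of URL in the report. The host `vault.example.test` is a placeholder.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Discovery fields an RP such as Gitea relies on (OpenID Connect Discovery 1.0, section 3).
type providerMetadata struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
}

// checkDiscovery parses a discovery document and reports each endpoint that is not an absolute https URL.
func checkDiscovery(doc []byte) ([]string, error) {
	var md providerMetadata
	if err := json.Unmarshal(doc, &md); err != nil {
		return nil, err
	}
	fields := []struct{ name, value string }{
		{"issuer", md.Issuer}, {"authorization_endpoint", md.AuthorizationEndpoint},
		{"token_endpoint", md.TokenEndpoint},
	}
	var problems []string
	for _, f := range fields {
		u, err := url.Parse(f.value)
		switch {
		case err != nil || !u.IsAbs() || u.Host == "": // empty or scheme/host-less value
			problems = append(problems, f.name+": missing, relative or unparsable: "+f.value)
		case u.Scheme != "https": // the spec requires https for every discovery URL
			problems = append(problems, f.name+": scheme is "+u.Scheme+", expected https")
		}
	}
	return problems, nil
}

// resolveLikeBrowser: a redirect Location without scheme or host is resolved against the page that sent it, i.e. the RP's origin.
func resolveLikeBrowser(rpPage, endpoint string) string {
	base, _ := url.Parse(rpPage)
	ref, _ := url.Parse(endpoint)
	return base.ResolveReference(ref).String()
}

func main() {
	// Constructed document modelled on the report: only the authorize endpoint is relative.
	doc := []byte(`{"issuer":"https://vault.example.test/v1/identity/oidc/provider/default",
"authorization_endpoint":"/ui/vault/identity/oidc/provider/default/authorize",
"token_endpoint":"https://vault.example.test/v1/identity/oidc/provider/default/token"}`)
	problems, _ := checkDiscovery(doc)
	fmt.Println(problems, resolveLikeBrowser("http://git.galaxygridlabs.com:3000/user/login", "/ui/vault/identity/oidc/provider/default/authorize"))
}
```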

@hulto commented on GitHub (Oct 28, 2024):

Ahh thanks @wxiaoguang you're totally right.


Reference: github-starred/gitea#13644