Account linking after adding OpenID Connect does not work #14017

Closed
opened 2025-11-02 11:00:19 -06:00 by GiteaMirror · 6 comments

Originally created by @ln-12 on GitHub (Jan 19, 2025).

Description

I am trying to add authelia as an OpenID provider by following the instructions [here](https://www.authelia.com/integration/openid-connect/gitea/). It seems like everything is working fine except the account linking part. I already have an administrator account setup locally and want to access the same account via authelia. The name and email are identical in Gitea and authelia.

On the login page, I click on "Sign in with authelia":

Image

I am then redirected to my authelia instance where I can log into my account. After granting access, I am redirected to Gitea where I am greeted with the following screen (I cannot use the option "Register New Account" as I already have an account setup with the same name and email):

Image

I would expect a login form to show here instead of the blank area under the heading. Using the passkey option, I can login but it seems like the account is still not connected. When logging out and in again (with authelia) I am again redirected to this linking screen although I would expect the process to only be needed once.

Here is my config (note that I of course replaced my-domain.com and the client secret with the correct values in my actual config):

app.ini

```ini
[openid]
ENABLE_OPENID_SIGNIN = false
ENABLE_OPENID_SIGNUP = true
WHITELISTED_URIS     = auth.my-domain.com

[oauth2_client]
REGISTER_EMAIL_CONFIRM = true
OPENID_CONNECT_SCOPES = openid email profile
USERNAME = email
ACCOUNT_LINKING = auto
ENABLE_AUTO_REGISTRATION = false
```

Image

From the log, I can see the following related entries:

```
gitea     | 2025/01/19 16:36:40 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/oauth2/authelia for A.X.Y.Z:0, 307 Temporary Redirect in 5.5ms @ auth/oauth.go:36(auth.SignInOAuth)
gitea     | 2025/01/19 16:36:41 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/oauth2/authelia/callback?code=SOME_CODE&iss=https%3A%2F%2Fauth.my-domain.com&scope=openid+email+profile&state=SOME_STATE for A.X.Y.Z:0, 303 See Other in 362.1ms @ auth/oauth.go:75(auth.SignInOAuthCallback)
gitea     | 2025/01/19 16:36:42 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/link_account for A.X.Y.Z:0, 200 OK in 3.0ms @ auth/linkaccount.go:31(auth.LinkAccount)
```

```
gitea     | 2025/01/19 16:45:42 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/link_account for A.X.Y.Z:0, 303 See Other in 3.1ms @ web/web.go:138(web.registerRoutes.verifyAuthWithOptions)
gitea     | 2025/01/19 16:45:42 ...eb/routing/logger.go:102:func1() [I] router: completed GET / for A.X.Y.Z:0, 200 OK in 33.4ms @ web/home.go:32(web.Home)
```

Gitea Version

1.23.1

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

compose.yml:

```yaml
services:
  gitea:
    image: docker.io/gitea/gitea:1.23.1
    container_name: gitea
    environment:
      - APP_NAME="Gitea"
      - USER_UID=1000
      - USER_GID=1000
      - USER=git
      - RUN_MODE=prod
      - DOMAIN=gitea.my-domain.com
      - SSH_DOMAIN=gitea.my-domain.com
      - HTTP_PORT=3000
      - ROOT_URL=https://gitea.my-domain.com
      - SSH_PORT=2222
      - SSH_LISTEN_PORT=22
      - DB_TYPE=sqlite3
    restart: unless-stopped
    volumes:
      - ./data:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - 2222:22
    labels:
      - traefik.enable=true
      - traefik.http.routers.gitea.entrypoints=https
      - traefik.http.routers.gitea.rule=Host(`gitea.my-domain.com`)
      - traefik.http.services.gitea.loadbalancer.server.port=3000

  runner:
    image: gitea/act_runner:0.2.11
    restart: unless-stopped
    depends_on:
      - gitea
    volumes:
      - ./data/act_runner:/data
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - GITEA_INSTANCE_URL=https://gitea.my-domain.com
      - GITEA_RUNNER_REGISTRATION_TOKEN=XYZ
      - GITHUB_COM_TOKEN=XYZ
```

Database

SQLite
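
The router log excerpt in the report records the full query string of the OAuth2 callback, including `code` and `state`, which the poster replaced by hand before posting. As an added example (not part of the original issue or of Gitea's code), the Python below parses router lines in that format, masks those two parameters, and counts per client how often a callback was immediately followed by the link-account page; the sample lines, the 192.0.2.x addresses and `auth.example.test` are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit

# Router log format as it appears in the issue's excerpt.
LINE_RE = re.compile(
    r"router: completed (?P<method>[A-Z]+) (?P<url>\S+) for (?P<client>\S+), "
    r"(?P<status>\d{3}) .*? @ [^\s(]+\((?P<func>[^)]+)\)")
SENSITIVE = {"code", "state"}  # assumption: callback parameters to mask before sharing

def redact(url):
    """Mask sensitive query parameters and keep the rest of the request target."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    query = [(k, "REDACTED" if k in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts.path + "?" + urlencode(query)

def parse(line):
    """Return a dict of fields for a router line, or None for any other line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["url"] = redact(ev["url"])
    ev["client"] = ev["client"].rsplit(":", 1)[0]  # drop the port
    return ev

def linking_prompts(lines):
    """Count, per client, OAuth callbacks whose next request hit the link page."""
    pending, prompts = set(), Counter()
    for ev in filter(None, map(parse, lines)):
        if ev["func"] == "auth.SignInOAuthCallback":
            pending.add(ev["client"])
        elif ev["client"] in pending:
            pending.discard(ev["client"])
            if ev["func"] == "auth.LinkAccount":
                prompts[ev["client"]] += 1
    return prompts

# Constructed sample: client .10 is sent to the link page on two sign-ins, .20 is not.
PREFIX = "gitea | 2025/01/19 16:36:41 ...eb/routing/logger.go:102:func1() [I] router: completed GET "
CALLBACK = ("/user/oauth2/authelia/callback?code=abc123&iss=https%3A%2F%2Fauth.example.test&scope=openid+email"
            "+profile&state=xyz789 for {ip}:0, 303 See Other in 362.1ms @ auth/oauth.go:75(auth.SignInOAuthCallback)")
LINK = "/user/link_account for {ip}:0, 200 OK in 3.0ms @ auth/linkaccount.go:31(auth.LinkAccount)"
HOME = "/ for {ip}:0, 200 OK in 33.4ms @ web/home.go:32(web.Home)"
SAMPLE = [PREFIX + t.format(ip=ip) for t, ip in [(CALLBACK, "192.0.2.10"), (LINK, "192.0.2.10"),
          (CALLBACK, "192.0.2.20"), (HOME, "192.0.2.20"), (CALLBACK, "192.0.2.10"), (LINK, "192.0.2.10")]]
print(parse(SAMPLE[0])["url"], dict(linking_prompts(SAMPLE)))
```

A count above 1 for one client matches the symptom in the report, where the link page is shown again on every sign-in.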

GiteaMirror added the issue/needs-feedback and type/bug labels 2025-11-02 11:00:19 -06:00

@wxiaoguang commented on GitHub (Jan 19, 2025):

It has been fixed in 1.23-nightly (which will be 1.23.2 soon): Fix Account linking page (#33325) #33327

* https://dl.gitea.com/gitea/1.23-nightly/
* https://hub.docker.com/r/gitea/gitea/tags?name=1.23-nightly

@wxiaoguang commented on GitHub (Jan 21, 2025):

Have you tried 1.23-nightly? It is a stable branch and contains many bug fixes.

If it has been fixed, I think this issue could be closed?


@ln-12 commented on GitHub (Jan 21, 2025):

Sorry, I didn't have the time yet. I'll let you know as soon as possible!


@JimKlapwijk commented on GitHub (Jan 21, 2025):

Hi @wxiaoguang, I ran into the same issue with Authentik, and tried the 1.23-nightly, and it is fixed.

Can you confirm it is correct that it says I need to link my account? Does this happen under an authorized session by <your OpenID provider>?

@wxiaoguang commented on GitHub (Jan 21, 2025):

> Can you confirm it is correct that it says I need to link my account? Does this happen under an authorized session by ?

Yes, I think it is right. Actually it is the correct behavior in 1.22 and old releases, 1.23.0 has a regression that the login form can't display correctly and it has been fixed in 1.23-nightly (and will be 1.23.2 soon)


@ln-12 commented on GitHub (Jan 22, 2025):

I can confirm that both the login form and the account linking work fine in version 1.23-nightly. Thank you for the fast help!

Reference: github-starred/gitea#14017