mirror of
https://github.com/go-gitea/gitea.git
synced 2026-03-13 02:57:44 -05:00
Add support for federated OpenID-Connect logins #527
Open
opened 2025-11-02 03:26:47 -06:00 by GiteaMirror
·
17 comments
No Branch/Tag Specified
main
release/v1.25
release/v1.24
release/v1.23
release/v1.22
release/v1.21
release/v1.20
release/v1.19
release/v1.18
release/v1.17
release/v1.16
release/v1.15
release/v1.14
release/v1.13
release/v1.12
release/v1.11
release/v1.10
release/v1.9
release/v1.8
v1.25.3
v1.25.2
v1.25.1
v1.25.0
v1.24.7
v1.25.0-rc0
v1.26.0-dev
v1.24.6
v1.24.5
v1.24.4
v1.24.3
v1.24.2
v1.24.1
v1.24.0
v1.23.8
v1.24.0-rc0
v1.25.0-dev
v1.23.7
v1.23.6
v1.23.5
v1.23.4
v1.23.3
v1.23.2
v1.23.1
v1.23.0
v1.23.0-rc0
v1.24.0-dev
v1.22.6
v1.22.5
v1.22.4
v1.22.3
v1.22.2
v1.22.1
v1.22.0
v1.23.0-dev
v1.22.0-rc1
v1.21.11
v1.22.0-rc0
v1.21.10
v1.21.9
v1.21.8
v1.21.7
v1.21.6
v1.21.5
v1.21.4
v1.21.3
v1.21.2
v1.20.6
v1.21.1
v1.21.0
v1.21.0-rc2
v1.21.0-rc1
v1.20.5
v1.22.0-dev
v1.21.0-rc0
v1.20.4
v1.20.3
v1.20.2
v1.20.1
v1.20.0
v1.19.4
v1.21.0-dev
v1.20.0-rc2
v1.20.0-rc1
v1.20.0-rc0
v1.19.3
v1.19.2
v1.19.1
v1.19.0
v1.19.0-rc1
v1.20.0-dev
v1.19.0-rc0
v1.18.5
v1.18.4
v1.18.3
v1.18.2
v1.18.1
v1.18.0
v1.17.4
v1.18.0-rc1
v1.19.0-dev
v1.18.0-rc0
v1.17.3
v1.17.2
v1.17.1
v1.17.0
v1.17.0-rc2
v1.16.9
v1.17.0-rc1
v1.18.0-dev
v1.16.8
v1.16.7
v1.16.6
v1.16.5
v1.16.4
v1.16.3
v1.16.2
v1.16.1
v1.16.0
v1.15.11
v1.17.0-dev
v1.16.0-rc1
v1.15.10
v1.15.9
v1.15.8
v1.15.7
v1.15.6
v1.15.5
v1.15.4
v1.15.3
v1.15.2
v1.15.1
v1.14.7
v1.15.0
v1.15.0-rc3
v1.14.6
v1.15.0-rc2
v1.14.5
v1.16.0-dev
v1.15.0-rc1
v1.14.4
v1.14.3
v1.14.2
v1.14.1
v1.14.0
v1.13.7
v1.14.0-rc2
v1.13.6
v1.13.5
v1.14.0-rc1
v1.15.0-dev
v1.13.4
v1.13.3
v1.13.2
v1.13.1
v1.13.0
v1.12.6
v1.13.0-rc2
v1.14.0-dev
v1.13.0-rc1
v1.12.5
v1.12.4
v1.12.3
v1.12.2
v1.12.1
v1.11.8
v1.12.0
v1.11.7
v1.12.0-rc2
v1.11.6
v1.12.0-rc1
v1.13.0-dev
v1.11.5
v1.11.4
v1.11.3
v1.10.6
v1.12.0-dev
v1.11.2
v1.10.5
v1.11.1
v1.10.4
v1.11.0
v1.11.0-rc2
v1.10.3
v1.11.0-rc1
v1.10.2
v1.10.1
v1.10.0
v1.9.6
v1.9.5
v1.10.0-rc2
v1.11.0-dev
v1.10.0-rc1
v1.9.4
v1.9.3
v1.9.2
v1.9.1
v1.9.0
v1.9.0-rc2
v1.10.0-dev
v1.9.0-rc1
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.8.0-rc3
v1.7.6
v1.8.0-rc2
v1.7.5
v1.8.0-rc1
v1.9.0-dev
v1.7.4
v1.7.3
v1.7.2
v1.7.1
v1.7.0
v1.7.0-rc3
v1.6.4
v1.7.0-rc2
v1.6.3
v1.7.0-rc1
v1.7.0-dev
v1.6.2
v1.6.1
v1.6.0
v1.6.0-rc2
v1.5.3
v1.6.0-rc1
v1.6.0-dev
v1.5.2
v1.5.1
v1.5.0
v1.5.0-rc2
v1.5.0-rc1
v1.5.0-dev
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.4.0-rc3
v1.4.0-rc2
v1.3.3
v1.4.0-rc1
v1.3.2
v1.3.1
v1.3.0
v1.3.0-rc2
v1.3.0-rc1
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.2.0-rc3
v1.2.0-rc2
v1.1.4
v1.2.0-rc1
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.2
v1.0.1
v1.0.0
v0.9.99
Labels
Clear labels
$20
$250
$50
$500
backport/done
💎 Bounty
docs-update-needed
good first issue
hacktoberfest
issue/bounty
issue/confirmed
issue/critical
issue/duplicate
issue/needs-feedback
issue/not-a-bug
issue/regression
issue/stale
issue/workaround
lgtm/need 2
modifies/api
modifies/translation
outdated/backport/v1.18
outdated/theme/markdown
outdated/theme/timetracker
performance/bigrepo
performance/cpu
performance/memory
performance/speed
pr/breaking
proposal/accepted
proposal/rejected
pr/wip
pull-request
reviewed/wontfix
💰 Rewarded
skip-changelog
status/blocked
topic/accessibility
topic/api
topic/authentication
topic/build
topic/code-linting
topic/commit-signing
topic/content-rendering
topic/deployment
topic/distribution
topic/federation
topic/gitea-actions
topic/issues
topic/lfs
topic/mobile
topic/moderation
topic/packages
topic/pr
topic/projects
topic/repo
topic/repo-migration
topic/security
topic/theme
topic/ui
topic/ui-interaction
topic/ux
topic/webhooks
topic/wiki
type/bug
type/deprecation
type/docs
type/enhancement
type/feature
type/miscellaneous
type/proposal
type/question
type/refactoring
type/summary
type/testing
type/upstream
Mirrored from GitHub Pull Request
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/gitea#527
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @strk on GitHub (Mar 17, 2017).
OpenID-Connect is already supported via the OAuth2 LoginSource, this ticket is to add support for the federated features of the spec: http://openid.net/specs/openid-connect-federation-1_0.html
NOTE: federated OpenID-2.0 is already supported (#618)
See #1010 for some previous discussion about OpenID-Connect and federation.
@strk commented on GitHub (Mar 17, 2017):
Corresponding ticket in the library currently used for OIDC: https://github.com/markbates/goth/issues/148
@colemickens commented on GitHub (Jun 22, 2018):
Goth supports OpenID Connect now.
@strk commented on GitHub (Jun 26, 2018):
Since which version @colemickens ? What would it take to make use of it from Gitea ? Just update to current master of Goth ? Do you have an OpenID-Connect provider to test an eventual implementation against ?
@colemickens commented on GitHub (Jun 26, 2018):
It looks like Goth supported it since before you opened this issue, actually, from what I can tell: https://github.com/markbates/goth/pull/127
Anyway, it also seems like Gitea already has OIDC login... https://github.com/go-gitea/gitea/issues/3644
Also, there's this issue, also from you, where you were using it? https://github.com/go-gitea/gitea/issues/2100
I would be testing against Dex. I haven't stood up Gitea yet, might be a while before I make it back around to.
@meredrica commented on GitHub (Oct 6, 2018):
Any news on this? Gitea looks really nice but not having SSO is a deal breaker for me :(
@coolaj86 commented on GitHub (Oct 6, 2018):
This is something that I am working on personally and I'm trying to work slowly and with distinct commits so that it can come into mainline.
Check out https://github.com/go-gitea/gitea/pull/5029 if you're interested (just ux and bug fixes around the existing implementation so far). I also have instructions (in the issue) for giving my branch a test try if you'd like.
cc/ @meredrica
@stale[bot] commented on GitHub (Jan 7, 2019):
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.
@stale[bot] commented on GitHub (Mar 8, 2019):
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.
@deedubs commented on GitHub (Mar 26, 2019):
Let me know if you need any help! Even if just testing I have a keycloak OIDC setup I can use to verify it.
@strk commented on GitHub (May 28, 2019):
For testing, see https://github.com/simpleid/simpleid/issues/30#issuecomment-496359846
@colemickens commented on GitHub (May 28, 2019):
I don't understand. The Discovery protocol is provided by the server and consumed by the client. AFAICT that does not implement OpenID Connect (edit, it looks like it implements OIDC, but I don't really like OIDC without Discovery).
Alternatively, https://github.com/dexidp/dex is an OpenID Connect identity provider (broker) that is easy to self-host, and it allows self-registration of clients, supports Discovery, it also can trivial chain into other authentication providers that don't allow self-registration. It's commonly used in "cloud-native" deployments, in conjunction with Go services and often containerized solutions. It would very likely be a good fit to use with Gitea. (edit, and is itself written in Go).
@strk commented on GitHub (May 29, 2019):
What is that you don't understand @colemickens ? The issue here is being able to allow people to just provide an arbitrary URI as an authentication mean...
Have you tried doing that with #5029 ?
@6543 commented on GitHub (Jun 27, 2021):
should be posible now
@strk commented on GitHub (Jun 28, 2021):
Possible how ? Is there an example of such self-identity provision ?
BTW, I see OpenID-2.0 login was disabled on https://try.gitea.io/user/login -- was that intentional ? At the moment I've no way to even try that
@strk commented on GitHub (Jun 28, 2021):
For reference: https://gitea.com/user/login still has OpenID support active, which shows Gitea-1.15 still supports that (good!)
I still don't see any online proof of "federated OpenID-Connect logins" (ie: I enter my own url, as a user, to prove my identity)
@6543 commented on GitHub (Jun 28, 2021):
ok so the federated part is missing?
@strk commented on GitHub (Jun 28, 2021):
Yes.
The goal is to be able to log into a Gitea instance by passing an arbitrary URL (either accepted or not based on some whitelist/blacklist eventually). Gitea would then delegate authenticating the user to a service discovered from the given URL.