Disabling openid provider on startup is confusing when provider is still working #7017

New Issue

Open

opened 2025-11-02 07:13:36 -06:00 by GiteaMirror · 5 comments

GiteaMirror commented 2025-11-02 07:13:36 -06:00

Owner

Copy Link

Originally created by @decentral1se on GitHub (Mar 18, 2021).

• Gitea version (or commit ref): 1.13.4
• Git version: 2.20.1
• Operating system: GNU/Linux Debian buster
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
• Log gist: N/A

Description

While upgrading to 1.13.4, my keycloak openid provider was temporarily down. I had this openid provider enabled and working before the upgrade. After upgrading, the openid login button was gone. Looking back at the changelog, it seems in 1.13.3, a change was implemented to disable openid providers that were not reachable and avoid failing startup. That is a good change imho but disabling them leads to the case where your openid login is gone away but it should not be. Is it possible to not fail and not disable them? A retry window in place before disabling? I am not sure what is best but having the provider disabled is not ideal.

Refs: https://github.com/go-gitea/gitea/pull/14802

Originally created by @decentral1se on GitHub (Mar 18, 2021). <!-- NOTE: If your issue is a security concern, please send an email to security@gitea.io instead of opening a public issue --> <!-- 1. Please speak English, this is the language all maintainers can speak and write. 2. Please ask questions or configuration/deploy problems on our Discord server (https://discord.gg/gitea) or forum (https://discourse.gitea.io). 3. Please take a moment to check that your issue doesn't already exist. 4. Make sure it's not mentioned in the FAQ (https://docs.gitea.io/en-us/faq) 5. Please give all relevant information below for bug reports, because incomplete details will be handled as an invalid report. --> - Gitea version (or commit ref): 1.13.4 - Git version: 2.20.1 - Operating system: GNU/Linux Debian buster <!-- Please include information on whether you built gitea yourself, used one of our downloads or are using some other package --> <!-- Please also tell us how you are running gitea, e.g. if it is being run from docker, a command-line, systemd etc. ---> <!-- If you are using a package or systemd tell us what distribution you are using --> - Database (use `[x]`): - [ ] PostgreSQL - [x] MySQL - [ ] MSSQL - [ ] SQLite - Can you reproduce the bug at https://try.gitea.io: - [ ] Yes (provide example URL) - [x] No - Log gist: N/A <!-- It really is important to provide pertinent logs --> <!-- Please read https://docs.gitea.io/en-us/logging-configuration/#debugging-problems --> <!-- In addition, if your problem relates to git commands set `RUN_MODE=dev` at the top of app.ini --> ## Description <!-- If using a proxy or a CDN (e.g. CloudFlare) in front of gitea, please disable the proxy/CDN fully and connect to gitea directly to confirm the issue still persists without those services. --> While upgrading to 1.13.4, my keycloak openid provider was temporarily down. I had this openid provider enabled and working before the upgrade. After upgrading, the openid login button was gone. Looking back at the changelog, it seems in 1.13.3, a change was implemented to disable openid providers that were not reachable and avoid failing startup. That is a good change imho but disabling them leads to the case where your openid login is gone away but it should not be. Is it possible to not fail and not disable them? A retry window in place before disabling? I am not sure what is best but having the provider disabled is not ideal. Refs: https://github.com/go-gitea/gitea/pull/14802

GiteaMirror added the type/proposaltopic/authentication labels 2025-11-02 07:13:36 -06:00

GiteaMirror commented 2025-11-02 07:13:37 -06:00

Author

Owner

Copy Link

@ghmer commented on GitHub (Mar 25, 2021):

Supporting that, at least make it configurable whether it should automatically be disabled. Or, even better: Retry, until the authentication source is up again. Right now, it is just confusing users.

@ghmer commented on GitHub (Mar 25, 2021): Supporting that, at least make it configurable whether it should automatically be disabled. Or, even better: Retry, until the authentication source is up again. Right now, it is just confusing users.

GiteaMirror commented 2025-11-02 07:13:37 -06:00

Author

Owner

Copy Link

@zeripath commented on GitHub (Mar 25, 2021):

If we don't disable it the system fatals.

What you're basically asking for is a temporarily disabled status?

@zeripath commented on GitHub (Mar 25, 2021): If we don't disable it the system fatals. What you're basically asking for is a temporarily disabled status?

GiteaMirror commented 2025-11-02 07:13:37 -06:00

Author

Owner

Copy Link

@zeripath commented on GitHub (Mar 25, 2021):

I mean you can always go into system admin and reenable it.

@zeripath commented on GitHub (Mar 25, 2021): I mean you can always go into system admin and reenable it.

GiteaMirror commented 2025-11-02 07:13:37 -06:00

Author

Owner

Copy Link

@ghmer commented on GitHub (Mar 25, 2021):

This is not a binary issue, there are ways between "I must disable the authentication source" and "I must use log.Fatal". In example, why not put the authentication source in a retry list and have a thread periodically check whether it is available again?
Sure I can always admin into the system, but I'd rather see one user having a login issue but the system will "heal itself" (because I know the authentication source will be up in probably another minute) than getting several tickets overnight until I wake up the next morning and enable that thing again.

@ghmer commented on GitHub (Mar 25, 2021): This is not a binary issue, there are ways between "I must disable the authentication source" and "I must use log.Fatal". In example, why not put the authentication source in a retry list and have a thread periodically check whether it is available again? Sure I can always admin into the system, but I'd rather see one user having a login issue but the system will "heal itself" (because I know the authentication source will be up in probably another minute) than getting several tickets overnight until I wake up the next morning and enable that thing again.

GiteaMirror commented 2025-11-02 07:13:38 -06:00

Author

Owner

Copy Link

@ctII commented on GitHub (Mar 30, 2021):

Self-healing providers could have a blip in their uptime at the same time as Gitea starts due to timing differences in startup, especially when deployed on the same Kubernetes cluster, but that shouldn't prevent providers from being used later if they are available

Could a new task in modules/cron that attempts to initialize disabled providers in models/oauth2 from the database on a periodic basis solve this?

@ctII commented on GitHub (Mar 30, 2021): Self-healing providers could have a blip in their uptime at the same time as Gitea starts due to timing differences in startup, especially when deployed on the same Kubernetes cluster, but that shouldn't prevent providers from being used later if they are available Could a new task in ```modules/cron``` that attempts to initialize disabled providers in ```models/oauth2``` from the database on a periodic basis solve this?

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/v1.25

release/v1.24

release/v1.23

release/v1.22

release/v1.21

release/v1.20

release/v1.19

release/v1.18

release/v1.17

release/v1.16

release/v1.15

release/v1.14

release/v1.13

release/v1.12

release/v1.11

release/v1.10

release/v1.9

release/v1.8

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

$20

$250

$50

$500

backport/done

💎 Bounty

docs-update-needed

good first issue

hacktoberfest

issue/bounty

issue/confirmed

issue/critical

issue/duplicate

issue/needs-feedback

issue/not-a-bug

issue/regression

issue/stale

issue/workaround

lgtm/need 2

modifies/api

modifies/translation

outdated/backport/v1.18

outdated/theme/markdown

outdated/theme/timetracker

performance/bigrepo

performance/cpu

performance/memory

performance/speed

pr/breaking

proposal/accepted

proposal/rejected

pr/wip

pull-request

Mirrored from GitHub Pull Request

reviewed/wontfix

💰 Rewarded

skip-changelog

status/blocked

topic/accessibility

topic/api

topic/authentication

topic/build

topic/code-linting

topic/commit-signing

topic/content-rendering

topic/deployment

topic/distribution

topic/federation

topic/gitea-actions

topic/issues

topic/lfs

topic/mobile

topic/moderation

topic/packages

topic/pr

topic/projects

topic/repo

topic/repo-migration

topic/security

topic/theme

topic/ui

topic/ui-interaction

topic/ux

topic/webhooks

topic/wiki

type/bug

type/deprecation

type/docs

type/enhancement

type/feature

type/miscellaneous

type/proposal

type/question

type/refactoring

type/summary

type/testing

type/upstream

No Label topic/authentication type/proposal

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#7017