Gitea does not implement proper OIDC #7767

Closed
opened 2025-11-02 07:36:00 -06:00 by GiteaMirror · 7 comments

Originally created by @Reinitialized on GitHub (Aug 27, 2021).

  • Gitea version (or commit ref): 1.15.0

Description

Based on what I've recently learned about OIDC, I do not believe Gitea implements this protocol correctly, specifically when it comes to linking a non-existent Gitea user. Gitea allows the end user to change a variety of identity-related options, violating the intent of SSO, such as:

  • Upon registration of a Gitea account, allowing the end user to change their username and email
  • Within Account Settings, allowing the user to change their email and password
  • Allowing end users to log in locally instead of through the OIDC provider

Gitea is an amazing product which I enjoy using, but as I grow my infrastructure and eventually business/community, the ability to manage these settings in a centralized system without having to implement workarounds such as LDAP is a crucial component to using this product. I hope this can be addressed within a timely manner.

Screenshots

Example of being able to change password/email on "non-local" account


@sanderfoobar commented on GitHub (Aug 28, 2021):

> Upon registration of a Gitea account, allowing the end user to change their username and email

Set this to `true` and it will auto register after redirecting from OIDC provider

```ini
[oauth2_client]
ENABLE_AUTO_REGISTRATION = true
```

> Allowing end users to log in locally instead of through the OIDC provider

Set this to `false` if you **only** want to allow users from the OIDC provider

```ini
[service]
DISABLE_REGISTRATION = false
```

> Within Account Settings, allowing the user to change their email and password

Yep, this is weird.

Note that there is a `login_name` column in the Gitea database, `user` table. This is the `sub` claim from your OIDC provider, so at least you still have that unique user id that you may use to fix any email synchronization issues manually if need be.

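The comment above notes that `login_name` carries the provider's `sub` claim and can anchor a manual fix of email drift. The following Python check is an added example, not code from this thread or from Gitea: it joins constructed IdP records to constructed rows shaped like Gitea's `user` table (the `login_name` and `email` columns come from the comment; `name` is assumed) and reports accounts whose locally editable email no longer matches the provider, accounts with no `sub` at all, and accounts whose `sub` the provider no longer knows.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IdpUser:
    """One identity as the OIDC provider reports it (constructed sample)."""
    sub: str
    email: str


@dataclass(frozen=True)
class GiteaUser:
    """Subset of Gitea's `user` table; login_name holds the OIDC `sub` claim."""
    login_name: str
    name: str   # assumed column name for the Gitea username
    email: str


def find_identity_drift(idp_users, gitea_users):
    """Return sorted (kind, gitea_name, detail) tuples for rows that disagree with the IdP."""
    by_sub = {u.sub: u for u in idp_users}
    findings = []
    for g in gitea_users:
        if not g.login_name:
            # No sub stored: a local account that never came through the provider.
            findings.append(("local_account", g.name, g.email))
            continue
        idp = by_sub.get(g.login_name)
        if idp is None:
            # Provider no longer knows this sub: deprovisioned upstream, still present here.
            findings.append(("stale_sub", g.name, g.login_name))
        elif idp.email.strip().lower() != g.email.strip().lower():
            # Email was edited in Gitea's Account Settings; the provider's value is authoritative.
            findings.append(("email_mismatch", g.name, f"{g.email} != {idp.email}"))
    return sorted(findings)


# Constructed sample data: two provider identities, four Gitea rows.
IDP_USERS = [IdpUser("a1b2", "alice@example.org"), IdpUser("c3d4", "bob@example.org")]
GITEA_USERS = [
    GiteaUser("a1b2", "alice", "alice@example.org"),
    GiteaUser("c3d4", "bob", "bob-private@example.net"),
    GiteaUser("", "localadmin", "admin@example.org"),
    GiteaUser("zz99", "carol", "carol@example.org"),
]

if __name__ == "__main__":
    for kind, name, detail in find_identity_drift(IDP_USERS, GITEA_USERS):
        print(f"{kind:15} {name:12} {detail}")
```

In a real deployment the Gitea rows would come from a query on the `user` table and the provider side from its userinfo or admin API; the comparison logic stays the same.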

@zeripath commented on GitHub (Aug 28, 2021):

Disabling the changing of username has another issue request.


@Reinitialized commented on GitHub (Aug 29, 2021):

> Set this to `true` and it will auto register after redirecting from OIDC provider

Don't know how I missed this, but it solves one of the problems. Thanks!

> Disabling the changing of username has another issue request.

Looking into account settings, I don't see an option to change username, and with the above change usernames are no longer an issue it seems. Email and passwords are still a problem, however. I know for LDAP passwords cannot be changed, but emails still can.


@fuomag9 commented on GitHub (Mar 3, 2023):

> > Set this to `true` and it will auto register after redirecting from OIDC provider
>
> Don't know how I missed this, but it solves one of the problems. Thanks!
>
> > Disabling the changing of username has another issue request.
>
> Looking into account settings, I don't see an option to change username, and with the above change usernames are no longer an issue it seems. Email and passwords are still a problem, however. I know for LDAP passwords cannot be changed, but emails still can.

The `ENABLE_AUTO_REGISTRATION` variable was missing from the default config as of today! I'd not have found it if it weren't for this issue.


@lunny commented on GitHub (Mar 3, 2023):

It's in the documentation and the example ini file. The default config is a minimum configuration file.


@kdumontnu commented on GitHub (Jul 9, 2024):

I believe these issues are now all closed with https://github.com/go-gitea/gitea/pull/31535 and also superseded by this tracking issue https://github.com/go-gitea/gitea/issues/23794

OIDC was not necessarily implemented incorrectly, but it was configured as an "external auth provider" (e.g. an alternative login) instead of Single Sign-On (SSO) / Single Identity Provider. These options should now be supported in config settings.


@Reinitialized commented on GitHub (Jul 9, 2024):

Sweet! Love seeing how far Gitea has come since I've opened the few issues I have. Thanks for everything you guys do!


Reference: github-starred/gitea#7767