Adding group claim name for admin and required does not show in gui #8399

Closed
opened 2025-11-02 08:04:51 -06:00 by GiteaMirror · 4 comments
Originally created by @netcicd on GitHub (Jan 24, 2022).

Gitea Version

1.16.0-rc1

Git Version

No response

Operating System

docker: gitea/gitea:1.16.0-rc1

How are you running Gitea?

docker container as part of https://github.com/Devoteam/CICD-toolbox

Database

PostgreSQL

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Description

When running

```
gitea admin auth update-oauth --id 1 --required-claim-name gitea-admin --admin-group gitea-admin
```

in the container, this does not show in the GUI. Adding these fields in the GUI gives 200 in the log, but no entry in the GUI.

Screenshots

![Screenshot from 2022-01-24 16-04-53](https://user-images.githubusercontent.com/46484069/150808324-4d5520a3-c11a-47fe-a14a-2d248fe945b8.png)

The secret in the picture is randomly generated.


@netcicd commented on GitHub (Jan 24, 2022):

When set in the GUI, Additional scopes and Group claim name for administrators show up in the database. Required shows up when entered on the CLI, not in the GUI.
When updating the entry in the GUI, I get an HTTP 500 error, even when nothing changed.

Before update:

```json
{"Provider":"openidConnect","ClientID":"Gitea","ClientSecret":"1057f9ac-3acd-456a-8c06-61180ad9d8a0","OpenIDConnectAutoDiscoveryURL":"http://keycloak.tooling.test:8080/auth/realms/netcicd/.well-known/openid-configuration","CustomURLMapping":{},"IconURL":"","Scopes":[],"RequiredClaimName":"gitea-admin","RequiredClaimValue":"","GroupClaimName":"gitea-group","AdminGroup":"gitea-admin","RestrictedGroup":""}
```

After update:

```json
{"Provider":"openidConnect","ClientID":"Gitea","ClientSecret":"1057f9ac-3acd-456a-8c06-61180ad9d8a0","OpenIDConnectAutoDiscoveryURL":"http://keycloak.tooling.test:8080/auth/realms/netcicd/.well-known/openid-configuration","CustomURLMapping":{},"IconURL":"","Scopes":[""],"RequiredClaimName":"","RequiredClaimValue":"gitea-admin","GroupClaimName":"","AdminGroup":"","RestrictedGroup":""}
```

Restoring the data makes no difference...

When updated through the CLI with `gitea admin auth update-oauth --id 1 --required-claim-name gitea-admin --admin-group gitea-admin`, it works when I provide the gitea-admin claim, but the user is not admin.

When the group-claim-name is updated through the CLI

```
gitea admin auth update-oauth --id 1 --group-claim-name gitea-group
```

and a corresponding claim is made in Keycloak:

![Screenshot from 2022-01-24 22-45-04](https://user-images.githubusercontent.com/46484069/150870146-f9240c48-a559-492e-be36-89aee654f7aa.png)

This is the associated JWT:

```json
{
  "exp": 1643059571,
  "iat": 1643059271,
  "auth_time": 1643059248,
  "jti": "4ccd708c-efeb-43ed-bfcb-55cf04f3f1c7",
  "iss": "http://keycloak.tooling.test:8080/auth/realms/netcicd",
  "sub": "060bbc59-b1a2-4bf9-b1cc-ca2bd2541830",
  "typ": "Bearer",
  "azp": "Gitea",
  "session_state": "6943341b-488b-4880-8e7e-148d21035364",
  "acr": "0",
  "allowed-origins": [
    "http://gitea.tooling.test:3000/"
  ],
  "resource_access": {
    "Gitea": {
      "roles": [
        "gitea-admin"
      ]
    }
  },
  "scope": "openid profile email",
  "sid": "6943341b-488b-4880-8e7e-148d21035364",
  "email_verified": false,
  "gitea-group": [
    "gitea-admin"
  ],
  "name": "NetCICD Godmode Godmode",
  "gitea-admin": [
    "gitea-admin"
  ],
  "preferred_username": "netcicd",
  "given_name": "NetCICD Godmode",
  "family_name": "Godmode",
  "email": "netcicd@tooling.test"
}
```

And for an ordinary user:

```json
{
  "exp": 1643059860,
  "iat": 1643059560,
  "auth_time": 1643059560,
  "jti": "9797e414-4a90-4068-b508-dd660f6d8413",
  "iss": "http://keycloak.tooling.test:8080/auth/realms/netcicd",
  "sub": "599b0c23-56f1-427d-a4d1-fe6a601d72cc",
  "typ": "Bearer",
  "azp": "Gitea",
  "session_state": "cd5cd945-422d-46b3-bd3c-1fa8311ae52a",
  "acr": "1",
  "allowed-origins": [
    "http://gitea.tooling.test:3000/"
  ],
  "resource_access": {
    "Gitea": {
      "roles": [
        "gitea-netcicd-read"
      ]
    }
  },
  "scope": "openid profile email",
  "sid": "cd5cd945-422d-46b3-bd3c-1fa8311ae52a",
  "email_verified": false,
  "gitea-group": [
    "gitea-netcicd-read"
  ],
  "name": "Net Dude Dude",
  "gitea-admin": [
    "gitea-netcicd-read"
  ],
  "preferred_username": "netdude",
  "given_name": "Net Dude",
  "family_name": "Dude",
  "email": "netdude@tooling.test"
}
```

And as shown, the ordinary user is in the group gitea-netcicd-read; this group has read access:

![Screenshot from 2022-01-24 22-32-11](https://user-images.githubusercontent.com/46484069/150868472-58dbd553-dd54-45e9-8afa-58e4d6deef38.png)

but cannot see the repo:

![Screenshot from 2022-01-24 22-35-17](https://user-images.githubusercontent.com/46484069/150868791-88b64f49-1116-4e0e-a5cc-f540cff47933.png)

It would be much more convenient if the implementation would just read the default `resource_access` claim for the Client_ID, where the roles are the group names...

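To make the claim-mapping behaviour discussed in this comment concrete, here is an added example (not Gitea's own code) that evaluates the two sample tokens above against the "Before update" and "After update" source settings. The `ClaimMapping` field names are copied from those dumps; the evaluation rules (empty `RequiredClaimName` disables the check, a non-empty name with an empty value only requires the claim to exist, group membership is read from `GroupClaimName`) are this example's assumptions about the intended semantics. `ClientRoles` implements the suggestion of reading `resource_access.<ClientID>.roles` directly. The token claims are constructed subsets of the quoted JWTs; signature and issuer verification happen before this step and are out of scope here.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ClaimMapping holds the claim-mapping fields that appear in the issue's
// "Before update" / "After update" dumps. The field names come from that
// dump; the struct itself is an assumption of this example, not Gitea's type.
type ClaimMapping struct {
	RequiredClaimName  string
	RequiredClaimValue string
	GroupClaimName     string
	AdminGroup         string
	RestrictedGroup    string
}

// Decision is what the mapping yields for one token.
type Decision struct {
	Allowed    bool   // required-claim check passed (or none configured)
	Admin      bool   // member of AdminGroup via the group claim
	Restricted bool   // member of RestrictedGroup via the group claim
	Reason     string // human-readable trace, useful in an audit log
}

// asStrings normalises a claim that may be a single string or a JSON array
// of strings into a []string; any other shape yields nil.
func asStrings(v interface{}) []string {
	switch t := v.(type) {
	case string:
		return []string{t}
	case []interface{}:
		out := make([]string, 0, len(t))
		for _, e := range t {
			if s, ok := e.(string); ok {
				out = append(out, s)
			}
		}
		return out
	}
	return nil
}

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// Evaluate applies the mapping to decoded token claims (assumed semantics,
// see the lead-in). Denial is the default whenever a required claim is
// missing or carries the wrong value.
func Evaluate(m ClaimMapping, claims map[string]interface{}) Decision {
	d := Decision{Allowed: true}
	if m.RequiredClaimName != "" {
		raw, present := claims[m.RequiredClaimName]
		if !present {
			return Decision{Reason: "required claim " + m.RequiredClaimName + " missing"}
		}
		if m.RequiredClaimValue != "" && !contains(asStrings(raw), m.RequiredClaimValue) {
			return Decision{Reason: "required claim " + m.RequiredClaimName + " lacks value " + m.RequiredClaimValue}
		}
	}
	if m.GroupClaimName == "" {
		d.Reason = "no group claim configured; no admin/restricted mapping possible"
		return d
	}
	groups := asStrings(claims[m.GroupClaimName])
	d.Admin = m.AdminGroup != "" && contains(groups, m.AdminGroup)
	d.Restricted = m.RestrictedGroup != "" && contains(groups, m.RestrictedGroup)
	d.Reason = fmt.Sprintf("groups=%v admin=%t restricted=%t", groups, d.Admin, d.Restricted)
	return d
}

// ClientRoles reads resource_access.<clientID>.roles, the Keycloak default
// claim present in both sample tokens, as the commenter suggested.
func ClientRoles(claims map[string]interface{}, clientID string) []string {
	ra, _ := claims["resource_access"].(map[string]interface{})
	client, _ := ra[clientID].(map[string]interface{})
	return asStrings(client["roles"])
}

// Constructed test input: the relevant claims from the two quoted tokens.
const adminToken = `{"azp":"Gitea","resource_access":{"Gitea":{"roles":["gitea-admin"]}},
 "gitea-group":["gitea-admin"],"gitea-admin":["gitea-admin"],"preferred_username":"netcicd"}`
const userToken = `{"azp":"Gitea","resource_access":{"Gitea":{"roles":["gitea-netcicd-read"]}},
 "gitea-group":["gitea-netcicd-read"],"gitea-admin":["gitea-netcicd-read"],"preferred_username":"netdude"}`

func parse(raw string) map[string]interface{} {
	var c map[string]interface{}
	if err := json.Unmarshal([]byte(raw), &c); err != nil {
		panic(err)
	}
	return c
}

// BeforeUpdate and AfterUpdate reproduce the two source dumps from the thread.
var BeforeUpdate = ClaimMapping{RequiredClaimName: "gitea-admin", GroupClaimName: "gitea-group", AdminGroup: "gitea-admin"}
var AfterUpdate = ClaimMapping{RequiredClaimValue: "gitea-admin"}

func main() {
	for _, tok := range []string{adminToken, userToken} {
		c := parse(tok)
		fmt.Printf("%s before: %+v\n", c["preferred_username"], Evaluate(BeforeUpdate, c))
		fmt.Printf("%s after:  %+v\n", c["preferred_username"], Evaluate(AfterUpdate, c))
		fmt.Printf("%s client roles: %v\n", c["preferred_username"], ClientRoles(c, "Gitea"))
	}
}
```

Run against the "After update" dump, neither token yields admin: with `GroupClaimName` blanked there is nothing to match `AdminGroup` against, and with `RequiredClaimName` blanked the `RequiredClaimValue` of `gitea-admin` is never checked, which matches the symptom of the admin flag silently not being applied.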

@zeripath commented on GitHub (Jan 24, 2022):

The rendering in your screenshots appears to be a little odd.

Do you have old custom templates?


@netcicd commented on GitHub (Jan 25, 2022):

Hi Zeripath,
No custom templates, just the container I downloaded from docker hub. I selected the relevant portions of the screens.
What I'll do is purge my docker images and rebuild.
Nothing changed after rebuild in the images...


@zeripath commented on GitHub (Jan 25, 2022):

OK, the edit page template looks to have suffered a merge conflict at some point and it got broken.

diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl
index a9942354c..efa440ff3 100644
--- a/templates/admin/auth/edit.tmpl
+++ b/templates/admin/auth/edit.tmpl
@@ -286,6 +286,10 @@
 							<input id="skip_local_two_fa" name="skip_local_two_fa" type="checkbox" {{if $cfg.SkipLocalTwoFA}}checked{{end}}>
 							<p class="help">{{.i18n.Tr "admin.auths.skip_local_two_fa_helper"}}</p>
 						</div>
+					</div>
+					<div class="oauth2_use_custom_url inline field">
+						<div class="ui checkbox">
+							<label><strong>{{.i18n.Tr "admin.auths.oauth2_use_custom_url"}}</strong></label>
 							<input id="oauth2_use_custom_url" name="oauth2_use_custom_url" type="checkbox" {{if $cfg.CustomURLMapping}}checked{{end}}>
 						</div>
 					</div>
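Review bot: the hunk is add-only, so the div balance depends on the two unchanged trailing `</div>` lines: the added `</div>` closes the `skip_local_two_fa` field opened above the hunk, and the new `oauth2_use_custom_url inline field` / `ui checkbox` wrappers are closed by the existing `</div>` pair at the bottom. Before the patch the `oauth2_use_custom_url` input sat inside the `skip_local_two_fa` checkbox div with no label of its own, which fits the odd rendering in the screenshots; after it, please verify by rendering the OAuth2 edit page once, and consider a template lint or render test in CI so a bad merge in `edit.tmpl` fails a build instead of surfacing as missing admin fields.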

would fix the template.

Reference: github-starred/gitea#8399