OAuth 2.0 - Azure AD v2 - responded with a 403 trying to fetch user information #9765

Closed
opened 2025-11-02 08:48:55 -06:00 by GiteaMirror · 5 comments
Owner

Originally created by @constantin-baciu on GitHub (Nov 1, 2022).

Description

I'm trying to setup OAuth 2.0 against my corporate Azure AD.
I'm using Azure AD V2. I've added the application in Azure AD and now I'm trying to configure my Gitea install to do that.

The Client ID, Secret and tenant are OK.
The return URL is https://base_url/user/oauth2/authentication_name/callback

But, when I try to login, Gitea presents me a http500.
Looking at the logs, I see this:

UserSignIn: <authentication name> responded with a 403 trying to fetch user information

Meanwhile, the Azure AD logs show my successful login attempt.

I dug a little deeper and I've found that the MS Graph URL used is https://graph.microsoft.com/v1.0/
Some other applications I have setup to use OAuth 2 against the same Azure tenant are using another URL: https://graph.microsoft.com/oidc/userinfo

Comparing the Azure setup for the Gitea integration with the others we've implemented, there's nothing different.

I wonder if there's something that needs to happen on Azure AD for this to work. I can't find any documentation on the Gitea website about how to set things up.

Screenshots

image

Gitea Version

1.18.rc0

Can you reproduce the bug on the Gitea demo site?

No

Operating System

No response

Browser Version

Chrome (latest), Edge (latest)

Originally created by @constantin-baciu on GitHub (Nov 1, 2022). ### Description I'm trying to setup OAuth 2.0 against my corporate Azure AD. I'm using Azure AD V2. I've added the application in Azure AD and now I'm trying to configure my Gitea install to do that. The Client ID, Secret and tenant are OK. The return URL is https://base_url/user/oauth2/authentication_name/callback But, when I try to login, Gitea presents me a http500. Looking at the logs, I see this: `UserSignIn: <authentication name> responded with a 403 trying to fetch user information` Meanwhile, the Azure AD logs show my successful login attempt. I dug a little deeper and I've found that the MS Graph URL used is https://graph.microsoft.com/v1.0/ Some other applications I have setup to use OAuth 2 against the same Azure tenant are using another URL: https://graph.microsoft.com/oidc/userinfo Comparing the Azure setup for the Gitea integration with the others we've implemented, there's nothing different. I wonder if there's something that needs to happen on Azure AD for this to work. I can't find any documentation on the Gitea website about how to set things up. ### Screenshots ![image](https://user-images.githubusercontent.com/46529909/199331333-bd93eb7b-a37d-4736-8ca1-63f711dfb568.png) ### Gitea Version 1.18.rc0 ### Can you reproduce the bug on the Gitea demo site? No ### Operating System _No response_ ### Browser Version Chrome (latest), Edge (latest)
GiteaMirror added the type/bugtopic/ui labels 2025-11-02 08:48:55 -06:00
Author
Owner

@KN4CK3R commented on GitHub (Nov 2, 2022):

This error is returned by the upstream library: https://github.com/markbates/goth
You changed the return url for this issue?

@KN4CK3R commented on GitHub (Nov 2, 2022): This error is returned by the upstream library: https://github.com/markbates/goth You changed the return url for this issue?
Author
Owner

@constantin-baciu commented on GitHub (Nov 2, 2022):

Yes, I know it's an upstream library.
Yes, I did change the URL. (I've just corrected the issue description to remove some formatting)

@constantin-baciu commented on GitHub (Nov 2, 2022): Yes, I know it's an upstream library. Yes, I did change the URL. (I've just corrected the issue description to remove some formatting)
Author
Owner

@constantin-baciu commented on GitHub (Nov 2, 2022):

I wonder if I have to add the UserRead scope, like the lib uses by default.
See here

@constantin-baciu commented on GitHub (Nov 2, 2022): I wonder if I have to add the UserRead scope, like the lib uses by default. See [here](https://github.com/markbates/goth/blob/0aa007869f9a11bd1d40a5a61c9b7ed235597903/providers/azureadv2/azureadv2.go#:~:text=defaultScopes%20%3A%3D%20scopesToStrings(OpenIDScope%2C%20ProfileScope%2C%20EmailScope%2C%20UserReadScope))
Author
Owner

@chrisunterricht commented on GitHub (Jul 18, 2023):

Is there any update on this as I run into the exact same problem.

@chrisunterricht commented on GitHub (Jul 18, 2023): Is there any update on this as I run into the exact same problem.
Author
Owner

@LufinityLucas commented on GitHub (Apr 8, 2025):

I started to get this issue today as well. Same error message. I tried revert Gitea several versions, but without luck.
I while back, I actualy got an e-mail from Microsoft telling me that I have one application using the legacy "Azure AD Graph API" which needs to be switched to the new "Microsoft Graph". That app is Gitea.

EDIT How silly of me! 😄 There was an option to switch to Azure version 2 in Gitea. All is fine now.

@LufinityLucas commented on GitHub (Apr 8, 2025): I started to get this issue today as well. Same error message. I tried revert Gitea several versions, but without luck. I while back, I actualy got an e-mail from Microsoft telling me that I have one application using the legacy "Azure AD Graph API" which needs to be switched to the new "Microsoft Graph". That app is Gitea. **EDIT** How silly of me! 😄 There was an option to switch to Azure version 2 in Gitea. All is fine now.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#9765