go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License

Support mailcow as oauth provider #12435

Closed thisni1s closed 2 years ago

thisni1s commented 4 years ago

Description

I tried getting Gitea to authenticate against a Mailcow OAuth Server and encountered the following strange problem: The instance has no user registered besides the admin user. When I try to register the first real user everything works fine, I can log in to my Mailcow account and grant Gitea access. After that I am asked to enter a username and email address for Gitea, which I enter and press register. I can then use Gitea.

Now the problem comes when I try to register the second user. Everything seems to work fine also, but after granting Gitea access to my account I am taken straight to the dashboard without entering a username or email address. AND I am for whatever reason logged in as the first user! I can even create repos etc.

I don't think that this is expected behavior even if Mailcow isn't an officially supported OAuth Provider.

techknowlogick commented 4 years ago

What provider did you tell Gitea that Mailcow was?

thisni1s commented 4 years ago

I tried Gitea and Nextcloud as Providers, with custom URLs of course

lafriks commented 4 years ago

What info does the mailcow token contain?

thisni1s commented 4 years ago

First an authorization code is attached to the redirect url like this: https://myredirecturi.com/cb?code=yourcode&state=xyz

Then you can request an access token, e.g. with curl:
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=authorization_code&code=yourcode&redirect_uri=https://example.com/oauth/callback&client_id=youclientid&client_secret=yoursecret" https://mail.example.com/oauth/token

Mailcow will answer with an access token:
{"access_token":"abctokenabc","expires_in":86400,"token_type":"Bearer","scope":"profile","refresh_token":"abcrefreshtokenabc"}

Then you can get the user info from /oauth/profile, using the access token as a Bearer token. Mailcow will answer with:

{ "success": true, "username": "test@example.com", "identifier": "test@example.com", "email": "test@example.com", "full_name": "test", "displayName": "test", "created": "2020-06-29 15:15:30", "modified": "2020-08-04 23:36:53", "active": 1 }

I noticed, however, that the answer has text/html as content type and not application/json, and appending ?format=json like you do in the Nextcloud queries does not work.

Also this is the OAuth library used by mailcow: oauth2-server-php
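The profile step described above, as an added example that is not Gitea's, goth's or mailcow's own code: a Go parser for the /oauth/profile reply that tolerates the text/html content type but refuses any reply without a usable identifier and email, so a malformed or failed profile response cannot be matched against an existing account. The thread does not establish why the second login landed in the first user's account; the check here is simply what a provider integration should enforce regardless. Struct and function names are my own.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// SampleProfileBody is the /oauth/profile reply quoted in the issue (not a live capture).
const SampleProfileBody = `{ "success": true, "username": "test@example.com", "identifier": "test@example.com", "email": "test@example.com", "full_name": "test", "displayName": "test", "created": "2020-06-29 15:15:30", "modified": "2020-08-04 23:36:53", "active": 1 }`

// MailcowProfile holds the fields of that reply a provider would map onto a user.
type MailcowProfile struct {
	Success     bool   `json:"success"`
	Username    string `json:"username"`
	Identifier  string `json:"identifier"`
	Email       string `json:"email"`
	FullName    string `json:"full_name"`
	DisplayName string `json:"displayName"`
	Active      int    `json:"active"`
}

// ParseMailcowProfile decodes a profile response. It tolerates the text/html
// Content-Type the issue reports instead of application/json, but refuses any
// body that is not a successful JSON object carrying a non-empty identifier and
// email, so an empty or error reply can never be matched against an existing account.
func ParseMailcowProfile(contentType string, body []byte) (MailcowProfile, error) {
	var p MailcowProfile
	mediaType := strings.ToLower(strings.TrimSpace(strings.Split(contentType, ";")[0]))
	if mediaType != "application/json" && mediaType != "text/html" {
		return p, fmt.Errorf("unexpected content type %q", contentType)
	}
	if err := json.Unmarshal(body, &p); err != nil {
		return p, fmt.Errorf("profile body is not JSON: %w", err)
	}
	if !p.Success || p.Active != 1 {
		return p, errors.New("profile reports failure or an inactive mailbox")
	}
	if strings.TrimSpace(p.Identifier) == "" || strings.TrimSpace(p.Email) == "" {
		return p, errors.New("profile lacks identifier or email")
	}
	return p, nil
}

func main() {
	p, err := ParseMailcowProfile("text/html; charset=UTF-8", []byte(SampleProfileBody))
	fmt.Println(p.Identifier, err) // test@example.com <nil>
}
```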

techknowlogick commented 4 years ago

As there are two issues present here, 1. supporting mailcow, and 2. logging into the wrong account, before we go down the rabbit hole of "let's debug a non-supported provider" let's first confirm the broken behaviour in a working provider. @NilsKempen are you able to confirm this behaviour with GitHub as a provider (or another provider known to work)?

thisni1s commented 4 years ago

No, I just tried GitHub and Google and both seem to work fine.

techknowlogick commented 4 years ago

I will change this to just the first issue then of supporting mailcow in that case.

6543 commented 3 years ago

@NilsKempen would be nice if you could open an issue at https://github.com/markbates/goth/issues/new