go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License

Implement PKCE for OpenID Connect - Unable to login with LogTo #21376

Open mhkarimi1383 opened 1 year ago

mhkarimi1383 commented 1 year ago

Description

Hi, I want to connect my Gitea instance to Logto OpenID Connect, but I'm getting a 421 status code with the error below in the Gitea container logs:

2022/10/08 09:53:16 ...rs/web/auth/oauth.go:834:SignInOAuthCallback() [I] [63411754] Failed OAuth callback: (invalid_request) Authorization Server policy requires PKCE to be used for this request

I'm not able to do it on the demo site since my Logto instance is not fully publicly available.

Gitea Version

1.17.2

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Docker Container

Database

PostgreSQL

zeripath commented 1 year ago

Unfortunately the upstream library we use, https://github.com/markbates/goth, doesn't appear to implement PKCE authentication for OpenID Connect - and therefore it looks like we don't support it.

I'm not certain, because although I've read the OAuth specs several times it was a while ago, but I'm not certain that it would necessarily be too difficult to implement.
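For readers unfamiliar with what the failing authorization server is asking for, here is a self-contained Go sketch of the PKCE exchange (RFC 7636) as an added example. It is not code from Gitea or from markbates/goth; the function names, the client ID and the redirect URI are constructed for illustration. The client generates a high-entropy `code_verifier`, sends only its S256 `code_challenge` with the authorization request, and presents the verifier at the token endpoint; the server recomputes the challenge and compares in constant time. A server that stored no challenge for the authorization code rejects the request, which is the condition behind the error shown in the logs above.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// unreserved is the RFC 7636 code_verifier alphabet: ALPHA / DIGIT / "-" / "." / "_" / "~".
const unreserved = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"

// NewCodeVerifier returns a 43-character verifier: 32 random bytes, base64url
// encoded without padding. The base64url alphabet is a subset of the unreserved
// set, so no rejection sampling or modulo step is needed and the result is unbiased.
func NewCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// ValidVerifier enforces the RFC 7636 length (43..128) and alphabet rules.
func ValidVerifier(v string) bool {
	if len(v) < 43 || len(v) > 128 {
		return false
	}
	for i := 0; i < len(v); i++ {
		if strings.IndexByte(unreserved, v[i]) < 0 {
			return false
		}
	}
	return true
}

// S256Challenge derives code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), unpadded.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthorizeParams builds the query a PKCE-capable client adds to the
// authorization request. Only the challenge leaves the client; the verifier stays local.
func AuthorizeParams(clientID, redirectURI, state, challenge string) url.Values {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", "openid profile email")
	q.Set("state", state)
	q.Set("code_challenge", challenge)
	q.Set("code_challenge_method", "S256")
	return q
}

// VerifyPKCE is the authorization server's check at the token endpoint. storedChallenge
// and method were saved with the authorization code; presentedVerifier arrives with
// the token request. Only S256 is accepted here; "plain" is deliberately not supported.
func VerifyPKCE(storedChallenge, method, presentedVerifier string) error {
	if storedChallenge == "" {
		// No challenge was bound to this code: a PKCE-requiring server refuses the grant.
		return errors.New("invalid_request: Authorization Server policy requires PKCE to be used for this request")
	}
	if method != "S256" {
		return errors.New("invalid_request: unsupported code_challenge_method")
	}
	if !ValidVerifier(presentedVerifier) {
		return errors.New("invalid_grant: malformed code_verifier")
	}
	expected := S256Challenge(presentedVerifier)
	if subtle.ConstantTimeCompare([]byte(expected), []byte(storedChallenge)) != 1 {
		return errors.New("invalid_grant: code_verifier does not match code_challenge")
	}
	return nil
}

func main() {
	verifier, err := NewCodeVerifier()
	if err != nil {
		panic(err)
	}
	challenge := S256Challenge(verifier)
	// Constructed client ID and redirect URI; replace with the values registered at your IdP.
	q := AuthorizeParams("gitea-example-client", "https://gitea.example/callback", "opaque-state", challenge)
	fmt.Println("authorization request query:", q.Encode())
	fmt.Println("token endpoint check with verifier:  ", VerifyPKCE(challenge, "S256", verifier))
	fmt.Println("token endpoint check without PKCE:   ", VerifyPKCE("", "S256", verifier))
}
```

The `storedChallenge == ""` branch is the situation a client that never sent `code_challenge` ends up in: the server has nothing to bind the authorization code to and, if its policy mandates PKCE, returns `invalid_request` at the callback.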

mhkarimi1383 commented 1 year ago

I think someone fixed that for Zoom authentication: https://github.com/markbates/goth/pull/459. I think it's good to make it for OpenID Connect too...

mhkarimi1383 commented 1 year ago

I created an issue in https://github.com/markbates/goth: https://github.com/markbates/goth/issues/473. We can close this one, I think, or keep it open and wait for an update...

zeripath commented 1 year ago

We should keep this issue open as a marker to add the changes once the associated PR is merged.

sedadas commented 1 year ago

Hello, I would also like to see this implemented. I am attempting to use ownCloud Infinite Scale with Gitea as an IdP, but it does not work, because oCIS only supports login with PKCE: https://github.com/owncloud/ocis/issues/2445. What would be the effort, given that Gitea is now also using a version of goth that supports this?

lunny commented 1 year ago

Gitea is now using 1.76.0, which includes markbates/goth#474. So has this been resolved? @zeripath @techknowlogick

techknowlogick commented 1 year ago

Per the comment in https://github.com/go-gitea/gitea/pull/21426#issuecomment-1406611217, work needs to be done on Gitea's side to be able to support this.

djpbessems commented 11 months ago

Is there a milestone or ETA planned for this? I would like to use Pinniped with Gitea, but it's incompatible at the moment.