go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License
44.96k stars 5.48k forks

OIDC custom url for token and auth #29317

Open adriy-be opened 8 months ago

adriy-be commented 8 months ago

Feature Description

Hi, I have deployed Zitadel to have SSO with OpenID in my home lab. Since it is a container, I want to set a custom URL for token and auth. The internal communication between Gitea and Zitadel is on a dedicated Docker network and uses HTTP on port 8080, but the communication with the user goes over the external network (WAN), which uses HTTPS. For example, here is my config in Nextcloud:

Auth url: https://sso.my.domain/oauth/v2/authorize
Token url: http://sso.my.domain:8080/oauth/v2/token

Also, here is my https://sso.my.domain/.well-known/openid-configuration:

{
  "issuer": "https://sso.my.domain",
  "authorization_endpoint": "https://sso.my.domain/oauth/v2/authorize",
  "token_endpoint": "https://sso.my.domain/oauth/v2/token",
  "introspection_endpoint": "https://sso.my.domain/oauth/v2/introspect",
  "userinfo_endpoint": "https://sso.my.domain/oidc/v1/userinfo",
  "revocation_endpoint": "https://sso.my.domain/oauth/v2/revoke",
  "end_session_endpoint": "https://sso.my.domain/oidc/v1/end_session",
  "device_authorization_endpoint": "https://sso.my.domain/oauth/v2/device_authorization",
  "jwks_uri": "https://sso.my.domain/oauth/v2/keys",
  "scopes_supported": ["openid", "profile", "email", "phone", "address", "offline_access"],
  "response_types_supported": ["code", "id_token", "id_token token"],
  "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:jwt-bearer", "urn:ietf:params:oauth:grant-type:device_code"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "request_object_signing_alg_values_supported": ["RS256"],
  "token_endpoint_auth_methods_supported": ["none", "client_secret_basic", "client_secret_post", "private_key_jwt"],
  "token_endpoint_auth_signing_alg_values_supported": ["RS256"],
  "revocation_endpoint_auth_methods_supported": ["none", "client_secret_basic", "client_secret_post", "private_key_jwt"],
  "revocation_endpoint_auth_signing_alg_values_supported": ["RS256"],
  "introspection_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
  "introspection_endpoint_auth_signing_alg_values_supported": ["RS256"],
  "claims_supported": ["sub", "aud", "exp", "iat", "iss", "auth_time", "nonce", "acr", "amr", "c_hash", "at_hash", "act", "scopes", "client_id", "azp", "preferred_username", "name", "family_name", "given_name", "locale", "email", "email_verified", "phone_number", "phone_number_verified"],
  "code_challenge_methods_supported": ["S256"],
  "ui_locales_supported": ["bg", "cs", "de", "en", "es", "fr", "it", "ja", "mk", "nl", "pl", "pt", "ru", "zh"],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": false
}

Thanks

Screenshots

No response

adriy-be commented 8 months ago

I have changed my Zitadel configuration to always use HTTPS, also for internal container communication. That works, but I think having the option of a custom URL would be nice in certain cases.

My case is 3 containers: caddy (acme/https), zitadel (sso/openid), and gitea. They are all interconnected with a Docker network, but only caddy can talk to the world on ports 443 and 80.

buckybytes commented 8 months ago

It's possible your meaning was lost in translation, but this seems to be just a matter of configuring DNS within your internal Docker network. As far as Gitea is concerned, you can set your endpoint URLs to whatever you like for an authentication source:

image
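As an added illustration of what a per-endpoint override like the one requested in this issue has to guard against, here is a small Go program written for this page (it is not Gitea's code and not Zitadel's). It loads a discovery document, applies operator-supplied endpoint overrides on top of it, and rejects any resulting endpoint that is not https or whose origin differs from the issuer. The "same origin as the issuer" rule is an assumed hardening policy, stricter than the minimum the OpenID Discovery spec requires; the discovery JSON is a trimmed copy of the one posted above, with sso.my.domain kept as the placeholder host.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"sort"
)

// Discovery is the subset of the OpenID Provider metadata that the check looks at.
type Discovery struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	UserinfoEndpoint      string `json:"userinfo_endpoint"`
	JWKSURI               string `json:"jwks_uri"`
}

// sampleDiscovery is a trimmed copy of the openid-configuration posted in the
// issue (constructed test input; sso.my.domain is the issue's placeholder host).
const sampleDiscovery = `{"issuer":"https://sso.my.domain",
 "authorization_endpoint":"https://sso.my.domain/oauth/v2/authorize",
 "token_endpoint":"https://sso.my.domain/oauth/v2/token",
 "userinfo_endpoint":"https://sso.my.domain/oidc/v1/userinfo",
 "jwks_uri":"https://sso.my.domain/oauth/v2/keys"}`

// endpoints returns the named endpoints so they can be overridden and checked uniformly.
func (d Discovery) endpoints() map[string]string {
	return map[string]string{
		"authorization_endpoint": d.AuthorizationEndpoint,
		"token_endpoint":         d.TokenEndpoint,
		"userinfo_endpoint":      d.UserinfoEndpoint,
		"jwks_uri":               d.JWKSURI,
	}
}

// checkEndpoint compares one endpoint URL against the issuer.
// Assumed policy (stricter than the spec minimum): every endpoint must be an
// absolute https URL on the issuer's exact origin (scheme, host and port), so an
// override can neither downgrade the code, client secret or token exchange to
// cleartext nor quietly redirect it (or the JWKS fetch) to another server.
func checkEndpoint(issuer *url.URL, name, raw string) []string {
	var problems []string
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return []string{fmt.Sprintf("%s: %q is not an absolute URL", name, raw)}
	}
	if u.Scheme != "https" {
		problems = append(problems, fmt.Sprintf("%s: scheme %q is not https; the authorization code, client secret and tokens would travel in cleartext", name, u.Scheme))
	}
	if u.Host != issuer.Host {
		problems = append(problems, fmt.Sprintf("%s: origin %s://%s differs from issuer %s", name, u.Scheme, u.Host, issuer))
	}
	return problems
}

// CheckOverrides parses a discovery document, applies operator-supplied
// endpoint overrides (keyed by metadata field name) and returns every policy
// violation, sorted for stable output. An empty result means the merged
// configuration passes; an unknown override key or a non-https issuer is an error.
func CheckOverrides(discoveryJSON string, overrides map[string]string) ([]string, error) {
	var d Discovery
	if err := json.Unmarshal([]byte(discoveryJSON), &d); err != nil {
		return nil, fmt.Errorf("parse discovery document: %w", err)
	}
	issuer, err := url.Parse(d.Issuer)
	if err != nil || issuer.Scheme != "https" || issuer.Host == "" {
		return nil, fmt.Errorf("issuer %q must be an absolute https URL", d.Issuer)
	}
	eps := d.endpoints()
	for name, v := range overrides {
		if _, known := eps[name]; !known {
			return nil, fmt.Errorf("unknown endpoint override %q", name)
		}
		eps[name] = v
	}
	var problems []string
	for name, raw := range eps {
		problems = append(problems, checkEndpoint(issuer, name, raw)...)
	}
	sort.Strings(problems)
	return problems, nil
}

func main() {
	// The override from the issue: token endpoint over plain http on port 8080.
	problems, err := CheckOverrides(sampleDiscovery, map[string]string{
		"token_endpoint": "http://sso.my.domain:8080/oauth/v2/token",
	})
	if err != nil {
		panic(err)
	}
	for _, p := range problems {
		fmt.Println("REJECT:", p)
	}
	if len(problems) == 0 {
		fmt.Println("ok")
	}
}
```

Run against the override from the first post, the check flags the token endpoint twice: once for cleartext HTTP and once because sso.my.domain:8080 is a different origin from the issuer. Both are the properties a relying party normally gets for free by trusting the discovery document, which is the trade-off behind the feature request. The DNS route suggested in the last comment (making sso.my.domain resolve to the reverse proxy from inside the Docker network) keeps the discovered endpoints unchanged, so the same check passes without any override.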