go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License

When using an external OIDC provider, such as Authelia, the port number 9443 is missing. #32019

Open lxp135 opened 2 months ago

lxp135 commented 2 months ago

Description

When using an external OIDC provider, such as Authelia, accessing https://xxx.com:9443/.well-known/openid-configuration returns the following JSON:

{
  "issuer": "https://xxx.com:9443",
  "jwks_uri": "https://xxx.com:9443/jwks.json",
  "authorization_endpoint": "https://xxx.com:9443/api/oidc/authorization",
  "token_endpoint": "https://xxx.com:9443/api/oidc/token",
  "subject_types_supported": ["public", "pairwise"],
  "response_types_supported": ["code", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token"],
  "grant_types_supported": ["authorization_code", "implicit", "client_credentials", "refresh_token"],
  "response_modes_supported": ["form_post", "query", "fragment", "jwt", "form_post.jwt", "query.jwt", "fragment.jwt"],
  "scopes_supported": ["offline_access", "openid", "profile", "groups", "email"],
  "claims_supported": ["amr", "aud", "azp", "client_id", "exp", "iat", "iss", "jti", "rat", "sub", "auth_time", "nonce", "email", "email_verified", "alt_emails", "groups", "preferred_username", "name"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none"],
  "token_endpoint_auth_signing_alg_values_supported": ["HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512"],
  "introspection_endpoint": "https://xxx.com:9443/api/oidc/introspection",
  "revocation_endpoint": "https://xxx.com:9443/api/oidc/revocation",
  "introspection_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt"],
  "revocation_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "none"],
  "revocation_endpoint_auth_signing_alg_values_supported": ["HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512"],
  "code_challenge_methods_supported": ["S256"],
  "authorization_response_iss_parameter_supported": true,
  "introspection_signing_alg_values_supported": ["RS256", "none"],
  "pushed_authorization_request_endpoint": "https://xxx.com:9443/api/oidc/pushed-authorization-request",
  "require_pushed_authorization_requests": false,
  "id_token_signing_alg_values_supported": ["RS256", "none"],
  "userinfo_endpoint": "https://xxx.com:9443/api/oidc/userinfo",
  "userinfo_signing_alg_values_supported": ["RS256", "none"],
  "request_object_signing_alg_values_supported": ["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512", "none"],
  "claim_types_supported": ["normal"],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true,
  "require_request_uri_registration": true,
  "claims_parameter_supported": false,
  "prompt_values_supported": ["none", "consent"],
  "authorization_signing_alg_values_supported": ["RS256"]
}

When requesting https://gitea.ooo.com:9443/user/oauth2/Authelia, the Response Headers include the Location:

https://xxx.com/api/oidc/authorization?client_id=gitea&redirect_uri=https%3A%2F%2Fgitea.ooo.com%3A9443%2Fuser%2Foauth2%2FAuthelia%2Fcallback&response_type=code&scope=openid&state=908767eb-xxxx-xxxx-xxxx-55657982bb0e

However, the port number 9443 is missing.

Gitea Version

1.22.2 built with GNU Make 4.4.1, go1.22.6 : bindata, timetzdata, sqlite, sqlite_unlock_notify

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

[Two screenshots attached to the issue (WeChat screenshots 微信截图_20240910162738 and 微信截图_20240910163118); images not included]

Git Version

2.45.2

Operating System

unraid 7.0.0

How are you running Gitea?

docker

Database

None

yp05327 commented 2 months ago

I cannot understand. Where is the port number 9443 missing? The redirect_uri?

wxiaoguang commented 2 months ago

If Gitea's "port" is missing, in >99% of cases the user doesn't follow Gitea's document: https://docs.gitea.com/administration/reverse-proxies , and some HTTP headers are wrong. And I guess the "self check" page might also say something is wrong.

If the HTTP headers are right and nothing wrong is reported by the "self check" page, please clarify the problem you met.

wxiaoguang commented 2 months ago

From my understanding, I think the author meant this:

  1. An OIDC provider Authelia at https://xxx.com:9443
  2. Gitea instance at https://gitea.cloud.com:9443
  3. Make Gitea use https://xxx.com:9443/.well-known/openid-configuration to setup OIDC
  4. Confirmed that the URLs in https://xxx.com:9443/.well-known/openid-configuration are all right
    • eg: authorization_endpoint: https://xxx.com:9443/api/oidc/authorization
  5. Try to log in to Gitea, but Gitea responds Location: https://xxx.com/api/oidc/authorization?client_id=gitea&... , which is not the URL declared in the well-known configuration (the :9443 is missing in https://xxx.com/)
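An added check that encodes the comparison in steps 4 and 5 above (example code, not Gitea's own): it parses a discovery document and a Location header, both constructed from the values quoted in this issue, and reports when the redirect target does not match the declared authorization_endpoint, port included.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Subset of the OIDC discovery document that matters for the login redirect.
type discovery struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
}

// Constructed samples, trimmed from the discovery document and Location header in the issue.
const sampleDiscovery = `{"issuer": "https://xxx.com:9443",
  "authorization_endpoint": "https://xxx.com:9443/api/oidc/authorization"}`
const sampleLocation = "https://xxx.com/api/oidc/authorization?client_id=gitea&redirect_uri=https%3A%2F%2Fgitea.ooo.com%3A9443%2Fuser%2Foauth2%2FAuthelia%2Fcallback&response_type=code&scope=openid&state=x"

// CheckRedirect reports where the discovery document and the emitted Location header disagree; empty means they agree.
func CheckRedirect(discoveryJSON, location string) ([]string, error) {
	var d discovery
	if err := json.Unmarshal([]byte(discoveryJSON), &d); err != nil {
		return nil, err
	}
	// All three values must be absolute URLs; url.Host keeps the port, which is the whole point.
	urls := map[string]*url.URL{}
	for name, raw := range map[string]string{"issuer": d.Issuer, "authorization_endpoint": d.AuthorizationEndpoint, "Location": location} {
		u, err := url.Parse(raw)
		if err != nil || u.Scheme == "" || u.Host == "" {
			return nil, fmt.Errorf("%s is not an absolute URL: %q", name, raw)
		}
		urls[name] = u
	}
	iss, ep, loc := urls["issuer"], urls["authorization_endpoint"], urls["Location"]
	var findings []string
	// Step 4 of the reproduction: the declared endpoint must sit under the issuer's origin.
	if ep.Scheme != iss.Scheme || ep.Host != iss.Host {
		findings = append(findings, fmt.Sprintf("authorization_endpoint %q is not under issuer %q", d.AuthorizationEndpoint, d.Issuer))
	}
	// Step 5: the redirect target, query stripped, must equal the declared endpoint, port included.
	if got := loc.Scheme + "://" + loc.Host + loc.Path; got != d.AuthorizationEndpoint {
		findings = append(findings, fmt.Sprintf("Location %q != declared authorization_endpoint %q", got, d.AuthorizationEndpoint))
	}
	return findings, nil
}

func main() {
	fmt.Println(CheckRedirect(sampleDiscovery, sampleLocation)) // one finding: Location lacks :9443
}
```

Running it against the values from this issue yields exactly one finding, the dropped :9443 in the Location target; a Location header that carries the port produces none.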