
Oauth2 OpenID Connect authentication source - redirect fails sending user to gitea instead of auth service resulting in 404 #32353

Closed hulto closed 1 week ago

hulto commented 1 week ago

Description

I'm trying to configure Gitea with my Vault server as an authentication source using OAuth2. I followed the prompts under: Identity & Access > Authentication Sources > Add Authentication Source

Authentication Type: OAuth2
Authentication Name: Vault2
OAuth2 Provider: OpenID Connect
Client ID (Key): wWOeykAzVxxRDJpQEGRVnuYtef0Au6HZ
Client Secret: [Redacted]
Skip local 2FA: True

When I log in to Gitea with my custom OAuth2 source (Sign in > Sign in > Sign in with vault2):

Gitea redirects me to: http:/// instead of the expected: https:///

Resulting in a 404.

Gitea Version

1.22.3

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

Auth source configuration image

openid-configuration JSON image

Signing in with OpenID vault2 image

Unexpected 404 error image

http://git.galaxygridlabs.com:3000/ui/vault/identity/oidc/provider/default/authorize?client_id=wWOeykAzVxxRDJpQEGRVnuYtef0Au6HZ&redirect_uri=http%3A%2F%2Fgit.galaxygridlabs.com%3A3000%2Fuser%2Foauth2%2Fvault2%2Fcallback&response_type=code&scope=openid&state=b0ad9b74-e2a9-4d4f-ae54-6e9e6baff1ec

Git Version

No response

Operating System

No response

How are you running Gitea?

Docker image docker.io/gitea/gitea:1.22.3@sha256:76f516a1a8c27e8f8e9773639bf337c0176547a2d42a80843e3f2536787341c6 Using GCP COS.

Set up with Pulumi (Go).

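// NewGitea provisions a single Gitea instance on GCP as a Pulumi component
// resource: a persistent data disk, a container declaration for a
// Container-Optimized OS VM, and the VM itself. The component's registered
// outputs expose the instance's network interfaces under the "url" key.
//
// Parameters:
//   - ctx: the Pulumi program context.
//   - gcpProject, gcpRegion: not used by this function; kept so existing
//     callers keep compiling.
//   - resourceId: suffix of the component's type token and the stored Id.
//
// Returns the registered *Gitea component, or an error from any of the
// underlying resource registrations (wrapped with the step that failed).
func NewGitea(ctx *pulumi.Context, gcpProject string, gcpRegion string, resourceId string) (*Gitea, error) {
	gitRes := &Gitea{
		Id: resourceId,
	}

	if err := ctx.RegisterComponentResource(fmt.Sprintf("pkg:index:gcp:Gitea:%s", resourceId), "gitea", gitRes); err != nil {
		return nil, fmt.Errorf("registering Gitea component %q: %w", resourceId, err)
	}

	// Persistent disk holding /data (repositories, SQLite DB, config).
	dataDisk, err := compute.NewDisk(ctx, "giteadata", &compute.DiskArgs{
		Size: pulumi.Int(giteaDataDiskSizeGB),
	})
	if err != nil {
		return nil, fmt.Errorf("creating gitea data disk: %w", err)
	}

	// Container declaration consumed by COS via the gce-container-declaration
	// metadata key. Registration is disabled; the container runs as uid/gid 1000.
	//
	// NOTE(review): no ROOT_URL or TLS is configured for Gitea here. Gitea
	// derives absolute URLs, including the OAuth2 redirect_uri, from its
	// ROOT_URL, so a plain-http ROOT_URL yields a plain-http redirect_uri.
	// Once the instance is fronted by TLS, set GITEA__server__ROOT_URL to the
	// public https URL (the issue discussion asks to confirm ROOT_URL for
	// exactly this reason).
	specStr := `
spec:
  containers:
  - name: gitea
    image: docker.io/gitea/gitea:1.22.3@sha256:76f516a1a8c27e8f8e9773639bf337c0176547a2d42a80843e3f2536787341c6
    env:
    - name: DISABLE_REGISTRATION
      value: 'true'
    - name: USER_UID
      value: '1000'
    - name: USER_GID
      value: '1000'
    volumeMounts:
    - name: pd-0
      readOnly: false
      mountPath: /data
    stdin: false
    tty: false
  volumes:
  - name: pd-0
    gcePersistentDisk:
      pdName: giteadata
      fsType: ext4
      partition: 0
      readOnly: false`

	containerSpec, err := common.NewSpec(ctx, "giteaspec", specStr, resourceId, nil)
	if err != nil {
		return nil, fmt.Errorf("rendering gitea container spec: %w", err)
	}

	// Container-Optimized OS VM running the Gitea container.
	instance, err := compute.NewInstance(ctx, "gitea", &compute.InstanceArgs{
		MachineType: pulumi.String("f1-micro"),
		BootDisk: compute.InstanceBootDiskArgs{
			InitializeParams: compute.InstanceBootDiskInitializeParamsArgs{
				Image: pulumi.String("projects/cos-cloud/global/images/cos-stable-113-18244-151-9"),
				Size:  pulumi.Int(10),
			},
		},
		AttachedDisks: compute.InstanceAttachedDiskArray{
			compute.InstanceAttachedDiskArgs{
				DeviceName: pulumi.String("giteadata"),
				Mode:       pulumi.String("READ_WRITE"),
				Source:     dataDisk.Name,
			},
		},
		NetworkInterfaces: compute.InstanceNetworkInterfaceArray{
			compute.InstanceNetworkInterfaceArgs{
				// An access config gives the VM a public IPv4 address; Gitea is
				// then reachable from the internet on whatever port it listens
				// on (port 3000 over plain http, per the redirect URL in the
				// issue). Tags is empty below, so no tag-scoped firewall rule
				// narrows that exposure — presumably the network default applies;
				// verify against the project's firewall rules.
				AccessConfigs: compute.InstanceNetworkInterfaceAccessConfigArray{
					&compute.InstanceNetworkInterfaceAccessConfigArgs{ // PREMIUM Tier doesn't allocate an ephemeral IP.
						NatIp:       pulumi.String(""),
						NetworkTier: pulumi.String("STANDARD"),
					},
				},
				Subnetwork: pulumi.String("default"),
				StackType:  pulumi.String("IPV4_ONLY"),
			},
		},
		// NOTE(review): cloud-platform is the broadest OAuth scope; combined
		// with no explicit Email this presumably attaches the project's default
		// compute service account. Nothing in this function shows the Gitea
		// container needing GCP APIs, so a narrower scope (or a dedicated,
		// minimally-privileged service account) limits what a compromised host
		// can reach — confirm against what the COS agent itself requires.
		ServiceAccount: compute.InstanceServiceAccountArgs{
			Scopes: pulumi.ToStringArray([]string{
				"https://www.googleapis.com/auth/cloud-platform",
			}),
		},
		AllowStoppingForUpdate: pulumi.Bool(true),
		Metadata: pulumi.StringMap{
			"gce-container-declaration": pulumi.String(containerSpec.Spec),
			"google-logging-enabled":    pulumi.String("false"),
			// "user-data":                 cloudInitMetadata.Rendered,
		},
		Tags: pulumi.ToStringArray([]string{}),
		// Any metadata change (i.e. a new container spec) replaces the VM, and
		// the old VM is deleted first so the single data disk can be re-attached.
	}, pulumi.Parent(gitRes), pulumi.DeleteBeforeReplace(true), pulumi.ReplaceOnChanges([]string{"metadata"}))
	if err != nil {
		return nil, fmt.Errorf("creating gitea instance: %w", err)
	}

	// "url" is the full NetworkInterfaces output, not a URL string; callers
	// must dig the access config's NAT IP out of it.
	gitRes.MapOutput = pulumi.Map{
		"url": instance.NetworkInterfaces,
	}
	// RegisterResourceOutputs returns an error; the original discarded it,
	// which can leave the component registered with no outputs and no report.
	if err := ctx.RegisterResourceOutputs(gitRes, gitRes.MapOutput); err != nil {
		return nil, fmt.Errorf("registering Gitea component outputs: %w", err)
	}
	return gitRes, nil
}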

Database

SQLite

lunny commented 1 week ago

Please confirm your ROOT_URL is the right one.

wxiaoguang commented 1 week ago

http://git.galaxygridlabs.com:3000/ui/vault/identity/oidc/provider/default/authorize?client_id=wWOeykAzVxxRDJpQEGRVnuYtef0Au6HZ&redirect_uri=http%3A%2F%2Fgit.galaxygridlabs.com%3A3000%2Fuser%2Foauth2%2Fvault2%2Fcallback&response_type=code&scope=openid&state=b0ad9b74-e2a9-4d4f-ae54-6e9e6baff1ec

It is Vault's problem. According to the OIDC Discovery spec, the URLs in the well-known openid-configuration document should be full (absolute) URLs.

https://openid.net/specs/openid-connect-discovery-1_0.html

But your Vault only responds with a relative path, without scheme or host.

hulto commented 1 week ago

Ahh thanks @wxiaoguang you're totally right.