go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License
45.24k stars, 5.5k forks

Enhancing Gitea OAuth2 Provider with Granular Scopes for Resource Access #32573

Closed marcellmars closed 4 hours ago

marcellmars commented 2 days ago

Resolve #31609

This PR was initiated following my personal research to find the lightest possible Single Sign-On solution for self-hosted setups. The existing solutions often seemed too enterprise-oriented, involving many moving parts and services, demanding significant resources while promising planetary-scale capabilities. Others were adequate in supporting basic OAuth2 flows but lacked proper user management features, such as a change password UI.

Gitea hits the sweet spot for me, provided it supports more granular access permissions for resources under users who accept the OAuth2 application.

This PR aims to introduce granularity in handling user resources as non-intrusively and simply as possible. It allows third parties to inform users about their intent to not ask for full access and instead request a specific, reduced scope. If the provided scopes are only the typical ones for OIDC/OAuth2—openid, profile, email, and groups—everything remains unchanged (currently, full access to the user's resources). Additionally, this PR supports processing scopes already introduced with personal tokens (e.g. read:user, write:issue, read:group, write:repository...).

Personal tokens define scopes around specific resources: user info, repositories, issues, packages, organizations, notifications, miscellaneous, admin, and activitypub, with access delineated by read and/or write permissions.

The initial case I wanted to address was to have Gitea act as an OAuth2 Identity Provider. To achieve that, with this PR, I would only add openid public-only to provide an access token to the third party to authenticate Gitea's user, but no further access to the API and the user's resources.

Another example: if a third party wanted to interact solely with Issues, it would need to add read:user (for authorization) and read:issue/write:issue to manage Issues.

My approach is based on my understanding of how scopes can be utilized, supported by examples like Sample Use Cases: Scopes and Claims on auth0.com.

I renamed CheckOAuthAccessToken to GetOAuthAccessTokenScopeAndUserID, so now it returns AccessTokenScope and the user's ID. In the case of additional scopes in userIDFromToken, the default all would be reduced to whatever was asked for via those scopes. The main difference is the opportunity to reduce the permissions from all, as is currently the case, to what is provided by the additional scopes described above.

Screenshots: Screenshot_20241121_121405, Screenshot_20241121_120211, Screenshot_20241121_120119, Screenshot_20241121_120018
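An added example, not code from this PR or from Gitea, of the reduction the description talks about: given the space-separated scope string a third party sends in its authorization request, it computes the scope that should end up on the issued token. OIDC scopes (openid, profile, email, groups) leave the default "all" untouched, "public-only" alone yields an identity-only token, and read/write resource scopes replace "all" with just what was asked for. The function name EffectiveScope, the resource list, the comma-joined output format and the rule that an unrecognised scope is rejected rather than ignored are my assumptions; Gitea's actual logic lives in GetOAuthAccessTokenScopeAndUserID and may differ.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// OIDC scopes identify the user but neither restrict nor widen API access.
var oidcScopes = map[string]bool{"openid": true, "profile": true, "email": true, "groups": true}

// Resource categories taken from the personal-token scopes listed in the PR
// description; only "read:<res>" and "write:<res>" are accepted (assumed).
var resources = map[string]bool{
	"user": true, "repository": true, "issue": true, "package": true, "organization": true,
	"notification": true, "misc": true, "admin": true, "activitypub": true,
}

// EffectiveScope returns the token scope for a requested scope string:
//   - "all" when only OIDC scopes (or nothing) were requested, i.e. today's behaviour,
//   - "public-only" when the client explicitly asked for identity only,
//   - otherwise a sorted, de-duplicated list of resource scopes, where
//     "write:x" subsumes "read:x" and "public-only" is kept if present.
// Any scope it does not recognise is an error, so a typo or an unexpected
// value can never silently widen access back to "all".
func EffectiveScope(requested string) (string, error) {
	granted := map[string]string{} // resource -> "read" | "write"
	publicOnly := false
	for _, s := range strings.Fields(requested) {
		switch {
		case oidcScopes[s]:
			continue
		case s == "public-only":
			publicOnly = true
		default:
			perm, res, ok := strings.Cut(s, ":")
			if !ok || !resources[res] || (perm != "read" && perm != "write") {
				return "", fmt.Errorf("unknown scope %q", s)
			}
			if granted[res] != "write" { // write already covers read
				granted[res] = perm
			}
		}
	}
	if len(granted) == 0 {
		if publicOnly {
			return "public-only", nil
		}
		return "all", nil
	}
	out := make([]string, 0, len(granted)+1)
	for res, perm := range granted {
		out = append(out, perm+":"+res)
	}
	sort.Strings(out)
	if publicOnly {
		out = append([]string{"public-only"}, out...)
	}
	return strings.Join(out, ","), nil
}

func main() {
	// Constructed sample requests covering the cases from the PR description.
	for _, req := range []string{
		"openid profile email",
		"openid public-only",
		"openid read:user read:issue write:issue",
		"openid read:user delete:issue",
	} {
		scope, err := EffectiveScope(req)
		fmt.Printf("%-42q -> %q %v\n", req, scope, err)
	}
}
```

Rejecting unknown scopes is the conservative choice: if the server ignored them, a client that sends "read:isue" by mistake would fall through to the "all" default and get far more than it intended to ask for.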

wxiaoguang commented 1 day ago

By the way, no need to rebase or force push after reviewing starts (it makes the review more difficult). https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md#maintaining-open-prs

Just push new commits, and the final merge will squash.

marcellmars commented 1 day ago

> By the way, no need to rebase or force push after reviewing starts (it makes the review more difficult). https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md#maintaining-open-prs
>
> Just push new commits, and the final merge will squash.

Thank you for your patience. This is my first pull request and I am still learning.

lunny commented 1 day ago

Could we have a screenshot of the new grant page?

lunny commented 1 day ago

Please send a doc update PR to https://gitea.com/gitea/docs

marcellmars commented 21 hours ago

> Could we have a screenshot of the new grant page?

Screenshots: Screenshot_20241121_121405, Screenshot_20241121_120211, Screenshot_20241121_120119, Screenshot_20241121_120018

lunny commented 17 hours ago

> > Could we have a screenshot of the new grant page?
>
> Screenshots: Screenshot_20241121_121405, Screenshot_20241121_120211, Screenshot_20241121_120119, Screenshot_20241121_120018

Thank you. The permissions should be highlighted, maybe a bold font?

marcellmars commented 16 hours ago

> Please send a doc update PR to https://gitea.com/gitea/docs

https://gitea.com/gitea/docs/pulls/102

marcellmars commented 14 hours ago

> Thank you. The permissions should be highlighted, maybe a bold font?

committed.

lunny commented 14 hours ago

Please don't add HTML tags in translations. You can use

{{ctx.Locale.Tr "auth.authorize_application_with_scopes" (HTMLFormat "<b>%s</b>" .Scope)}}

We plan to remove all HTML tags from the previous translations.
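An added example, not Gitea's code, of the pattern in the comment above: the translation string carries only plain text and a placeholder, the markup is added by the template, and the scope value is escaped before it is wrapped in the tag. The helpers htmlFormat and tr are stand-ins for Gitea's HTMLFormat and ctx.Locale.Tr written from the behaviour implied by that snippet (string arguments are escaped, values already typed as template.HTML pass through); the translation text and the sample scopes are constructed.

```go
package main

import (
	"fmt"
	"html/template"
)

// Constructed translation table: plain text plus a %s placeholder, no tags,
// so translators never touch markup.
var translations = map[string]string{
	"auth.authorize_application_with_scopes": "Authorize this application with scopes %s",
}

// htmlFormat treats the format string as trusted markup and HTML-escapes every
// argument before substituting it. Stand-in for Gitea's HTMLFormat (assumed).
func htmlFormat(format string, args ...string) template.HTML {
	escaped := make([]any, len(args))
	for i, a := range args {
		escaped[i] = template.HTMLEscapeString(a)
	}
	return template.HTML(fmt.Sprintf(format, escaped...))
}

// tr looks up a translation and substitutes arguments: plain strings are
// escaped, values already marked template.HTML are inserted verbatim.
// Stand-in for ctx.Locale.Tr (assumed behaviour).
func tr(key string, args ...any) template.HTML {
	format, ok := translations[key]
	if !ok {
		return template.HTML(template.HTMLEscapeString(key))
	}
	safe := make([]any, len(args))
	for i, a := range args {
		switch v := a.(type) {
		case template.HTML:
			safe[i] = string(v)
		case string:
			safe[i] = template.HTMLEscapeString(v)
		default:
			safe[i] = template.HTMLEscapeString(fmt.Sprint(v))
		}
	}
	return template.HTML(fmt.Sprintf(format, safe...))
}

// RenderGrantLine builds the grant-page sentence for a requested scope string,
// mirroring {{ctx.Locale.Tr "auth.authorize_application_with_scopes" (HTMLFormat "<b>%s</b>" .Scope)}}.
func RenderGrantLine(scope string) string {
	return string(tr("auth.authorize_application_with_scopes", htmlFormat("<b>%s</b>", scope)))
}

func main() {
	// Constructed inputs: a normal scope string and one containing markup.
	for _, scope := range []string{"read:user,write:issue", "<img src=x onerror=alert(1)>"} {
		fmt.Println(RenderGrantLine(scope))
	}
}
```

With the tag in the template rather than in the translation file, the only place the scope value can reach the page is through htmlFormat's escaping, and a translator cannot accidentally break or remove that path.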

marcellmars commented 14 hours ago
> {{ctx.Locale.Tr "auth.authorize_application_with_scopes" (HTMLFormat "<b>%s</b>" .Scope)}}
>
> We plan to remove all HTML tags from the previous translations.

Great. I opened the translations and a few lines below there was some HTML, so I just copied the pattern ;)