
OAuth2 provider "userinfo" support #8534

Closed
carlokok opened this issue Oct 16, 2019 · 27 comments
Labels
issue/bounty This issue has a bounty associated. Whoever opens a PR and gets it merged can claim the bounty. issue/confirmed Issue has been reviewed and confirmed to be present or accepted to be implemented topic/authentication type/enhancement An improvement of existing functionality

@carlokok

Gitea has an OAuth2 provider that can be used to connect applications. ConcourseCI requires that Gitea has a "userinfo" endpoint though, which it currently does not provide. userinfo seems to be fairly simple (https://connect2id.com/products/server/docs/api/userinfo) and part of OpenID Connect (there is a separate issue from someone else to provide that).

@lafriks lafriks added the type/enhancement An improvement of existing functionality label Oct 16, 2019
@lafriks lafriks added this to the 1.11.0 milestone Oct 16, 2019
@lafriks lafriks self-assigned this Oct 16, 2019
@fizzyduck

I've been trying to set up vouch-proxy https://github.com/vouch/vouch-proxy/ to use Gitea as an OAuth2 provider and it also seems to require the "userinfo" endpoint.

@sikmir

sikmir commented Nov 12, 2019

The same problem with Wekan, it also requires the "userinfo" endpoint.

@lunny
Member

lunny commented Nov 13, 2019

In fact we have one https://gitea.com/api/swagger#/user/userGetCurrent , but it may not satisfy the standard.

@sikmir

sikmir commented Nov 13, 2019

> In fact we have one https://gitea.com/api/swagger#/user/userGetCurrent , but it may not satisfy the standard.

Expected request/response:

>> GET /login/oauth/userinfo
Authorization: Bearer <access_token>
Accept: application/json

<< HTTP/1.1 200 OK
Content-Type: application/json

{
    "sub": "248289761001",
    "name": "Jane Doe",
    "preferred_username": "j.doe",
    "email": "[email protected]",
    "picture": "http://example.com/janedoe/me.jpg"
}

@6543
Member

6543 commented Nov 13, 2019

sub = ?!?
name = user.full_name
preferred_username = user.username
email = user.email
picture = user.avatar_url

@aaronpk

aaronpk commented Feb 2, 2020

sub is short for "subject" and is supposed to be a unique identifier for the user account, not necessarily something human readable. You could use an internal database ID for example.

@stale

stale bot commented Apr 2, 2020

This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.

@stale stale bot added the issue/stale label Apr 2, 2020
@sikmir

sikmir commented Apr 2, 2020

Keep it open.

@stale stale bot removed the issue/stale label Apr 2, 2020
@lunny lunny added the issue/confirmed Issue has been reviewed and confirmed to be present or accepted to be implemented label Apr 3, 2020
@ppaulweber

@lafriks what's the status of this issue and the referenced PRs? I was trying to integrate Gitea with Concourse CI, but it seems the userinfo endpoint is still missing in the latest Gitea release, which is a showstopper for a proper OAuth integration.

@kevung

kevung commented Dec 10, 2020

I confirm this would be very useful to use in combination with Jupyterhub.
https://oauthenticator.readthedocs.io/en/latest/writing-an-oauthenticator.html
https://oauthenticator.readthedocs.io/en/latest/getting-started.html

@reivilibre

Another instance where this would be useful is with setting up Grafana to use Gitea with OAuth, which also expects an OpenID-compatible 'UserInfo' endpoint.

https://grafana.com/docs/grafana/latest/auth/generic-oauth/

@lunny
Member

lunny commented Jan 18, 2021

@mcansky

mcansky commented Mar 3, 2021

Would a bounty help to get this moving?
This would be really useful to advocate for Gitea by showing it works properly with a bunch more services.

@6543
Member

6543 commented Mar 3, 2021

@mcansky bounties do help, even a small one shows that this is valued ...

@mcansky

mcansky commented Mar 4, 2021

> @mcansky bounties do help, even a small one shows that this is valued ...

OK, I will organise one through https://www.bountysource.com/issues/82089047-oauth2-provider-userinfo-support ? I will check how exactly that works on the accounting side.
How is the usual "load" of the developers on the project? Are some of you on it all the time, or is it mostly "on the side"?

@6543
Member

6543 commented Mar 4, 2021

It's all free spare time (If one is left 🙃)
-> "on the side"

@mcansky

mcansky commented Mar 9, 2021

OK, let's do this :D There is now a $100 bounty on this feature; my main interest is to get the OAuth2 provider features complete so that other tools such as ConcourseCI can fully use Gitea as an OAuth2 provider, as this is a blocking point for my company to get the pair to match as part of Git hosting + CI/CD offerings.

@techknowlogick techknowlogick added the issue/bounty This issue has a bounty associated. Whoever opens a PR and gets it merged can claim the bounty. label Mar 9, 2021
@titpetric

I added the userinfo endpoint in the PR. It isn't tested, but as long as ctx.User is filled out on the request, this should be it. From what I understand, the reqSignIn in the /login/oauth group definition should fill this out.

Do you have the ability to test the PR (build with make and test)?

@mcansky

mcansky commented Mar 10, 2021

All right, let's see how the PR goes, and in the meantime I will get something ready to test; thanks a lot for your prompt action!

NLH-Software pushed a commit to NLH-Software/gitea that referenced this issue May 4, 2021
@NLH-Software
Contributor

I've needed a correctly working userinfo endpoint to secure a location on my webspace with the OpenID authorization from Gitea. So I developed a working and complete solution which checks against the valid token. I pushed it today and created a pull request.
For testing, just check out the version from my source branch, build it (tested on arm64 and amd64) and use it in your environment.
Maybe I will add the usage of the scope later (so an admin can select which fields he requests from Gitea).

Should fix this issue.

techknowlogick pushed a commit that referenced this issue May 6, 2021
* Implemented userinfo #8534

* Make lint happy

* Add userinfo endpoint to openid-configuration

* Give an error when uid equals 0

* Implemented BearerTokenErrorCode handling

* instead of ctx.error use ctx.json so that clients
parse error and error_description correctly

* Removed unneeded if statement

* Use switch instead of subsequent if statements
Have a default for unknown errorcodes.

Co-authored-by: Nils Hillmann <[email protected]>
Co-authored-by: nlhsoftware <[email protected]>
@techknowlogick
Member

Closing as both linked PRs are now merged. @NLH-Software if you are bountyhub you can claim the bounty.

@mcansky

mcansky commented May 6, 2021

Thank you all!!

@fizzyduck

fizzyduck commented May 6, 2021 via email

@ppaulweber

Thx @NLH-Software 🙏 I'll give it a try ASAP for my use case (see: #8534 (comment)).

@NLH-Software
Contributor

> Thx @NLH-Software 🙏 I'll give it a try ASAP for my use case (see: #8534 (comment)).

If you have problems, let me know and we can find out which configuration is needed.

@lunny lunny modified the milestones: 1.x.x, 1.15.0 Jun 1, 2021
@mcansky

mcansky commented Jun 19, 2021

I tested out adding Gitea as an OAuth provider for a Concourse CI setup with Docker; I followed https://docs.gitea.io/en-us/oauth2-provider/ and https://concourse-ci.org/generic-oauth.html Unfortunately I am still getting an error:

[image]

I used a freshly built docker image (mcansky/gitea:latest) locally. Happy to do a debug session one of these days if it can help figure out something.

@NLH-Software
Contributor

> I tested out adding Gitea as an OAuth provider for a Concourse CI setup with Docker; I followed https://docs.gitea.io/en-us/oauth2-provider/ and https://concourse-ci.org/generic-oauth.html Unfortunately I am still getting an error:
>
> [image]
>
> I used a freshly built docker image (mcansky/gitea:latest) locally. Happy to do a debug session one of these days if it can help figure out something.

Can you try https://concourse-ci.org/generic-oidc-auth.html for setup? Probably this should work. userinfo is implemented like in the comment from November 19 and as described at https://openid.net/specs/openid-connect-core-1_0.html#UserInfo mentioned by lunny.

I tested it successfully with Grafana and mod_auth_openidc for Apache, so I think you must use the OIDC authentication variant.

AbdulrhmnGhanem pushed a commit to kitspace/gitea that referenced this issue Aug 10, 2021
* Implemented userinfo go-gitea#8534

* Make lint happy

* Add userinfo endpoint to openid-configuration

* Give an error when uid equals 0

* Implemented BearerTokenErrorCode handling

* instead of ctx.error use ctx.json so that clients
parse error and error_description correctly

* Removed unneeded if statement

* Use switch instead of subsequent if statements
Have a default for unknown errorcodes.

Co-authored-by: Nils Hillmann <[email protected]>
Co-authored-by: nlhsoftware <[email protected]>
@go-gitea go-gitea locked and limited conversation to collaborators Oct 19, 2021