# Provider Setup
## Redirect URIs

When you set up any auth provider, the provider will ask for valid/authorised "Redirect URIs". You should enter every host you will allow authentication from, with the URL path appended (e.g. `https://app.example.com/_oauth`).

By default, when not using Auth Host Mode, this will be every host in your setup (e.g. `https://app1.example.com/_oauth`, `https://app2.example.com/_oauth`).

If you are using Auth Host Mode, this will just be your auth host (e.g. `https://auth.example.com/_oauth`).
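As an added illustration (not code from the traefik-forward-auth project), this Python helper lists the exact callback URIs to register for a given set of hosts in either mode, and shows the strict match a provider applies to a redirect URI it receives; the host names are assumptions.

```python
from urllib.parse import urlsplit

# Path on which traefik-forward-auth handles the provider callback (from this page).
CALLBACK_PATH = "/_oauth"


def redirect_uris(hosts, auth_host=None):
    """Return the exact redirect URIs to register with the provider.

    Without Auth Host Mode every application host needs its own callback URI;
    with Auth Host Mode only the auth host does. Host names are supplied by the
    caller (assumed values, not taken from the page).
    """
    targets = [auth_host] if auth_host else list(hosts)
    return sorted({f"https://{h}{CALLBACK_PATH}" for h in targets})


def is_registered(candidate, registered):
    """Exact-match check as a provider should apply it: scheme, host (with port)
    and path must all equal one registered URI. No prefix, subdomain or
    query/fragment tolerance, so a look-alike host or an altered path fails."""
    c = urlsplit(candidate)
    if c.scheme != "https" or c.query or c.fragment:
        return False
    for uri in registered:
        r = urlsplit(uri)
        if (c.netloc.lower(), c.path) == (r.netloc.lower(), r.path):
            return True
    return False
```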
## Google

You can obtain your client credentials from the developer console: https://console.developers.google.com. Create a new project, then search for and select "Credentials" in the search bar. Fill out the "OAuth Consent Screen" tab. Click "Create Credentials" > "OAuth client ID". Select "Web Application", fill in the name of your app, skip "Authorized JavaScript origins" and fill in "Authorized redirect URIs" as per the details in Redirect URIs above.

Use the `google` provider and set the `providers.google.client-id` and `providers.google.client-secret` config options.
## Azure

You should obtain your client credentials by registering an app in the Azure Portal App Registrations; full details of this process can be found here.

When registering the app, use the correct redirect URIs as per the details in Redirect URIs above.

Once registered, head to "Manage" > "Certificates & secrets" and create a new "Client secret" for this application.

Use the `oidc` provider and set:

| Config Option | Value |
|---|---|
| `providers.oidc.issuer-url` | `https://login.microsoftonline.com/{tenant}/v2.0`, where `{tenant}` is your tenant ID, shown as "Directory (tenant) ID" on your app homepage |
| `providers.oidc.client-id` | "Application (client) ID" on app homepage |
| `providers.oidc.client-secret` | Created above |
## Gitea

Use the `generic-oauth` provider and set the following config options:

| Config Option | Value |
|---|---|
| `providers.generic-oauth.auth-url` | `<gitea url>/login/oauth/authorize` |
| `providers.generic-oauth.token-url` | `<gitea url>/login/oauth/access_token` |
| `providers.generic-oauth.user-url` | `<gitea url>/api/v1/user` |
| `providers.generic-oauth.client-id` | `<gitea client id>` |
| `providers.generic-oauth.client-secret` | `<gitea client secret>` |
| `providers.generic-oauth.token-style` | `query` |
## GitHub

You only need to register an "OAuth Application" (as opposed to a full "GitHub Application"), which you can do here: https://github.com/settings/applications/new

Add your redirect URIs under "User authorization callback URL".

Use the `generic-oauth` provider and set the following config options:

| Config Option | Value |
|---|---|
| `providers.generic-oauth.auth-url` | `https://github.com/login/oauth/authorize` |
| `providers.generic-oauth.token-url` | `https://github.com/login/oauth/access_token` |
| `providers.generic-oauth.user-url` | `https://api.github.com/user` |
| `providers.generic-oauth.client-id` | `<github client id>` |
| `providers.generic-oauth.client-secret` | `<github client secret>` |

Note: as per GitHub's documentation, their `/user` endpoint only returns the user's email if it is publicly visible. As such, you will not be able to use the User Restriction features with the GitHub provider unless all your users have their email addresses public.