Gitea as an OpenID-2.0 provider #1310
Comments
lunny
added
the
type/feature
This comment has been minimized.
This comment has been minimized.
|
It isn't necessary, but it makes it easier as you don't have to create a traditional account on every Gitea instance where you want to open a pull request (and you don't have or don't want to use a different OpenID provider). |
This comment has been minimized.
This comment has been minimized.
|
Albeit this thread is quiet for some time I want to add some points for the sake of the argument.
And instantly you have to maintain two systems instead of one. Because a project decided not to contribute to infrastructure it partly relies on. And maintaining more systems in a self-hosting setting means much more opportunity to miss important updates. Furthermore, at least for me, the condition of free, decentralised OpenID infrastructure seems to be quite bad. You can reuse the logins of your accounts at the usual tech giants, but only because someone hardcoded the support for them. I hardly know a service where you can use OpenID tokens from the provider of your choice. I also don't know providers of such tokens that could be used freely. All I know off is the possibility to integrate third-party-logins in your website for preselected third parties. Long story short: OpenID needs more providers, otherwise Giteas OpenID feature cannot be used in a decentralised way. Gitea should be such a provider to reduce required mainenance efforts in self-hosting settings.
It is only about OpenID, isn't it? For me, this seems to be much less than everything. |
|
Since Gitea now could be as OAuth2 provider, that's not too difficult. |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions. |
lunny
added
the
issue/confirmed
|
I still think this is an important feature. Since Gitea does support |
|
If you put links to the specs in this issue anyone that's interested in building this functionality will have an easier time doing it. |
|
gitea now can act as openID provider - so close this issue? |
|
Which PR resolved this? |
|
OpenID is not OAuth2 For example, OAuth2 allows another service to access the Gitea API on your behalf, whereas OpenID would allow another service to treat your Gitea account as a valid account on their platform. EDIT: This StackOverflow question answers it better than I did. |
|
That would be great if Gitea can become OpenID Connect provider ! |
This is "minimal" in the sense that only the Authorization Code Flow from OpenID Connect Core is implemented. No discovery, no configuration endpoint, and no user scope management. OpenID Connect is an extension to the (already implemented) OAuth 2.0 protocol, and essentially an `id_token` JWT is added to the access token endpoint response when using the Authorization Code Flow. I also added support for the "nonce" field since it is required to be used in the id_token if the client decides to include it in its initial request. In order to enable this extension an OAuth 2.0 scope containing "openid" is needed. Other OAuth 2.0 requests should not be impacted by this change. This minimal implementation is enough to enable single sign-on (SSO) for other sites, e.g. by using something like `mod_auth_openidc` to only allow access to a CI server if a user has logged into Gitea. Fixes: go-gitea#1310
This is "minimal" in the sense that only the Authorization Code Flow from OpenID Connect Core is implemented. No discovery, no configuration endpoint, and no user scope management. OpenID Connect is an extension to the (already implemented) OAuth 2.0 protocol, and essentially an `id_token` JWT is added to the access token endpoint response when using the Authorization Code Flow. I also added support for the "nonce" field since it is required to be used in the id_token if the client decides to include it in its initial request. In order to enable this extension an OAuth 2.0 scope containing "openid" is needed. Other OAuth 2.0 requests should not be impacted by this change. This minimal implementation is enough to enable single sign-on (SSO) for other sites, e.g. by using something like `mod_auth_openidc` to only allow access to a CI server if a user has logged into Gitea. Fixes: #1310 Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: zeripath <art27@cantab.net>
|
I think we want discovery for this ticket to be closed. Without discovery a Gitea instance could not be used as an identity provider for other Gitea instances. This ticket was about |
|
Why was this closed ? There's no discovery implemented. |
zeripath
added
topic/authentication
theme/federation
topic/federation
and removed
theme/federation
labels
|
But that's for oath, not OpenID-2.0, right ? |
|
hmm I thought it is for OpenID, to auto-discover things ... |
|
That is OpenID connect. OpenID 2 is something completely different :( |
Now that OpenID instances can be configured to accept an OpenID login, it could be nice if they ccould also serve as OpenID providers so to build what would become the authentication layer of a federation of code repositories. See also #184
The text was updated successfully, but these errors were encountered: