
Gitea does not implement proper OIDC #16852

Closed
Reinitialized opened this issue Aug 27, 2021 · 7 comments

Comments

@Reinitialized

  • Gitea version (or commit ref): 1.15.0

Description

Based on what I've recently learned about OIDC, I do not believe Gitea implements this protocol correctly, specifically when it comes to linking a non-existent Gitea user. Gitea allows the end user to change a variety of identity related options, violating the intent of SSO, such as:

  • Upon registration of a Gitea account, allowing the end user to change their username and email
  • Within Account Settings, allowing the user to change their email and password
  • Allowing end users to log in locally instead of through the OIDC provider

Gitea is an amazing product which I enjoy using, but as I grow my infrastructure and eventually business/community, the ability to manage these settings in a centralized system without having to implement workarounds such as LDAP is a crucial component to using this product. I hope this can be addressed within a timely manner.

Screenshots

Example of being able to change password/email on "non-local" account

@sanderfoobar

sanderfoobar commented Aug 28, 2021

Upon registration of a Gitea account, allowing the end user to change their username and email

Set this to true and it will auto register after redirecting from OIDC provider

[oauth2_client]
ENABLE_AUTO_REGISTRATION = true

Allowing end users to log in locally instead of through the OIDC provider

Set this to false if you only want to allow users from the OIDC provider

[service]
DISABLE_REGISTRATION              = false

Within Account Settings, allowing the user to change their email and password

Yep, this is weird.

Note that there is a login_name column in the Gitea database, user table. This is the sub claim from your OIDC provider, so at least you still have that unique user id that you may use to fix any email synchronization issues manually if need be.
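A small audit script, added here as an example (it is not from this issue or from the Gitea project), that reads a constructed app.ini fragment and reports which of the settings discussed above still leave local registration or password login open. ENABLE_AUTO_REGISTRATION and DISABLE_REGISTRATION come from the comments above; ALLOW_ONLY_EXTERNAL_REGISTRATION and ENABLE_PASSWORD_SIGNIN_FORM are assumed to exist in the reader's Gitea version.

```python
import configparser
from io import StringIO

# Constructed sample app.ini fragment (not taken from the issue).
SAMPLE_APP_INI = """
[service]
DISABLE_REGISTRATION = false
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_PASSWORD_SIGNIN_FORM = true

[oauth2_client]
ENABLE_AUTO_REGISTRATION = false
"""

# Values expected when the OIDC provider is the single identity source.
# Keys other than the two from the thread are assumed to exist in the
# reader's Gitea version: (section, key, expected value, reason).
SSO_CHECKS = [
    ("oauth2_client", "ENABLE_AUTO_REGISTRATION", True,
     "provision users from OIDC claims instead of a local sign-up form"),
    ("service", "ALLOW_ONLY_EXTERNAL_REGISTRATION", True,
     "block creation of purely local accounts"),
    ("service", "ENABLE_PASSWORD_SIGNIN_FORM", False,
     "hide the local password form so users go through the provider"),
]


def _as_bool(raw):
    """Interpret the truthy spellings Gitea's ini loader accepts."""
    return raw.strip().lower() in ("true", "1", "yes", "on")


def audit_sso_settings(ini_text):
    """Return (section, key, found, expected, reason) for every mismatch.

    A missing section or key is reported with found=None, since Gitea
    then falls back to its default rather than the SSO-only value.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_file(StringIO(ini_text))
    findings = []
    for section, key, expected, reason in SSO_CHECKS:
        raw = cfg.get(section, key, fallback=None)
        found = _as_bool(raw) if raw is not None else None
        if found != expected:
            findings.append((section, key, found, expected, reason))
    return findings


if __name__ == "__main__":
    for section, key, found, expected, reason in audit_sso_settings(SAMPLE_APP_INI):
        print(f"[{section}] {key}: found={found} expected={expected} ({reason})")
```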

@zeripath
Contributor

Disabling the changing of username has another issue request.

@Reinitialized
Author

Set this to true and it will auto register after redirecting from OIDC provider

Don't know how I missed this, but it solves one of the problems. Thanks!

Disabling the changing of username has another issue request.

Looking into account settings, I don't see an option to change username, and with the above change usernames are no longer an issue it seems. Email and passwords are still a problem, however. I know for LDAP passwords cannot be changed, but emails still can.

@fuomag9

fuomag9 commented Mar 3, 2023

Set this to true and it will auto register after redirecting from OIDC provider

Don't know how I missed this, but it solves one of the problems. Thanks!

Disabling the changing of username has another issue request.

Looking into account settings, I don't see an option to change username, and with the above change usernames are no longer an issue it seems. Email and passwords are still a problem, however. I know for LDAP passwords cannot be changed, but emails still can.

The ENABLE_AUTO_REGISTRATION variable was missing from the default config as of today! I'd not have found it if it weren't for this issue.

@lunny
Member

lunny commented Mar 3, 2023

It's in the documentation and the example ini file. The default config is a minimum configuration file.

@kdumontnu
Contributor

I believe these issues are now all closed with #31535 and also superseded by this tracking issue #23794

OIDC was not necessarily implemented incorrectly, but it was configured as an "external auth provider" (e.g. an alternative login) instead of Single Sign-On (SSO) / Single Identity Provider. These options should now be supported in config settings.

@Reinitialized
Author

Sweet! Love seeing how far Gitea has come since I've opened the few issues I have. Thanks for everything you guys do!

@go-gitea go-gitea locked as resolved and limited conversation to collaborators Oct 7, 2024