-
-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OAuth2 - Additional Scopes Not Recognized For Required Claim Name/Value #31612
Comments
After testing further, I have determined that setting the required claim name to |
I did some further testing. By default, Gitea will request the identify and email scopes. Setting Required Claim Name to any claim name expected within these scopes will work without issue. Going further and adding a Required Claim Value will again work as expected, limiting login to those with matching claims. It's clear that adding guilds to the Additional Scopes (shown in original post) works because the Discord access request page will show that the application is requesting to see what servers the user is in, and removing guilds from Additional Scopes will make this disappear. We can reliably test whether the guilds scope is working so long as we only use the identify, email, and guilds scopes. This is because the guilds scope has a few unique claims, notably |
Related to #32573 |
did you try to set |
i think this is the flow when gitea allows discord's user to login into gitea. and the attempt is to reduce the logins to the users with the membership of specific guild. #32573 is the other way around when third party relies on gitea for the check if user could login or not. it's very confusing because the vocabulary is the same. i'm very interested if i got this wrong and if this is related to #32573 so i have to change something there ;) |
Description
Configuring the Discord OAuth2 authentication provider works without issues until you try to restrict login with additional scopes.
Here is a basic configuration of the Discord provider:
Client ID:
<your app id>
Client Secret:
<your app secret>
Additional Scopes:
guilds
Using this configuration, users are able to login/register via Discord without issues. Now lets try to restrict login to server membership. Looking at the Discord API docs, we see that the guilds scope will provide an id claim with the value being the server's ID. With this, we should be able to specify the necessary values.
Client ID:
<your app id>
Client Secret:
<your app secret>
Additional Scopes:
guilds
Required Claim Name:
id
Required Claim Value:
<server id>
This will fail, resulting in the "Sign In Prohibited - Your account is prohibited from signing in, please contact your site administrator." Various alternate configurations of these values have been tried and none of them work. Because these values nor the countless I've tried have worked, I am opening this issue because either I am incorrectly configuring these settings or Gitea is not parsing the API response properly.
One thing of note is that the description for the Required Claim Value reads, "Set this value to restrict login from this source to users with a claim with this name and value." I cannot tell whether this description is purposefully worded this way, as I would assume this doesn't make sense when I can specify a required claim name separately. Regardless, trying to enter the entire claim or just the value here does not work either.
Quick Note on Logs
Logs were copied after a fresh start of the docker container and then attempting to sign in with Discord with the required claim fields filled out. Since users are able to sign in when these fields are empty, I assume those logs are irrelevant.
Gitea Version
1.22.1
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
https://gist.github.com/MAXimized490/c61f693111bc764389ca449cf3c5c6fb
Screenshots
Again, just a reminder that registration/login will work when the required claim fields are left blank.
Git Version
2.45.2
Operating System
Docker on Ubuntu Server 22.04
How are you running Gitea?
Using the official docker image via docker-compose on Portainer. Below is my compose file.
Database
MySQL/MariaDB
The text was updated successfully, but these errors were encountered: