Account linking after adding OpenID Connect does not work #33328

Closed
ln-12 opened this issue Jan 19, 2025 · 6 comments
Labels
issue/needs-feedback For bugs, we need more details. For features, the feature must be described in more detail type/bug


ln-12 commented Jan 19, 2025

Description

I am trying to add authelia as an OpenID provider by following the instructions here. It seems like everything is working fine except the account linking part. I already have an administrator account set up locally and want to access the same account via authelia. The name and email are identical in Gitea and authelia.

On the login page, I click on "Sign in with authelia":


I am then redirected to my authelia instance where I can log into my account. After granting access, I am redirected to Gitea where I am greeted with the following screen (I cannot use the option "Register New Account" as I already have an account set up with the same name and email):


I would expect a login form to show here instead of the blank area under the heading. Using the passkey option, I can log in but it seems like the account is still not connected. When logging out and in again (with authelia) I am again redirected to this linking screen although I would expect the process to only be needed once.

Here is my config (note that I of course replaced my-domain.com and the client secret with the correct values in my actual config):

app.ini

[openid]
ENABLE_OPENID_SIGNIN = false
ENABLE_OPENID_SIGNUP = true
WHITELISTED_URIS     = auth.my-domain.com

[oauth2_client]
REGISTER_EMAIL_CONFIRM = true
OPENID_CONNECT_SCOPES = openid email profile
USERNAME = email
ACCOUNT_LINKING = auto
ENABLE_AUTO_REGISTRATION = false

From the log, I can see the following related entries:

gitea     | 2025/01/19 16:36:40 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/oauth2/authelia for A.X.Y.Z:0, 307 Temporary Redirect in 5.5ms @ auth/oauth.go:36(auth.SignInOAuth)
gitea     | 2025/01/19 16:36:41 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/oauth2/authelia/callback?code=SOME_CODE&iss=https%3A%2F%2Fauth.my-domain.com&scope=openid+email+profile&state=SOME_STATE for A.X.Y.Z:0, 303 See Other in 362.1ms @ auth/oauth.go:75(auth.SignInOAuthCallback)
gitea     | 2025/01/19 16:36:42 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/link_account for A.X.Y.Z:0, 200 OK in 3.0ms @ auth/linkaccount.go:31(auth.LinkAccount)
gitea     | 2025/01/19 16:45:42 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/link_account for A.X.Y.Z:0, 303 See Other in 3.1ms @ web/web.go:138(web.registerRoutes.verifyAuthWithOptions)
gitea     | 2025/01/19 16:45:42 ...eb/routing/logger.go:102:func1() [I] router: completed GET / for A.X.Y.Z:0, 200 OK in 33.4ms @ web/home.go:32(web.Home)

Gitea Version

1.23.1

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

compose.yml:

services:
  gitea:
    image: docker.io/gitea/gitea:1.23.1
    container_name: gitea
    environment:
      - APP_NAME="Gitea"
      - USER_UID=1000
      - USER_GID=1000
      - USER=git
      - RUN_MODE=prod
      - DOMAIN=gitea.my-domain.com
      - SSH_DOMAIN=gitea.my-domain.com
      - HTTP_PORT=3000
      - ROOT_URL=https://gitea.my-domain.com
      - SSH_PORT=2222
      - SSH_LISTEN_PORT=22
      - DB_TYPE=sqlite3
    restart: unless-stopped
    volumes:
      - ./data:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - 2222:22
    labels:
      - traefik.enable=true
      - traefik.http.routers.gitea.entrypoints=https
      - traefik.http.routers.gitea.rule=Host(`gitea.my-domain.com`)
      - traefik.http.services.gitea.loadbalancer.server.port=3000

  runner:
    image: gitea/act_runner:0.2.11
    restart: unless-stopped
    depends_on:
      - gitea
    volumes:
      - ./data/act_runner:/data
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - GITEA_INSTANCE_URL=https://gitea.my-domain.com
      - GITEA_RUNNER_REGISTRATION_TOKEN=XYZ
      - GITHUB_COM_TOKEN=XYZ

Database

SQLite

@ln-12 ln-12 added the type/bug label Jan 19, 2025
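
Added example (not part of the original issue and not Gitea code): a Python triage script that reads router log lines in the format shown in the report, pairs each OAuth2 callback with the next request from the same client, and lists clients sent to /user/link_account on more than one sign-in, which is the symptom described above. The sample log is constructed, the 192.0.2.10 and 198.51.100.7 addresses are placeholders, and `redact`, `link_prompts` and `not_persisting` are hypothetical helper names.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample in the format of the issue's log; addresses are placeholders.
SAMPLE_LOG = """\
gitea | 2025/01/19 16:36:40 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/oauth2/authelia for 192.0.2.10:0, 307 Temporary Redirect in 5.5ms @ auth/oauth.go:36(auth.SignInOAuth)
gitea | 2025/01/19 16:36:41 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/oauth2/authelia/callback?code=SOME_CODE&iss=https%3A%2F%2Fauth.my-domain.com&scope=openid+email+profile&state=SOME_STATE for 192.0.2.10:0, 303 See Other in 362.1ms @ auth/oauth.go:75(auth.SignInOAuthCallback)
gitea | 2025/01/19 16:36:42 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/link_account for 192.0.2.10:0, 200 OK in 3.0ms @ auth/linkaccount.go:31(auth.LinkAccount)
gitea | 2025/01/19 16:50:10 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/oauth2/authelia/callback?code=OTHER_CODE&state=OTHER_STATE for 192.0.2.10:0, 303 See Other in 301.0ms @ auth/oauth.go:75(auth.SignInOAuthCallback)
gitea | 2025/01/19 16:50:11 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/link_account for 192.0.2.10:0, 200 OK in 2.9ms @ auth/linkaccount.go:31(auth.LinkAccount)
gitea | 2025/01/19 16:52:00 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/oauth2/authelia/callback?code=THIRD_CODE&state=THIRD_STATE for 198.51.100.7:0, 303 See Other in 298.4ms @ auth/oauth.go:75(auth.SignInOAuthCallback)
gitea | 2025/01/19 16:52:01 ...eb/routing/logger.go:102:func1() [I] router: completed GET / for 198.51.100.7:0, 200 OK in 33.4ms @ web/home.go:32(web.Home)
"""

LINE = re.compile(
    r"(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) .*? router: completed \S+ "
    r"(?P<url>\S+) for (?P<client>[^:\s]+):\d+, (?P<status>\d{3}) .*? @ "
    r"\S+\((?P<handler>[\w.]+)\)")

def redact(url):
    """Mask code/state so authorization codes never reach triage output."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k in ("code", "state") else v)
             for k, v in parse_qsl(parts.query)]
    return parts._replace(query=urlencode(query)).geturl()

def link_prompts(log_text, window_s=10):
    """Map client -> callbacks that landed on /user/link_account within window_s."""
    pending, hits = {}, defaultdict(list)
    for m in filter(None, map(LINE.search, log_text.splitlines())):
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        client, handler = m["client"], m["handler"]
        if handler == "auth.SignInOAuthCallback" and m["status"] == "303":
            pending[client] = (ts, redact(m["url"]))
        elif client in pending:
            cb_ts, cb_url = pending.pop(client)   # first request after callback
            if handler == "auth.LinkAccount" and (ts - cb_ts).total_seconds() <= window_s:
                hits[client].append((str(cb_ts), cb_url))
    return dict(hits)

def not_persisting(hits):
    """Clients prompted to link on more than one sign-in: the link did not stick."""
    return sorted(c for c, events in hits.items() if len(events) > 1)

if __name__ == "__main__":
    for client in not_persisting(link_prompts(SAMPLE_LOG)):
        print(client, "was asked to link on repeated sign-ins")
```

Grouping by client address is an approximation: behind a reverse proxy, several users can share one logged address.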
@wxiaoguang
Contributor

It has been fixed in 1.23-nightly (which will be 1.23.2 soon): Fix Account linking page (#33325) #33327

@wxiaoguang wxiaoguang added the issue/needs-feedback For bugs, we need more details. For features, the feature must be described in more detail label Jan 19, 2025
@wxiaoguang
Contributor

Have you tried 1.23-nightly? It is a stable branch and contains many bug fixes.

If it has been fixed, I think this issue could be closed?


ln-12 commented Jan 21, 2025

Sorry, I didn't have the time yet. I'll let you know as soon as possible!

@JimKlapwijk

Hi @wxiaoguang, I ran into the same issue with Authentik, and tried the 1.23-nightly, and it is fixed.

Can you confirm it is correct that it says I need to link my account? Does this happen under an authorized session by ?

@wxiaoguang
Contributor

Can you confirm it is correct that it says I need to link my account? Does this happen under an authorized session by ?

Yes, I think it is right. Actually, it is the correct behavior in 1.22 and older releases; 1.23.0 has a regression where the login form can't display correctly, and it has been fixed in 1.23-nightly (and will be 1.23.2 soon).


ln-12 commented Jan 22, 2025

I can confirm that both the login form and the account linking work fine in version 1.23-nightly. Thank you for the fast help!

@ln-12 ln-12 closed this as completed Jan 22, 2025