gitea should fail gracefully when OIDC IDP has problems #8930
Comments
lunny
added
the
type/proposal
|
Maybe an option on Auth Source. |
|
This is an ongoing issue and surfaces in more than just certificate issues. I have a self-hosted instance of an OIDC provider (Keycloak) that occasionally fails for completely random reasons. Since it's behind a proxy, when it fails the proxy will return a plaintext "502 Bad Gateway" response, which Gitea happily tries to parse and brings itself down when it doesn't work. |
|
Yep, my personal keycloak failed and I have no time to fix it. So now I'm unable to use my gitea... |
|
I worked it around by creating a new instance of keycloak on the same URL and deleting it from the settings page. |
Instead of causing a log.Fatal, we should handle broken OAuth2 providers by disabling them. Fix go-gitea#8930 Signed-off-by: Andrew Thornton <art27@cantab.net>
Instead of causing a log.Fatal, we should handle broken OAuth2 providers by disabling them. Fix #8930 Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Backport go-gitea#14802 Instead of causing a log.Fatal, we should handle broken OAuth2 providers by disabling them. Fix go-gitea#8930 Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
|
I understand that this is a solution for some, but I can no longer re-enable keycloak. So in my case the cure is worse than the problem. Rebooting gitea in order to see if the connection does not help. |
|
@netcicd I don't understand. Why can't you re-enable keycloak? |
|
@zeripath thx for your rapid response. My monitor made the check-box invisible :) Can re-enable indeed this way (but this is hardly usable) |
First, thank you very much for developing gitea!
[x]):2019/11/12 07:36:17 ...uth/oauth2/oauth2.go:173:createProvider() [W] Failed to create OpenID Connect Provider with name '<...>' with url 'https://keycloak-management-infra.router.default.svc.cluster.local/auth/realms/<...>/.well-known/openid-configuration': Get https://keycloak-management-infra.router.default.svc.cluster.local/auth/realms/<...>/.well-known/openid-configuration: x509: certificate signed by unknown authority
2019/11/12 07:36:17 routers/init.go:92:GlobalInit() [F] Failed to initialize OAuth2 support: Get https://keycloak-management-infra.router.default.svc.cluster.local/auth/realms/<...>/.well-known/openid-configuration: x509: certificate signed by unknown authority
Description
When gitea has been configured against an OIDC IDP and when between restarts the IDP's endpoint stops being served with "proper/correct" certificates, gitea fails to start, running in a restart loop with a container built from the upstream Dockerfile.
Instead, I would like gitea to fail gracefully, disabling the IDP in question and allowing to login with other authentication sources (local admin comes to mind) to fix the problem "in app". I stumbled upon the issue when trying to "migrate" an instance over differently built experimental OpenShift clusters via the persistent volume. I "solved" the issue by deleting the corresponding row in "login_source" on the database.
The issue is minor, stems from operator weirdness in my case and is fixable. Abstracting from my specifics, however, I can imagine cases where a certificates' best-before-date may have been reached. I agree for various reasons that one should not trust such a certificate any more, especially for an IDP.
However, it would be nice to be able to fix such issues without reverting to fiddling with the database.
Thank you very much for your consideration! Cheers!
Screenshots
The text was updated successfully, but these errors were encountered: