OpenID Connect Authentication support#8032
Open
francescocaponio wants to merge 30 commits intogogs:mainfrom
Open
OpenID Connect Authentication support#8032francescocaponio wants to merge 30 commits intogogs:mainfrom
francescocaponio wants to merge 30 commits intogogs:mainfrom
Conversation
Co-authored-by: francescocaponio <[email protected]>
Co-authored-by: francescocaponio <[email protected]>
Co-authored-by: francescocaponio <[email protected]>
…alidation Co-authored-by: francescocaponio <[email protected]>
Co-authored-by: francescocaponio <[email protected]>
Co-authored-by: francescocaponio <[email protected]>
Co-authored-by: francescocaponio <[email protected]>
Co-authored-by: francescocaponio <[email protected]>
Co-authored-by: francescocaponio <[email protected]>
…-4c65-b083-8b2862842437 Implement OIDC (OpenID Connect) authentication support with OIDC-only login mode, group-based admin assignment, and customizable button styling
- Added DISABLE_WIKI and DISABLE_ISSUES configuration options in [repository] section - Updated RepositoryOpts struct in conf/static.go to include DisableWiki and DisableIssues fields - Modified CreateRepository to respect global settings when creating new repositories - Modified ForkRepository to respect global settings when forking repositories - Updated admin config template to display new settings - Added English locale strings for the new settings - Updated golden test to include new configuration options Co-authored-by: nuclearinstruments-devops <[email protected]>
- Updated repository settings route to prevent enabling wiki/issues when globally disabled - Modified settings template to disable checkboxes and show message when features are globally disabled - Added locale string for "disabled globally" message - Passed global configuration to template for UI display Co-authored-by: nuclearinstruments-devops <[email protected]>
…isabled - Modified ForkRepository to use baseRepo.EnableWiki && !conf.Repository.DisableWiki - Modified ForkRepository to use baseRepo.EnableIssues && !conf.Repository.DisableIssues - This preserves the base repository's settings when global disabling is not in effect Co-authored-by: nuclearinstruments-devops <[email protected]>
- Added DISABLE_REPO_CREATION configuration option to prevent repository creation - Added DISABLE_MIGRATION configuration option to prevent repository migration - Modified Create/CreatePost to check DISABLE_REPO_CREATION and return 404 if disabled - Modified Migrate/MigratePost to check DISABLE_MIGRATION and return 404 if disabled - Changed mirror checkbox default to checked in migration form - Removed private and unlisted visibility options from migration template - Updated admin config template to display new settings - Added English locale strings for new settings Co-authored-by: nuclearinstruments-devops <[email protected]>
- Modified Create API endpoint to check DISABLE_REPO_CREATION - Modified CreateOrgRepo API endpoint to check DISABLE_REPO_CREATION - Modified Migrate API endpoint to check DISABLE_MIGRATION - All endpoints return 403 Forbidden when features are globally disabled - Ensures consistency between web UI and API endpoints Co-authored-by: nuclearinstruments-devops <[email protected]>
- Added DisableRepoCreation, DisableMigration, and DisableIssuesGlobally to context data - Hide "Create Repository" menu item when DISABLE_REPO_CREATION is true - Hide "Migrate Repository" menu item when DISABLE_MIGRATION is true - Hide "Issues" link in repository navbar when DISABLE_ISSUES is globally true - Hide create repository button in user dashboard when globally disabled - All changes apply to both main navbar dropdown and dashboard Co-authored-by: nuclearinstruments-devops <[email protected]>
…al-setting-to-disable-wiki-issues Add global configuration to disable wiki, issues, repository creation, and migration
Co-authored-by: nuclearinstruments-devops <[email protected]>
… and size limit validation Co-authored-by: nuclearinstruments-devops <[email protected]>
…eader Co-authored-by: nuclearinstruments-devops <[email protected]>
…l-profile-image-import Add OIDC profile picture import as custom user avatar
|
@unknwon would you review this? OIDC based auth working correctly will allow me to get this deployed in my org. |
|
@francescocaponio Request you to do a rebase on the HEAD |
Member
|
@samveen - I do like OIDC, and have been working with it at my work for some years now. However, sending PRs for features like this, according to the contributing guide that has checked off, requires upfront technical design discussion before first line of code. I may or may not work based off this PR when I have bandwidth to revamp the overall underlying code infra for auth providers. If you org requires OIDC, Gogs supports HTTP auth which you could put "OIDC shim" in front of it, e.g., Caddy server with https://github.com/greenpau/caddy-security, they should in theory, work together. |
Contributor
|
@francescocaponio: Thank you for your work. I have applied the diffs to the latest stable version v0.14.1 on my fork at https://github.com/stroucki/gogs/tree/stroucki-oidc. In addition to your work I applied the changes DeepSource above was suggesting, and also added a RedirectURL field which was necessary. I am able to authenticate to M$ Entra (using adaptations to deal with M$ ignoring the standard and causing go-oidc to choke). |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
About this PR
Tries to implement the request in #4602 and #7437
With the help of Copilot, we added the support for OIDC authentication.
The OIDC parameters are edited in the admin section, stored in the DB. It is possible to select if the OIDC authentication method is the only available or coexists with other authentication methods in the login form.
The oidc authentication backend is based on the go-oidc module.
It supports auto-discovery of the auth endpoints via the
.well-knownmechanism.The login button can be customized with a custom icon (loaded from a user specified url), background color and text color.
It supports the oidc groups claim and the user can specify the name of a group where users who belongs to this group are automatically elevated to admin roles in gogs.
Checklist
Test plan
I'm attaching some screenshots of the configuration and login forms:
Authentication sources list:
New/edit auth source form:
Login form (OIDC as default login source):
Login form (OIDC not as default login source):