Comments (6)
but case 1 and case 2 use the same provider="github"
case 1 can pass oauth
case 2 cannot
See my comment above: And oauth2-proxy has different behaviors when there is a prefix
(I don't know why)
from gitea.
Could you provide the detailed steps to reproduce? eg: docker compose files, config files, and operation steps.
from gitea.
Attached file is my env (excludes gitea). my_host_ip: 10.168.104.100, change to your env in oauth2-base.cfg, oauth2-prefix.cfg.
- setup gitea, create user & oauth app for client_id, client_secret
  app Redirect URIs:
  https://10.168.104.100:3333/oauth2base/callback
  https://10.168.104.100:3333/oauth2prefix/callback
- docker-compose up -d
  visit: https://10.168.104.100:3334/ to setup gitea
  case 1: ROOT_URL: https://10.168.104.100:3334/
  case 2: ROOT_URL: https://10.168.104.100:3333/gitea/
- update oauth2-base.cfg, oauth2-prefix.cfg, client_id, client_secret
- launch up
  docker-compose down; docker-compose up -d
  case 1: visit https://10.168.104.100:3333/base/
  case 2: visit https://10.168.104.100:3333/prefix/
- docker logs demo-gitea-1
  can get the success and fail logs
from gitea.
Thank you for the details. I think I could reproduce it now. And I guess the problem is that Gitea isn't GitHub (in the oauth2 config: provider="github"). And oauth2-proxy has different behaviors when there is a prefix; it sends more requests, as below. If we could mock the responses on the nginx side, then there won't be a 500 error (but 403 no permission, because oauth2-proxy couldn't collect enough information in this case).
(Gitea doesn't support these GitHub APIs)
location /gitea/api/v1/user/emails/user/orgs {
    return 200 '[]';
}
location /gitea/api/v1/user/emails/user/teams {
    return 200 '[]';
}
location /gitea/api/v1/user/emails/user/emails {
    return 200 '[]';
}
location /gitea/api/v1/user/emails/user {
    return 200 '{}';
}
Screenshot of the new 403:
from gitea.
but case 1 and case 2 use the same provider="github"
case 1 can pass oauth
case 2 cannot
the difference is:
case 1: location on /
case 2: location on /gitea/
if gitea lost user info, both case 1 and case 2 could not pass
now I switch the provider to oidc
add config to nginx.conf:
proxy_buffers 4 64k;
proxy_buffer_size 32k;
proxy_busy_buffers_size 128k;
case 1: provider config
provider="oidc"
provider_display_name="gitea oidc oauth"
oidc_issuer_url="https://10.168.104.100:3334/"
pass oauth to web
2024/04/25 07:33:03 ...s/graceful/server.go:70:NewServer() [I] Starting new Web server: tcp:0.0.0.0:3000 on PID: 15
2024/04/25 07:33:03 ...eb/routing/logger.go:102:func1() [I] router: completed GET /.well-known/openid-configuration for 10.17.93.1:0, 200 OK in 9.3ms @ auth/oauth.go:580(auth.OIDCWellKnown)
2024/04/25 07:33:03 ...eb/routing/logger.go:102:func1() [I] router: completed GET /.well-known/openid-configuration for 10.17.93.1:0, 200 OK in 0.4ms @ auth/oauth.go:580(auth.OIDCWellKnown)
2024/04/25 07:33:04 ...eb/routing/logger.go:102:func1() [I] router: completed GET /.well-known/openid-configuration for 10.17.93.1:0, 200 OK in 0.4ms @ auth/oauth.go:580(auth.OIDCWellKnown)
2024/04/25 07:33:05 ...eb/routing/logger.go:102:func1() [I] router: completed GET /.well-known/openid-configuration for 10.17.93.1:0, 200 OK in 0.4ms @ auth/oauth.go:580(auth.OIDCWellKnown)
2024/04/25 07:33:07 ...eb/routing/logger.go:102:func1() [I] router: completed GET /.well-known/openid-configuration for 10.17.93.1:0, 200 OK in 0.3ms @ auth/oauth.go:580(auth.OIDCWellKnown)
2024/04/25 07:33:11 ...eb/routing/logger.go:102:func1() [I] router: completed GET /.well-known/openid-configuration for 10.17.93.1:0, 200 OK in 0.5ms @ auth/oauth.go:580(auth.OIDCWellKnown)
2024/04/25 07:33:18 ...eb/routing/logger.go:102:func1() [I] router: completed GET /.well-known/openid-configuration for 10.17.93.1:0, 200 OK in 0.5ms @ auth/oauth.go:580(auth.OIDCWellKnown)
2024/04/25 07:33:21 ...eb/routing/logger.go:102:func1() [I] router: completed GET /login/oauth/authorize?approval_prompt=force&client_id=5d596f44-e6c8-42b6-9909-acb799f3455a&code_challenge=uW6OcF-KQLguwZZJAuX1BFC_emdCYZAyDfCuC3gGiwE&code_challenge_method=S256&redirect_uri=https%3A%2F%2F10.168.104.100%3A3333%2Foauth2base%2Fcallback&response_type=code&scope=openid+email+profile+groups&state=MvsH5bi-mcLLzW3wYm1BBnQIjKF0b9G-zEIEejvdpxE%3A%2Fbase%2F for 192.168.188.23:0, 303 See Other in 0.3ms @ web/web.go:139(web.registerRoutes.verifyAuthWithOptions)
2024/04/25 07:33:21 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/login for 192.168.188.23:0, 200 OK in 12.0ms @ auth/auth.go:146(auth.SignIn)
2024/04/25 07:33:25 ...eb/routing/logger.go:102:func1() [I] router: completed POST /user/login for 192.168.188.23:0, 303 See Other in 117.4ms @ auth/auth.go:179(auth.SignInPost)
2024/04/25 07:33:25 ...eb/routing/logger.go:102:func1() [I] router: completed GET /login/oauth/authorize?approval_prompt=force&client_id=5d596f44-e6c8-42b6-9909-acb799f3455a&code_challenge=uW6OcF-KQLguwZZJAuX1BFC_emdCYZAyDfCuC3gGiwE&code_challenge_method=S256&redirect_uri=https%3A%2F%2F10.168.104.100%3A3333%2Foauth2base%2Fcallback&response_type=code&scope=openid+email+profile+groups&state=MvsH5bi-mcLLzW3wYm1BBnQIjKF0b9G-zEIEejvdpxE%3A%2Fbase%2F for 192.168.188.23:0, 303 See Other in 4.4ms @ auth/oauth.go:362(auth.AuthorizeOAuth)
2024/04/25 07:33:25 ...eb/routing/logger.go:102:func1() [I] router: completed POST /login/oauth/access_token for 10.17.93.1:0, 200 OK in 155.9ms @ auth/oauth.go:618(auth.AccessTokenOAuth)
2024/04/25 07:33:25 ...eb/routing/logger.go:102:func1() [I] router: completed GET /login/oauth/keys for 10.17.93.1:0, 200 OK in 0.3ms @ auth/oauth.go:594(auth.OIDCKeys)
2024/04/25 07:33:25 ...eb/routing/logger.go:102:func1() [I] router: completed GET /login/oauth/userinfo for 10.17.93.1:0, 200 OK in 4.2ms @ auth/oauth.go:279(auth.InfoOAuth)
2024/04/25 07:33:31 ...eb/routing/logger.go:102:func1() [I] router: completed GET /.well-known/openid-configuration for 10.17.93.1:0, 200 OK in 0.8ms @ auth/oauth.go:580(auth.OIDCWellKnown)
from gitea.
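The case 1 logs above show oauth2-proxy fetching /.well-known/openid-configuration before it ever redirects the browser, and case 2 moves the issuer under a /gitea/ prefix. The script below is an added example, not code from the thread or from Gitea or oauth2-proxy: it builds the discovery URL the way OpenID Connect Discovery 1.0 section 4.1 prescribes (append /.well-known/openid-configuration to the issuer, keeping any path component and dropping a terminating slash) and checks a discovery document the way a relying party does before trusting it, including the byte-for-byte issuer comparison that a missing or extra trailing slash breaks. The two discovery documents are constructed for this script; the endpoint paths follow the handlers Gitea logs above, but everything else in them is an assumption.

```python
"""Check an OIDC issuer that is served under a reverse-proxy prefix.

Added example, not part of the issue thread. Both discovery documents below
are constructed for this script; only the endpoint paths follow the Gitea
log lines in the thread.
"""
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Configured issuer for the prefixed deployment (case 2 in the thread).
ISSUER_PREFIX = "https://10.168.104.100:3333/gitea/"
# Un-prefixed issuer (case 1 in the thread).
ISSUER_BASE = "https://10.168.104.100:3334/"


def discovery_url(issuer: str) -> str:
    """OIDC Discovery 4.1: strip a terminating slash, then append the well-known path."""
    return issuer.rstrip("/") + WELL_KNOWN


def check_discovery(configured_issuer: str, doc: dict) -> list:
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    issuer = doc.get("issuer")
    # Relying parties compare the issuer claim exactly with the configured
    # value, so "https://h/gitea" versus "https://h/gitea/" is a mismatch.
    if issuer != configured_issuer:
        problems.append(
            f"issuer mismatch: configured {configured_issuer!r}, document says {issuer!r}"
        )
    base = urlsplit(configured_issuer)
    base_path = base.path.rstrip("/") + "/"
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint"):
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
            continue
        parts = urlsplit(value)
        if parts.scheme != "https":
            problems.append(f"{key} is not https: {value}")
        # Behind a prefix the endpoints must be advertised with the public
        # host and prefix, otherwise the proxy contacts the wrong address.
        if parts.netloc != base.netloc or not parts.path.startswith(base_path):
            problems.append(f"{key} is outside the issuer {configured_issuer}: {value}")
    return problems


# Constructed: what Gitea would advertise once ROOT_URL carries the prefix.
GOOD_DOC = {
    "issuer": ISSUER_PREFIX,
    "authorization_endpoint": ISSUER_PREFIX + "login/oauth/authorize",
    "token_endpoint": ISSUER_PREFIX + "login/oauth/access_token",
    "jwks_uri": ISSUER_PREFIX + "login/oauth/keys",
    "userinfo_endpoint": ISSUER_PREFIX + "login/oauth/userinfo",
}

# Constructed: the same server reached through the prefix while ROOT_URL still
# points at the old address, so the document advertises the old issuer.
BAD_DOC = {
    "issuer": ISSUER_BASE,
    "authorization_endpoint": ISSUER_BASE + "login/oauth/authorize",
    "token_endpoint": ISSUER_BASE + "login/oauth/access_token",
    "jwks_uri": ISSUER_BASE + "login/oauth/keys",
    "userinfo_endpoint": ISSUER_BASE + "login/oauth/userinfo",
}

if __name__ == "__main__":
    for label, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(f"{label}: fetch {discovery_url(ISSUER_PREFIX)}")
        for problem in check_discovery(ISSUER_PREFIX, doc) or ["ok"]:
            print("  ", problem)
```

Run it against a real deployment by fetching discovery_url(issuer) with the same client configuration the proxy uses and passing the parsed JSON to check_discovery; every reported problem is something the relying party will also reject, which narrows a prefix-only failure to the issuer or ROOT_URL setting before touching the nginx side.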
case 2: location /gitea/
- update oauth2-proxy config
provider="oidc"
provider_display_name="gitea oidc prefix oauth"
oidc_issuer_url="https://10.168.104.100:3333/gitea/"
whitelist_domains=["10.168.104.100:3333"]
skip_auth_strip_headers="false"
- update nginx.conf
proxy_buffers 4 64k;
proxy_buffer_size 32k;
proxy_busy_buffers_size 128k;
oauth oidc provider worked
but even if I use this config and change to provider="github",
it cannot pass; maybe the Authorization header disappears somewhere
2024/04/25 09:02:22 ...eb/routing/logger.go:102:func1() [I] router: completed GET /api/v1/user/emails/user/orgs?page=1&per_page=100 for 10.17.119.1:0, 404 Not Found in 4.2ms @ v1/api.go:732(v1.Routes.verifyAuthWithOptions)
from gitea.
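The two log excerpts in this thread carry the whole diagnosis: the OIDC run hits discovery, authorize, access_token, keys and userinfo with 2xx/3xx, while the github-provider run ends on a 404 for an /api/v1/ path Gitea does not serve. The script below is an added example, not code from the thread or from Gitea: it parses the "router: completed" lines Gitea writes, lists the requests that failed, and reports which steps of the OIDC flow were reached. The sample lines are constructed from the thread's logs and shortened (the client_id is replaced by EXAMPLE); timestamps and addresses are illustrative.

```python
"""Triage Gitea router log lines captured during an oauth2-proxy login.

Added example, not part of the issue thread. SAMPLE_LOG is constructed from
the thread's log lines and shortened.
"""
import re
from urllib.parse import urlsplit

# Gitea's router log: "router: completed <METHOD> <target> for <client>, <status> <reason> in <ms>ms @ <handler>"
LINE_RE = re.compile(
    r"router: completed (?P<method>[A-Z]+) (?P<target>\S+) for (?P<client>\S+), "
    r"(?P<status>\d{3}) (?P<reason>.*?) in (?P<ms>[\d.]+)ms @ (?P<handler>\S+)"
)

# Endpoints a relying party touches during an OIDC login, as seen in the thread.
OIDC_STEPS = {
    "/.well-known/openid-configuration": "discovery",
    "/login/oauth/authorize": "authorize (browser)",
    "/login/oauth/access_token": "token exchange",
    "/login/oauth/keys": "JWKS fetch",
    "/login/oauth/userinfo": "userinfo",
}

# Constructed sample: five lines from the working OIDC run, the failing
# github-provider request, and one unrelated line that must be ignored.
SAMPLE_LOG = """\
2024/04/25 07:33:03 ...eb/routing/logger.go:102:func1() [I] router: completed GET /.well-known/openid-configuration for 10.17.93.1:0, 200 OK in 9.3ms @ auth/oauth.go:580(auth.OIDCWellKnown)
2024/04/25 07:33:21 ...eb/routing/logger.go:102:func1() [I] router: completed GET /login/oauth/authorize?client_id=EXAMPLE&response_type=code for 192.168.188.23:0, 303 See Other in 0.3ms @ web/web.go:139(web.registerRoutes.verifyAuthWithOptions)
2024/04/25 07:33:25 ...eb/routing/logger.go:102:func1() [I] router: completed POST /login/oauth/access_token for 10.17.93.1:0, 200 OK in 155.9ms @ auth/oauth.go:618(auth.AccessTokenOAuth)
2024/04/25 07:33:25 ...eb/routing/logger.go:102:func1() [I] router: completed GET /login/oauth/keys for 10.17.93.1:0, 200 OK in 0.3ms @ auth/oauth.go:594(auth.OIDCKeys)
2024/04/25 07:33:25 ...eb/routing/logger.go:102:func1() [I] router: completed GET /login/oauth/userinfo for 10.17.93.1:0, 200 OK in 4.2ms @ auth/oauth.go:279(auth.InfoOAuth)
2024/04/25 09:02:22 ...eb/routing/logger.go:102:func1() [I] router: completed GET /api/v1/user/emails/user/orgs?page=1&per_page=100 for 10.17.119.1:0, 404 Not Found in 4.2ms @ v1/api.go:732(v1.Routes.verifyAuthWithOptions)
2024/04/25 09:02:22 ...s/graceful/server.go:70:NewServer() [I] Starting new Web server: tcp:0.0.0.0:3000 on PID: 15
"""


def parse_line(line: str):
    """Return a dict for a router line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path  # drop the query string
    rec["status"] = int(rec["status"])
    rec["ms"] = float(rec["ms"])
    return rec


def parse_log(text: str) -> list:
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def failed_calls(records: list) -> list:
    """(client, method, path, status) for every request Gitea answered with 4xx/5xx."""
    return [(r["client"], r["method"], r["path"], r["status"])
            for r in records if r["status"] >= 400]


def oidc_progress(records: list) -> dict:
    """Step name -> status for each OIDC step that completed with 2xx/3xx."""
    reached = {}
    for r in records:
        name = OIDC_STEPS.get(r["path"])
        if name and 200 <= r["status"] < 400:
            reached[name] = r["status"]
    return reached


def missing_steps(records: list) -> list:
    reached = oidc_progress(records)
    return [name for name in OIDC_STEPS.values() if name not in reached]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} router lines parsed")
    for step, status in oidc_progress(recs).items():
        print(f"  reached {step}: {status}")
    for client, method, path, status in failed_calls(recs):
        hint = " (no such Gitea API route)" if status == 404 and path.startswith("/api/v1/") else ""
        print(f"  FAILED {method} {path} from {client}: {status}{hint}")
```

Feed it `docker logs demo-gitea-1` output instead of SAMPLE_LOG: an empty missing_steps() result with a 404 under /api/v1/ points at the provider type rather than at nginx, while a missing "discovery" step points at the issuer URL or buffering in front of Gitea.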