Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add custom OAuth option #16555

Closed
MomentQYC opened this issue Jul 27, 2021 · 3 comments
Closed

Add custom OAuth option #16555

MomentQYC opened this issue Jul 27, 2021 · 3 comments

Comments

@MomentQYC
Copy link
Contributor

Add custom OAuth option.

@zeripath
Copy link
Contributor

You're going to have to explain this a bit more clearly.

@MomentQYC
Copy link
Contributor Author

At present, the third-party OAuth options of Gitea are very limited. It is recommended to add a custom OAuth configuration to theoretically enable any OAuth server to access Gitea, so as to increase Gitea selectivity.

@zeripath
Copy link
Contributor

We have the OpenIDConnect provider which can be used if the provider obeys the spec expected by that provider. However, for example, Azure AD doesn't appear to work correctly for that. It may be possible to improve/change the OpenIDConnect implementation to fix some of the issues but one of the following things would have to happen:

  • The administrator/user having the issue would have to work it out themselves through working out where to add all the necessary debug logging and tracing the replies from the OpenIDConnect server in question.
  • The administrator/user having the issue would have to provide one of the Gitea developers with all the information necessary to figure out what the issue is. This case would likely require issue reporters to directly contact one of the maintainers on discord regarding the issue, give them the openidconnect information to allow them to reproduce the issue for the maintainer to debug it directly themselves - and likely for the reporter to pay said developer some money for spending their time doing so.

With all that being said I am still concerned that going a purely generic OpenIDConnect route may not be possible, the underlying library we use:

https://github.com/markbates/goth/tree/master/providers

has specific provider implementations for individual providers - implying that there are sufficient differences and behavioural changes that simply providing a Generic provider is not going to work well in all cases. This means that we need to integrate each of the providers above individually - however, this library does not provide a common interface or control mechanism for adding these meaning each provider needs to be added specifically.

Further the current methods in Gitea for adding these are not great.

My latest PR #16544 changes the way in which we add providers to Gitea to make integrating others from the above library a bit easier - (the mechanism in #16544 is still not quite right and further improvements are required). However adding providers will still require code changes due to the underlying heterogeneity in the library.


So in summary:

  • There is a generic OpenIDConnect provider already.
  • When it doesn't work users aren't giving us the necessary information to help debug things - that's probably because our implementation doesn't give users enough information but to improve that situation someone is going to have debug it themselves or give us specific access to a not working OpenIDConnect.
  • I suspect that OpenIDConnect isn't ever going to work for most providers because despite there being a standard it appears that there is too much heterogeneity.
  • This underlying heterogeneity is also expressed even at the library level meaning adding new providers is actually more involved than just "configuration".

@go-gitea go-gitea locked and limited conversation to collaborators Oct 19, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants