From 15eb70012bac6fb38a68ce217674e45ed7ec5e65 Mon Sep 17 00:00:00 2001 From: Johnny Oskarsson Date: Fri, 1 Jan 2021 17:33:27 +0100 Subject: [PATCH] Minimal OpenID Connect implementation (#14139) This is "minimal" in the sense that only the Authorization Code Flow from OpenID Connect Core is implemented. No discovery, no configuration endpoint, and no user scope management. OpenID Connect is an extension to the (already implemented) OAuth 2.0 protocol, and essentially an `id_token` JWT is added to the access token endpoint response when using the Authorization Code Flow. I also added support for the "nonce" field since it is required to be used in the id_token if the client decides to include it in its initial request. In order to enable this extension an OAuth 2.0 scope containing "openid" is needed. Other OAuth 2.0 requests should not be impacted by this change. This minimal implementation is enough to enable single sign-on (SSO) for other sites, e.g. by using something like `mod_auth_openidc` to only allow access to a CI server if a user has logged into Gitea. Fixes: #1310 Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Lunny Xiao Co-authored-by: zeripath --- doc/developers/oauth2-provider.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/doc/developers/oauth2-provider.md b/doc/developers/oauth2-provider.md index ad2ff78e..29305a24 100644 --- a/doc/developers/oauth2-provider.md +++ b/doc/developers/oauth2-provider.md @@ -30,7 +30,9 @@ Gitea supports acting as an OAuth2 provider to allow third party applications to ## Supported OAuth2 Grants -At the moment Gitea only supports the [**Authorization Code Grant**](https://tools.ietf.org/html/rfc6749#section-1.3.1) standard with additional support of the [Proof Key for Code Exchange (PKCE)](https://tools.ietf.org/html/rfc7636) extension. +At the moment Gitea only supports the [**Authorization Code Grant**](https://tools.ietf.org/html/rfc6749#section-1.3.1) standard with additional support of the following extensions: +- [Proof Key for Code Exchange (PKCE)](https://tools.ietf.org/html/rfc7636) +- [OpenID Connect (OIDC)](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) To use the Authorization Code Grant as a third party application it is required to register a new application via the "Settings" (`/user/settings/applications`) section of the settings.