
Gitea prepends requested openid scope with + after updating authentication source #18972

Closed
ftsell opened this issue Mar 2, 2022 · 1 comment · Fixed by #19029

ftsell commented Mar 2, 2022

Gitea Version

1.16.2

Git Version

2.30.2

Operating System

Linux

How are you running Gitea?

I'm running the official docker image docker.io/gitea/gitea:1.16.2 on a Kubernetes cluster. I currently use my own manifests and not the one provided by helm.

Database

PostgreSQL

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

https://gist.github.com/ftsell/831eadfeefa162eb1707152fda870a47

Description

I have recently changed the Icon URL of my Oauth2 -> OpenID Connect Authentication Source in Gitea. Immediately afterwards, while validating that the icon works, I noticed that the authentication no longer functions correctly.

After debugging the problem I found that gitea redirects my user agent to a URL in the pattern https://keycloak.…/openid-connect?client_id=gitea&redirect_uri=…&response_type=code&scope=+openid&state=…. If you look closely, you can see an additional (encoded) + character before the requested scope.
My OpenID Connect server does not accept this and redirects back to https://git.…/user/oauth2/Keycloak/callback?error=invalid_scope&error_description=Invalid+scopes%3A++openid&state=….

I also tried to create a new separate authentication source but that one suffers from the same problem.

FYI: I am using Keycloak as an OpenID Connect provider. The log files given in the gist include the relevant part of Keycloak's logs as well as Gitea logs in trace mode.

Screenshots

Gitea just shows a generic 500 page; I don't think that's relevant here.

Contributor

wxiaoguang commented Mar 2, 2022

I haven't read the source carefully, just a guess, maybe the problem is caused by #16766

There is new code Scopes: strings.Split(form.Oauth2Scopes, ",") , https://github.com/go-gitea/gitea/pull/16766/files#diff-1e3c0feb405a68b743288ec4d64ced3a46147dbfc2416b50363232a9f9b5e3d7R191

If the Oauth2Scopes is empty, then we get a slice []string{""}, then it might be appended with other scopes and get []string{"", "openid"}, then it will be joined by a space to send to remote scope=" openid", then the space will be escaped as +, that might be how scope=+openid comes ....
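The mechanism guessed at above can be reproduced in a few lines. The following is an added example, not code from Gitea, goth or the linked PR: it models `strings.Split` on an empty form field, the provider library appending `openid` to whatever was configured, and the resulting query-string encoding, next to a hardened scope parser that drops empty entries and a strict server-side check of the kind Keycloak evidently performs. The function names (`buggySplitScopes`, `splitScopes`, `buildScopeParam`, `validateScopeParam`) and the sample form values are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// buggySplitScopes mirrors the suspected code path: strings.Split("", ",")
// returns []string{""} (one empty element), not an empty slice.
func buggySplitScopes(form string) []string {
	return strings.Split(form, ",")
}

// splitScopes is the hardened variant: trim each entry and drop empty ones,
// so an empty or whitespace-only form field yields an empty slice.
func splitScopes(form string) []string {
	var out []string
	for _, s := range strings.Split(form, ",") {
		if s = strings.TrimSpace(s); s != "" {
			out = append(out, s)
		}
	}
	return out
}

// buildScopeParam models the provider library appending the mandatory
// "openid" scope (if not already present) and encoding the result as a
// query string. url.Values.Encode escapes a space as '+', which is how a
// leading empty scope shows up as "scope=+openid" in the redirect URL.
func buildScopeParam(configured []string) string {
	scopes := append([]string{}, configured...)
	hasOpenID := false
	for _, s := range scopes {
		if s == "openid" {
			hasOpenID = true
		}
	}
	if !hasOpenID {
		scopes = append(scopes, "openid")
	}
	v := url.Values{}
	v.Set("scope", strings.Join(scopes, " "))
	return v.Encode()
}

// validateScopeParam is the check an authorization server should apply to a
// decoded scope value: RFC 6749 scope tokens are separated by single spaces
// and no token may be empty. It returns the parsed tokens or an error whose
// text resembles Keycloak's "Invalid scopes: ..." description.
func validateScopeParam(decoded string) ([]string, error) {
	if decoded == "" {
		return nil, fmt.Errorf("Invalid scopes: %q", decoded)
	}
	tokens := strings.Split(decoded, " ")
	for _, tok := range tokens {
		if tok == "" {
			return nil, fmt.Errorf("Invalid scopes: %q", decoded)
		}
	}
	return tokens, nil
}

func main() {
	// Constructed form values: an empty Oauth2Scopes field and a populated one.
	for _, form := range []string{"", "profile, email"} {
		buggy := buildScopeParam(buggySplitScopes(form))
		fixed := buildScopeParam(splitScopes(form))
		fmt.Printf("form=%q\n  buggy: %s\n  fixed: %s\n", form, buggy, fixed)

		// What the authorization server sees after decoding each query string.
		for _, q := range []string{buggy, fixed} {
			vals, _ := url.ParseQuery(q)
			if _, err := validateScopeParam(vals.Get("scope")); err != nil {
				fmt.Printf("  server rejects %s: %v\n", q, err)
			} else {
				fmt.Printf("  server accepts %s\n", q)
			}
		}
	}
}
```

Running it shows `scope=+openid` for the empty form field on the buggy path and `scope=openid` on the hardened one; the strict validator rejects the former exactly because the decoded value ` openid` contains an empty token.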

@wxiaoguang wxiaoguang added this to the 1.16.4 milestone Mar 4, 2022
wxiaoguang pushed a commit that referenced this issue Mar 20, 2022
Backport #19029
Fix #18972 Gitea prepends requested openid scope with + after updating authentication source
@zeripath zeripath modified the milestones: 1.16.4, 1.16.5 Mar 23, 2022
@go-gitea go-gitea locked and limited conversation to collaborators Apr 28, 2022