
OAUTH2_Client not reading userid claim

Open jasonvriends opened this issue 3 years ago • 6 comments

Gitea Version

1.14.2

Git Version

No response

Operating System

No response

How are you running Gitea?

I am trying to setup OAUTH2_Client with Azure AD.

The only available options in the app.ini for claims for a userid are: userid, nickname, and email.

sub is prefilled in Azure with something that can't be changed, and it looks like Gitea will use that, if populated, before userid.

nickname is empty on Azure AD.

Are we able to update the config to select another claim for userid?

Database

No response

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Description

No response

Screenshots

No response

jasonvriends, Mar 09 '22 19:03

Gitea Version 1.14.2

please update your version of Gitea. The version you are using is no longer supported.

Edit: Reading through this, I'm unsure what you are attempting to do, as 1. you can't configure app.ini on try.gitea.io or setup oauth client config, that requires elevated permissions which aren't provided. and 2. you can't configure oauth clients via app.ini

techknowlogick, Mar 09 '22 20:03

Hello. The app.ini file has three options:

```ini
;[oauth2_client]
;; The source of the username for new oauth2 accounts:
;; userid = use the userid / sub attribute
;; nickname = use the nickname attribute
;; email = use the username part of the email attribute
;USERNAME = nickname
```

When using Azure AD

  • nickname = Display Name, which has a space and not valuable
  • email = works, displays the first part of the email, but doesn't work for our case
  • userid = rather than reading the userid claim, which is the first part of a userprincipalname, it sets the userid to the Azure AD user objectid.

Goal is to have the userid be the first part of our UPN.

jasonvriends, Mar 11 '22 18:03
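To make the three documented USERNAME modes concrete, here is an added example (not Gitea's code and not from anyone in this thread) that decodes a constructed Azure AD-style ID-token payload and shows which username each mode would pick. The claim values, the `upn` mode and the username character check are assumptions for illustration: `upn` is not a Gitea option, it is what the requested behaviour (local part of the UPN) would look like. The `sub`/`oid` values are opaque and deliberately kept as the stable identity key; only the displayed username is derived from a human-readable claim.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Claims is the subset of an ID-token payload used here: the standard OIDC
// claims plus Azure AD's "oid" and "upn" extensions.
type Claims struct {
	Sub               string `json:"sub"`
	OID               string `json:"oid,omitempty"`
	Name              string `json:"name,omitempty"`
	Nickname          string `json:"nickname,omitempty"`
	Email             string `json:"email,omitempty"`
	PreferredUsername string `json:"preferred_username,omitempty"`
	UPN               string `json:"upn,omitempty"`
}

// SampleClaims is a constructed payload shaped like what Azure AD issues:
// "sub" is opaque and pairwise per application, "oid" is the tenant object
// ID, "nickname" carries the display name (with a space, as the thread
// reports), and the UPN carries the human-readable account name.
func SampleClaims() Claims {
	return Claims{
		Sub:               "AAAAAAAAAAAAAAAAAAAAAMp4kF2ExampleOnly", // constructed
		OID:               "2c4b8e1a-1111-4222-8333-444455556666", // constructed
		Name:              "Jane Doe",
		Nickname:          "Jane Doe",
		Email:             "jane.doe@example.com",
		PreferredUsername: "jane.doe@example.com",
		UPN:               "jane.doe@example.com",
	}
}

// EncodePayload builds the unpadded base64url payload segment of a JWT,
// the form in which an IdP delivers the claims.
func EncodePayload(c Claims) (string, error) {
	b, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// DecodePayload parses a payload segment. It does NOT verify a signature:
// a real client must check the token signature, issuer and audience before
// trusting any claim; this helper assumes that has already happened.
func DecodePayload(seg string) (Claims, error) {
	b, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	if err := json.Unmarshal(b, &c); err != nil {
		return Claims{}, err
	}
	return c, nil
}

// usernameRe is an assumed conservative username charset: no spaces, no
// leading or trailing punctuation.
var usernameRe = regexp.MustCompile(`^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?$`)

// localPart returns what precedes the first "@". The domain is dropped,
// so "jane.doe" from two different domains would collide.
func localPart(addr string) string {
	if i := strings.IndexByte(addr, '@'); i >= 0 {
		return addr[:i]
	}
	return addr
}

// UsernameFor mirrors the three documented [oauth2_client] USERNAME modes
// and adds a hypothetical "upn" mode (not a Gitea option) for comparison.
func UsernameFor(mode string, c Claims) (string, error) {
	var name string
	switch mode {
	case "userid":
		name = c.Sub // "use the userid / sub attribute"
	case "nickname":
		name = c.Nickname
	case "email":
		name = localPart(c.Email)
	case "upn": // hypothetical: local part of upn, else preferred_username
		src := c.UPN
		if src == "" {
			src = c.PreferredUsername
		}
		name = localPart(src)
	default:
		return "", fmt.Errorf("unknown USERNAME mode %q", mode)
	}
	if name == "" {
		return "", errors.New("selected claim is empty; choose another USERNAME mode")
	}
	if !usernameRe.MatchString(name) {
		return "", fmt.Errorf("%q is not a safe username", name)
	}
	return name, nil
}

func main() {
	seg, _ := EncodePayload(SampleClaims())
	c, _ := DecodePayload(seg)
	for _, m := range []string{"userid", "nickname", "email", "upn"} {
		u, err := UsernameFor(m, c)
		fmt.Printf("%-8s -> %q err=%v\n", m, u, err)
	}
}
```

Two design points the example makes visible: the mode that yields a readable name (`email`, or the hypothetical `upn`) throws away the domain, so it is only collision-free inside a single-domain tenant; and whatever is chosen for display, the account link should stay keyed on the immutable `sub`/`oid`, since a UPN can be renamed and then reassigned.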

oh, my apologies. I was thinking you were attempting to create new auth with app.ini. I've re-opened this to keep track of it.

techknowlogick, Mar 11 '22 19:03

This bug is over a year old, but I'm seeing this on Gitea 1.19.3 - a user that has never logged into Gitea before gets their AzureAD ObjectID as their Username and their "Authentication Sign-In Name".

jcollie, May 05 '23 16:05

Setting USERNAME = email under [oauth2_client] in app.ini gets me a reasonable value for a user's username (oddly, it doesn't include @domain.name), but the Authentication Sign-In Name is still set to the AzureAD ObjectID. I can live with that for now.

jcollie, May 05 '23 18:05

Do we have any update on this?

shyaminayesh, Aug 22 '24 11:08