From 288c56f5d330b72defa9656994a4ba53cd2f19cb Mon Sep 17 00:00:00 2001 From: Gusted Date: Sun, 6 Jul 2025 07:19:23 +0200 Subject: [PATCH] feat: if OAuth2 is disabled return 'Not found' for openid configuration (#8426) - If a Forgejo has disabled being a OAuth2 provider via `[oauth2].ENABLED = false` then return 'Not found' when clients requests `.well-known/openid-configuration` to reflect that OAuth2 is not supported. - This allows clients to query if Forgejo has OAuth2 enabled. - Resolves forgejo/forgejo#6978 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8426 Reviewed-by: Earl Warren Co-authored-by: Gusted Co-committed-by: Gusted --- routers/web/auth/oauth.go | 5 +++++ tests/integration/oauth_test.go | 30 +++++++++++++++++++++--------- 2 files changed, 26 insertions(+), 9 deletions(-) diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go index e8e5d2c54b..f287e0e900 100644 --- a/routers/web/auth/oauth.go +++ b/routers/web/auth/oauth.go @@ -668,6 +668,11 @@ func GrantApplicationOAuth(ctx *context.Context) { // OIDCWellKnown generates JSON so OIDC clients know Gitea's capabilities func OIDCWellKnown(ctx *context.Context) { + if !setting.OAuth2.Enabled { + ctx.Status(http.StatusNotFound) + return + } + ctx.Data["SigningKey"] = oauth2.DefaultSigningKey ctx.Data["Issuer"] = strings.TrimSuffix(setting.AppURL, "/") ctx.JSONTemplate("user/auth/oidc_wellknown") diff --git a/tests/integration/oauth_test.go b/tests/integration/oauth_test.go index 2b44863ec2..188b0426da 100644 --- a/tests/integration/oauth_test.go +++ b/tests/integration/oauth_test.go @@ -632,17 +632,29 @@ func TestSignInOAuthCallbackPKCE(t *testing.T) { }) } -func TestWellKnownDocumentIssuerDoesNotEndWithASlash(t *testing.T) { +func TestWellKnownOpenIDConfiguration(t *testing.T) { defer tests.PrepareTestEnv(t)() - req := NewRequest(t, "GET", "/.well-known/openid-configuration") - resp := MakeRequest(t, req, http.StatusOK) - type response struct { - Issuer string `json:"issuer"` - } - parsed := new(response) - DecodeJSON(t, resp, parsed) - assert.Equal(t, strings.TrimSuffix(setting.AppURL, "/"), parsed.Issuer) + t.Run("Issuer does not end with a slash", func(t *testing.T) { + defer tests.PrintCurrentTest(t)() + + req := NewRequest(t, "GET", "/.well-known/openid-configuration") + resp := MakeRequest(t, req, http.StatusOK) + type response struct { + Issuer string `json:"issuer"` + } + parsed := new(response) + + DecodeJSON(t, resp, parsed) + assert.Equal(t, strings.TrimSuffix(setting.AppURL, "/"), parsed.Issuer) + }) + + t.Run("Not found if OAuth2 is not enabled", func(t *testing.T) { + defer tests.PrintCurrentTest(t)() + defer test.MockVariableValue(&setting.OAuth2.Enabled, false)() + + MakeRequest(t, NewRequest(t, "GET", "/.well-known/openid-configuration"), http.StatusNotFound) + }) } func TestSignInOAuthCallbackRedirectToEscaping(t *testing.T) {