misc-mirrors/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-07-07 09:55:41 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

feat: if OAuth2 is disabled return 'Not found' for openid configuration (#8426)

Browse source 
- If a Forgejo has disabled being a OAuth2 provider via `[oauth2].ENABLED = false` then return 'Not found' when clients requests `.well-known/openid-configuration` to reflect that OAuth2 is not supported.
- This allows clients to query if Forgejo has OAuth2 enabled.
- Resolves forgejo/forgejo#6978

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8426
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
This commit is contained in:
Gusted 2025-07-06 07:19:23 +02:00 committed by Earl Warren
parent 74981d9e97
commit 288c56f5d3
2 changed files with 26 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

5
routers/web/auth/oauth.go
View file

@ -668,6 +668,11 @@ func GrantApplicationOAuth(ctx *context.Context) {
// OIDCWellKnown generates JSON so OIDC clients know Gitea's capabilities // OIDCWellKnown generates JSON so OIDC clients know Gitea's capabilities
func OIDCWellKnown(ctx *context.Context) { func OIDCWellKnown(ctx *context.Context) {
if !setting.OAuth2.Enabled {
ctx.Status(http.StatusNotFound)
return
}
ctx.Data["SigningKey"] = oauth2.DefaultSigningKey ctx.Data["SigningKey"] = oauth2.DefaultSigningKey
ctx.Data["Issuer"] = strings.TrimSuffix(setting.AppURL, "/") ctx.Data["Issuer"] = strings.TrimSuffix(setting.AppURL, "/")
ctx.JSONTemplate("user/auth/oidc_wellknown") ctx.JSONTemplate("user/auth/oidc_wellknown")

30
tests/integration/oauth_test.go
View file

@ -632,17 +632,29 @@ func TestSignInOAuthCallbackPKCE(t *testing.T) {
}) })
} }
func TestWellKnownDocumentIssuerDoesNotEndWithASlash(t *testing.T) { func TestWellKnownOpenIDConfiguration(t *testing.T) {
defer tests.PrepareTestEnv(t)() defer tests.PrepareTestEnv(t)()
req := NewRequest(t, "GET", "/.well-known/openid-configuration")
resp := MakeRequest(t, req, http.StatusOK)
type response struct {
Issuer string `json:"issuer"`
}
parsed := new(response)
DecodeJSON(t, resp, parsed) t.Run("Issuer does not end with a slash", func(t *testing.T) {
assert.Equal(t, strings.TrimSuffix(setting.AppURL, "/"), parsed.Issuer) defer tests.PrintCurrentTest(t)()
req := NewRequest(t, "GET", "/.well-known/openid-configuration")
resp := MakeRequest(t, req, http.StatusOK)
type response struct {
Issuer string `json:"issuer"`
}
parsed := new(response)
DecodeJSON(t, resp, parsed)
assert.Equal(t, strings.TrimSuffix(setting.AppURL, "/"), parsed.Issuer)
})
t.Run("Not found if OAuth2 is not enabled", func(t *testing.T) {
defer tests.PrintCurrentTest(t)()
defer test.MockVariableValue(&setting.OAuth2.Enabled, false)()
MakeRequest(t, NewRequest(t, "GET", "/.well-known/openid-configuration"), http.StatusNotFound)
})
} }
func TestSignInOAuthCallbackRedirectToEscaping(t *testing.T) { func TestSignInOAuthCallbackRedirectToEscaping(t *testing.T) {