feat: if OAuth2 is disabled return 'Not found' for openid configuration (#8426)

- If a Forgejo has disabled being a OAuth2 provider via `[oauth2].ENABLED = false` then return 'Not found' when clients requests `.well-known/openid-configuration` to reflect that OAuth2 is not supported. - This allows clients to query if Forgejo has OAuth2 enabled. - Resolves forgejo/forgejo#6978 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8426 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Co-authored-by: Gusted <postmaster@gusted.xyz> Co-committed-by: Gusted <postmaster@gusted.xyz>
2025-07-07 09:55:41 +02:00 · 2025-07-06 07:19:23 +02:00 · 2025-07-06 07:19:23 +02:00 · 288c56f5d3
commit 288c56f5d3
parent 74981d9e97
2 changed files with 26 additions and 9 deletions
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@ -668,6 +668,11 @@ func GrantApplicationOAuth(ctx *context.Context) {

 // OIDCWellKnown generates JSON so OIDC clients know Gitea's capabilities
 func OIDCWellKnown(ctx *context.Context) {
+	if !setting.OAuth2.Enabled {
+		ctx.Status(http.StatusNotFound)
+		return
+	}
+
 	ctx.Data["SigningKey"] = oauth2.DefaultSigningKey
 	ctx.Data["Issuer"] = strings.TrimSuffix(setting.AppURL, "/")
 	ctx.JSONTemplate("user/auth/oidc_wellknown")
--- a/tests/integration/oauth_test.go
+++ b/tests/integration/oauth_test.go
@ -632,17 +632,29 @@ func TestSignInOAuthCallbackPKCE(t *testing.T) {
 	})
 }

-func TestWellKnownDocumentIssuerDoesNotEndWithASlash(t *testing.T) {
+func TestWellKnownOpenIDConfiguration(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
-	req := NewRequest(t, "GET", "/.well-known/openid-configuration")
-	resp := MakeRequest(t, req, http.StatusOK)
-	type response struct {
-		Issuer string `json:"issuer"`
-	}
-	parsed := new(response)

-	DecodeJSON(t, resp, parsed)
-	assert.Equal(t, strings.TrimSuffix(setting.AppURL, "/"), parsed.Issuer)
+	t.Run("Issuer does not end with a slash", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+
+		req := NewRequest(t, "GET", "/.well-known/openid-configuration")
+		resp := MakeRequest(t, req, http.StatusOK)
+		type response struct {
+			Issuer string `json:"issuer"`
+		}
+		parsed := new(response)
+
+		DecodeJSON(t, resp, parsed)
+		assert.Equal(t, strings.TrimSuffix(setting.AppURL, "/"), parsed.Issuer)
+	})
+
+	t.Run("Not found if OAuth2 is not enabled", func(t *testing.T) {
+		defer tests.PrintCurrentTest(t)()
+		defer test.MockVariableValue(&setting.OAuth2.Enabled, false)()
+
+		MakeRequest(t, NewRequest(t, "GET", "/.well-known/openid-configuration"), http.StatusNotFound)
+	})
 }

 func TestSignInOAuthCallbackRedirectToEscaping(t *testing.T) {