mirror of https://github.com/go-gitea/gitea.git
Giteabot
GitHub
parent
db876d8f17
commit
327f2207dc
|
|
@ -567,6 +567,11 @@ ENABLED = true
|
|||
;; Alternative location to specify OAuth2 authentication secret. You cannot specify both this and JWT_SECRET, and must pick one
|
||||
;JWT_SECRET_URI = file:/etc/gitea/oauth2_jwt_secret
|
||||
;;
|
||||
;; The "issuer" claim identifies the principal that issued the JWT.
|
||||
;; Gitea 1.25 makes it default to "ROOT_URL without the last slash" to follow the standard.
|
||||
;; If you have old logins from before 1.25, you may want to set it to the old (non-standard) value "ROOT_URL with the last slash".
|
||||
;JWT_CLAIM_ISSUER =
|
||||
;;
|
||||
;; Lifetime of an OAuth2 access token in seconds
|
||||
;ACCESS_TOKEN_EXPIRATION_TIME = 3600
|
||||
;;
|
||||
|
|
|
|||
|
|
@ -96,6 +96,7 @@ var OAuth2 = struct {
|
|||
InvalidateRefreshTokens bool
|
||||
JWTSigningAlgorithm string `ini:"JWT_SIGNING_ALGORITHM"`
|
||||
JWTSigningPrivateKeyFile string `ini:"JWT_SIGNING_PRIVATE_KEY_FILE"`
|
||||
JWTClaimIssuer string `ini:"JWT_CLAIM_ISSUER"`
|
||||
MaxTokenLength int
|
||||
DefaultApplications []string
|
||||
}{
|
||||
|
|
|
|||
|
|
@ -112,8 +112,12 @@ func NewJwtRegisteredClaimsFromUser(clientID string, grantUserID int64, exp *jwt
|
|||
// to retrieve the configuration information. This MUST also be identical to the "iss" Claim value in ID Tokens issued from this Issuer.
|
||||
// * https://accounts.google.com/.well-known/openid-configuration
|
||||
// * https://github.com/login/oauth/.well-known/openid-configuration
|
||||
issuer := setting.OAuth2.JWTClaimIssuer
|
||||
if issuer == "" {
|
||||
issuer = strings.TrimSuffix(setting.AppURL, "/")
|
||||
}
|
||||
return jwt.RegisteredClaims{
|
||||
Issuer: strings.TrimSuffix(setting.AppURL, "/"),
|
||||
Issuer: issuer,
|
||||
Audience: []string{clientID},
|
||||
Subject: strconv.FormatInt(grantUserID, 10),
|
||||
ExpiresAt: exp,
|
||||
|
|
|
|||
|
|
@ -919,9 +919,10 @@ func TestOAuth_GrantScopesClaimAllGroups(t *testing.T) {
|
|||
}
|
||||
|
||||
func testOAuth2WellKnown(t *testing.T) {
|
||||
defer test.MockVariableValue(&setting.AppURL, "https://try.gitea.io/")()
|
||||
urlOpenidConfiguration := "/.well-known/openid-configuration"
|
||||
|
||||
defer test.MockVariableValue(&setting.AppURL, "https://try.gitea.io/")()
|
||||
t.Run("WellKnown", func(t *testing.T) {
|
||||
req := NewRequest(t, "GET", urlOpenidConfiguration)
|
||||
resp := MakeRequest(t, req, http.StatusOK)
|
||||
var respMap map[string]any
|
||||
|
|
@ -933,6 +934,17 @@ func testOAuth2WellKnown(t *testing.T) {
|
|||
assert.Equal(t, "https://try.gitea.io/login/oauth/userinfo", respMap["userinfo_endpoint"])
|
||||
assert.Equal(t, "https://try.gitea.io/login/oauth/introspect", respMap["introspection_endpoint"])
|
||||
assert.Equal(t, []any{"RS256"}, respMap["id_token_signing_alg_values_supported"])
|
||||
})
|
||||
|
||||
t.Run("WellKnownWithIssuer", func(t *testing.T) {
|
||||
defer test.MockVariableValue(&setting.OAuth2.JWTClaimIssuer, "https://try.gitea.io/")()
|
||||
req := NewRequest(t, "GET", urlOpenidConfiguration)
|
||||
resp := MakeRequest(t, req, http.StatusOK)
|
||||
var respMap map[string]any
|
||||
DecodeJSON(t, resp, &respMap)
|
||||
assert.Equal(t, "https://try.gitea.io/", respMap["issuer"]) // has trailing by JWTClaimIssuer
|
||||
assert.Equal(t, "https://try.gitea.io/login/oauth/authorize", respMap["authorization_endpoint"])
|
||||
})
|
||||
|
||||
defer test.MockVariableValue(&setting.OAuth2.Enabled, false)()
|
||||
MakeRequest(t, NewRequest(t, "GET", urlOpenidConfiguration), http.StatusNotFound)
|
||||
|
|
|
|||
Loading…
Reference in New Issue