Description
Feature Description
I have the following use case: I have an authorization server running next to my Gitea instance. Gitea is not supposed to do anything related to authentication or authorization other than using session cookies or verifying tokens, i.e. through a public key from said authorization server.
Using the Web UI, this already (kind of) achieved. It is not perfect, as roles (admin role) and group memberships are still managed by Gitea. But I can live with that as long as Gitea does not work with passwords, OTPs, security keys or anything else related to authentication.
However, when using the Rest API or the container registry, things look different. I have to create an API token to get access. This in itself would be fine for me too --- although not perfect --- if there was a way to generate this token without Web UI and without sending password or TOTP.
The example in the docs (https://docs.gitea.io/en-us/api-usage/#generating-and-listing-api-tokens) suggest to either send password/TOTP via curl or use the Web UI. I think this is not enough in the long term.
I know that #13532 has been closed, but I feel the underlying issue is valid: Gitea should be functional without its own authentication capabilities, which should be optional.
It's great that Gitea provides its own, modern authentication features if no dedicated authorization server is used. However, in the long term it would be even greater if Gitea would integrate seamlessly in more complex, sophisticated security architectures.
Screenshots
No response