Implement well known OpenID Configuration

[tommyknows]

Description

The PR #5378 initially implemented the OAuth2 provider. I love the idea to have gitea as my SSO provider :-)
However, it seems like the .well-known/... endpoints are missing. This is also stated in the PR, "will be implemented in another PR".
I'm trying to get ArgoCD to work (see this), and it seems like it tries to connect to https://<server>/ .well-known/openid-configuration, which does not exist and returns a 401.

I guess this goes into the same direction as #8534.

Would be cool if gitea had support for that as well!

Edit: More info on the endpoint can be found here

[lunny]

I think that's the part of OpenID provider standard but gitea doesn't implement.

[tommyknows]

Yes. Interestingly, there is a reference to this endpoint here:

gitea/options/locale/locale_en-US.ini

Line 1772 in 232340f

auths.tip.openid_connect = Use the OpenID Connect Discovery URL (<server>/.well-known/openid-configuration) to specify the endpoints

Sadly I don't think it is relevant at all 🙂

[lafriks]

I have started implementing it

[josipradic]

@lafriks Glad to see someone is working on it! Any news when we can except this feature to be merged? Thanks a lot!

[lafriks]

I'm planning to finish it for 1.12

[techknowlogick]

How would this work when Gitea is running in a subpath (ie, example.com/gitea/)? I'm thinking we could probably put in docs that it isn't supported for for subpath installations (because .well-known has to be served from root path)

[lafriks]

@techknowlogick that is not true, it is supported to have it also in subpath

[mnavarrocarter]

Hi there. I've been researching about OpenID Connect because I'm really interested in centralize auth credentials in gitea for our dev team.

I still don't fully undertand OIDC but correct me if I'm wrong. Would it be possible to implement my own ./well-known/openid-configuration if I write it and serve it statically from my http proxy before the request hits Gitea?

As far as I understand, that file is some sort of mapper of the available oauth endpoints and grant types, right?

[droplet-js]

any news update?

[pat-s]

AFAIC this works already?

[sikmir]

AFAIC this works already?

No, still missing userinfo endpoint.

[droplet-js]

any news update?