github/gitea
1
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-04-30 14:28:29 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
aba87285f020e9982d7a207c7093fd95ed2d1b85
gitea/services/auth/source/oauth2/source.go
Zettat123 b1bfca39f1 Add ExternalIDClaim option for OAuth2 OIDC auth source (#37229) 
This PR adds an External ID Claim Name configuration field to the OIDC
auth source. When set, Gitea uses the specified JWT claim as the user's
`ExternalID` instead of the default `sub` claim.

This PR fixes the bug when migrating from Azure AD V2 to OIDC. When an
admin migrates the same auth source to OIDC, goth's `openidConnect`
provider defaults to using the `sub` claim as `UserID`. However, Azure
AD's `sub` is a pairwise identifier:

> `sub`: The subject is a pairwise identifier and is unique to an
application ID. If a single user signs into two different apps using two
different client IDs, those apps receive two different values for the
subject claim.


https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference#payload-claims

As a result, every existing user appears as a new account after
migration.

To fix this issue, Gitea should use `oid` claim for `UserID`.

> `oid`: This ID uniquely identifies the user across applications - two
different applications signing in the same user receives the same value
in the oid claim.

Note: The `oid` claim is not included in Azure AD tokens by default. The
`profile` scope must be added to the Scopes field of the auth source.
2026-04-16 17:30:46 +00:00

49 lines
1.2 KiB
Go
Raw Blame History

// Copyright 2021 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package oauth2
import (
"code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/modules/json"
)
// Source holds configuration for the OAuth2 login source.
type Source struct {
auth.ConfigBase `json:"-"`
Provider string
ClientID string
ClientSecret string
OpenIDConnectAutoDiscoveryURL string
CustomURLMapping *CustomURLMapping
IconURL string
Scopes []string
RequiredClaimName string
RequiredClaimValue string
GroupClaimName string
AdminGroup string
GroupTeamMap string
GroupTeamMapRemoval bool
RestrictedGroup string
SSHPublicKeyClaimName string
FullNameClaimName string
ExternalIDClaim string
}
// FromDB fills up an OAuth2Config from serialized format.
func (source *Source) FromDB(bs []byte) error {
return json.UnmarshalHandleDoubleEncode(bs, &source)
}
// ToDB exports an OAuth2Config to a serialized format.
func (source *Source) ToDB() ([]byte, error) {
return json.Marshal(source)
}
func init() {
auth.RegisterTypeConfig(auth.OAuth2, &Source{})
}
Reference in New Issue View Git Blame Copy Permalink