Adding OAuth2/ OpenID Connect to Gitea


I host my own Gitea server, which I use as a self-hosted alternative to GitHub. Over the last couple of days, and for fun, I have been migrating any hosted services that are capable over to supported authentication sources.

If you are not familiar with Gitea, it is an open-source Git hosting platform written in Go. It was originally forked from the Gogs project and takes a lot of its design cues from GitHub.

Where I can, I am trying to set up my services to use Azure Active Directory (AAD) as an authentication provider. This post will go through the steps to set up the authentication provider.

Gitea supports many different authentication types, but in this setup we will be using OAuth2 with OpenID Connect as the provider.

1. Log into Gitea, and navigate to Site Administration, Authentication Sources. Then click on Add Authentication Source.

2. Fill the form out with the following values:

Option                             Value
Authentication Type                OAuth2
Authentication Name                gitea-oauth
OAuth2 Provider                    OpenID Connect
Client ID (Key)                    To be created in AAD
Client Secret                      To be created in AAD
Icon URL                           Your icon URL
OpenID Connect Auto Discovery URL  https://login.microsoftonline.com/TENANT-ID/v2.0/.well-known/openid-configuration

Leave this window open, as we will need to collect values from the AAD side of things.

3. Log into AAD, and navigate to the App Registrations blade.

4. Click on New registration and enter a meaningful name; I called mine Gitea.

Make sure you select the corresponding account type; most will likely use Accounts in this organizational directory only (Tenant Name Here only - Single tenant).

Enter the Redirect URI for the authentication source we created in Gitea and click Register.

Your Redirect URI will look something like this: https://mygiteaserver.awesomedomain.com/user/oauth2/<AUTHENTICATION NAME FROM GITEA>/callback
Replace <AUTHENTICATION NAME FROM GITEA> with what you put in the Authentication Name field in Gitea. In this example we used gitea-oauth.

5. For Azure to provide the correct authorization flow, we need to change our Application Type to Native. This can be done by going into the Manage, Authentication blade in the Azure Portal.

Set Allow public client flow to Yes.

6. Next we need to generate a Client Secret. Navigate to Certificates & secrets, and create a new client secret.

Set the Client Secret name and expiry, and click on Add.

7. Copy the Value from the newly created client secret, and paste it into the Client Secret field on the Gitea page.

[Screenshot: Azure Active Directory - Client Secrets]
[Screenshot: Gitea - Authentication Sources]

8. Back in Azure, go back to the Overview page, and copy the Application (client) ID string. This will go into the Client ID (Key) field in Gitea.

9. Finally, collect the Tenant ID from the Overview page, and update the OpenID Connect Auto Discovery URL in Gitea with that Tenant ID value.

10. Test it out: go to your Gitea site, click on the OpenID button and sign in with your AAD account. Voila, you should load straight into your account.
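The two values that most often break this setup are the Auto Discovery URL (wrong tenant, so the issuer in the discovery document does not match) and the Redirect URI (AAD compares it exactly, so a trailing slash or http vs https is enough to fail the callback). The script below is an added example and not part of the original post or of Gitea; it builds the discovery URL and Gitea callback URL from a tenant ID, a Gitea base URL and the Authentication Name, and checks a discovery document the way a careful admin would before clicking the OpenID button. The discovery document and tenant ID are constructed sample values embedded inline so the script runs offline; against a live tenant you would fetch the document from the discovery URL yourself.

```python
"""Offline sanity checks for a Gitea <-> Azure AD OpenID Connect authentication source.

Added example (not from the original post or the Gitea project). The tenant ID and the
discovery document below are constructed samples shaped like Azure AD's v2.0 endpoint output.
"""
import json
from urllib.parse import urlparse

# Constructed placeholder tenant ID, not a real tenant.
SAMPLE_TENANT_ID = "00000000-0000-0000-0000-000000000000"

# Constructed sample of the JSON served at .../TENANT-ID/v2.0/.well-known/openid-configuration,
# trimmed to the fields checked here.
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{SAMPLE_TENANT_ID}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def discovery_url(tenant_id: str) -> str:
    """The value that goes into Gitea's 'OpenID Connect Auto Discovery URL' field."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration"


def gitea_callback_url(gitea_base_url: str, auth_name: str) -> str:
    """The Redirect URI Gitea uses for an OAuth2 source with the given Authentication Name."""
    return f"{gitea_base_url.rstrip('/')}/user/oauth2/{auth_name}/callback"


def check_discovery_document(doc_json: str, tenant_id: str) -> list[str]:
    """Return a list of problems; an empty list means the document is usable for this tenant."""
    problems = []
    doc = json.loads(doc_json)

    # The issuer embeds the tenant; a mismatch means the wrong tenant ID was pasted into Gitea.
    expected_issuer = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")

    # Gitea needs all three endpoints, and each must be served over TLS.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif urlparse(value).scheme != "https":
            problems.append(f"{key} is not https: {value}")

    # Gitea's OpenID Connect provider uses the authorization code flow with the openid scope.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    if "openid" not in doc.get("scopes_supported", []):
        problems.append("openid scope not advertised")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 not offered for id_token signatures")
    return problems


def check_redirect_uri(registered_uri: str, gitea_base_url: str, auth_name: str) -> list[str]:
    """AAD matches the registered Redirect URI exactly, so compare it to Gitea's callback."""
    problems = []
    expected = gitea_callback_url(gitea_base_url, auth_name)
    if urlparse(registered_uri).scheme != "https":
        problems.append("redirect URI must use https")
    if registered_uri != expected:
        problems.append(f"registered {registered_uri!r} does not match Gitea callback {expected!r}")
    return problems


if __name__ == "__main__":
    base, name = "https://mygiteaserver.awesomedomain.com", "gitea-oauth"
    print("Auto Discovery URL:", discovery_url(SAMPLE_TENANT_ID))
    print("Redirect URI to register in AAD:", gitea_callback_url(base, name))
    print("Discovery problems:", check_discovery_document(SAMPLE_DISCOVERY_DOC, SAMPLE_TENANT_ID))
    # A trailing slash on the registered URI is a common exact-match failure.
    print("Redirect problems:", check_redirect_uri(gitea_callback_url(base, name) + "/", base, name))
```

Run it as-is to see the checks pass on the constructed document and fail on the trailing-slash redirect URI; for a real deployment, replace the sample document with the JSON fetched from the discovery URL and the sample tenant ID with the one from the app's Overview page.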

Bonus tip: If you have an existing account already created in Gitea, you can link this new authentication method to an existing account.