Description
- Gitea version (or commit ref): 1.11.6
- Git version: 2.27.0
- Operating system: Arch Linux, kernel 5.6.15-arch1-1
- Database (use
[x]):- MySQL (MirandaDB)
- Can you reproduce the bug at https://try.gitea.io:
- Not relevant
Description
A related bug was filed with Azure awhile ago, and I confirmed with that team that this bug is not in the roadmap to be fixed any time soon, because doing so requires considerable engineering effort. That bug is here:
https://github.com/MicrosoftDocs/azure-docs/issues/38427
The TL;DR is that Azure's endpoint doesn't actually return a valid issuer URI in the .well-known response from the endpoint, if you are trying to use either the common or organizations endpoints. When you try to hit either of these, the .well-known response looks like this:
"issuer": "https://login.microsoftonline.com/{tenantid}/v2.0"
The correct issuer is in the URL of the .well-known config itself:
https://login.microsoftonline.com/organizations/v2.0/.well-known/openid-configuration
Gitea checks the issuer in the .well-known response, and since it doesn't match, it throws an HTTP 500 error after successful authentication.
I think this can be addressed one of two ways:
- Add a warning if the user tries to use either common or organizations with Microsoft's OAuth2 endpoint
- Programmatically fix the issuer URL in the response so Gitea doesn't complain about issuer mismatch
Alternatively, maybe Microsoft can be added as a preconfigured OAuth2 provider. I'm not a Go dev but I can help answer any questions related to Microsoft's implementation.
Activity