go-gitea · tiltingpenguin · Nov 17, 2022 · Nov 23, 2022 · Jan 5, 2023 · Jan 5, 2023
diff --git a/cmd/admin.go b/cmd/admin.go
@@ -826,6 +826,7 @@ func parseOAuth2Config(c *cli.Context) *oauth2.Source {
 		CustomURLMapping:              customURLMapping,
 		IconURL:                       c.String("icon-url"),
 		SkipLocalTwoFA:                c.Bool("skip-local-2fa"),
+		ForceOAuth:                    c.Bool("force-configured-oauth"),
 		Scopes:                        c.StringSlice("scopes"),
 		RequiredClaimName:             c.String("required-claim-name"),
 		RequiredClaimValue:            c.String("required-claim-value"),
@@ -914,6 +915,9 @@ func runUpdateOauth(c *cli.Context) error {
 	if c.IsSet("restricted-group") {
 		oAuth2Config.RestrictedGroup = c.String("restricted-group")
 	}
+	if c.IsSet("force-oauth") {
+		oAuth2Config.ForceOAuth = c.BoolT("force-oauth")
+	}
 
 	// update custom URL mapping
 	customURLMapping := &oauth2.CustomURLMapping{}

diff --git a/options/locale/locale_de-DE.ini b/options/locale/locale_de-DE.ini
@@ -2663,6 +2663,8 @@ auths.oauth2_profileURL=Profil-URL
 auths.oauth2_emailURL=E-Mail-URL
 auths.skip_local_two_fa=Lokale 2FA überspringen
 auths.skip_local_two_fa_helper=Leer lassen bedeutet, dass lokale User die 2FA immer noch bestehen müssen, um sich anzumelden
+auths.force_oauth=Anmelden durch diese Quelle erzwingen
+auths.force_oauth_helper=Setzen um Anmeldungen automatisch auf diesen OAuth Anbieter umzuleiten
 auths.oauth2_tenant=Inhaber
 auths.oauth2_scopes=Zusätzliche Bereiche
 auths.oauth2_required_claim_name=Benötigter Claim-Name

diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
@@ -2680,6 +2680,8 @@ auths.oauth2_profileURL = Profile URL
 auths.oauth2_emailURL = Email URL
 auths.skip_local_two_fa = Skip local 2FA
 auths.skip_local_two_fa_helper = Leaving unset means local users with 2FA set will still have to pass 2FA to log on
+auths.force_oauth = Force login via this authentication
+auths.force_oauth_helper = Set this to automatically redirect sign in to this OAuth provider
 auths.oauth2_tenant = Tenant
 auths.oauth2_scopes = Additional Scopes
 auths.oauth2_required_claim_name = Required Claim Name

diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go
@@ -205,6 +205,7 @@ func parseOAuth2Config(form forms.AuthenticationForm) *oauth2.Source {
 		GroupClaimName:                form.Oauth2GroupClaimName,
 		RestrictedGroup:               form.Oauth2RestrictedGroup,
 		AdminGroup:                    form.Oauth2AdminGroup,
+		ForceOAuth:                    form.ForceOAuth,
 	}
 }
 

diff --git a/routers/web/auth/auth.go b/routers/web/auth/auth.go
@@ -146,6 +146,24 @@ func checkAutoLogin(ctx *context.Context) bool {
 	return false
 }
 
+func checkForceOAuth(ctx *context.Context) bool {
+	// Check if authentication is forced to OAuth
+
+	authSources, err := auth.GetActiveOAuth2ProviderSources()
+	if err != nil {
+		return false
+	}
+
+	for _, source := range authSources {
+		if source.Cfg.(*oauth2.Source).ForceOAuth {
+			ctx.RedirectToFirst(setting.AppSubURL + "/user/login/openid")
+			return true
+		}
+	}
+
+	return false
+}
+
 // SignIn render sign in page
 func SignIn(ctx *context.Context) {
 	ctx.Data["Title"] = ctx.Tr("sign_in")
@@ -155,6 +173,11 @@ func SignIn(ctx *context.Context) {
 		return
 	}
 
+	// Check if authentication is forced to OAuth
+	if checkForceOAuth(ctx) {
+		return
+	}
+
 	orderedOAuth2Names, oauth2Providers, err := oauth2.GetActiveOAuth2Providers()
 	if err != nil {
 		ctx.ServerError("UserSignIn", err)

diff --git a/services/auth/source/oauth2/source.go b/services/auth/source/oauth2/source.go
@@ -24,6 +24,7 @@ type Source struct {
 	OpenIDConnectAutoDiscoveryURL string
 	CustomURLMapping              *CustomURLMapping
 	IconURL                       string
+	ForceOAuth                    bool `json:",omitempty"`
 
 	Scopes             []string
 	RequiredClaimName  string

diff --git a/services/forms/auth_form.go b/services/forms/auth_form.go
@@ -60,6 +60,7 @@ type AuthenticationForm struct {
 	Oauth2Key                     string
 	Oauth2Secret                  string
 	OpenIDConnectAutoDiscoveryURL string
+	ForceOAuth                    bool
 	Oauth2UseCustomURL            bool
 	Oauth2TokenURL                string
 	Oauth2AuthURL                 string

diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl
@@ -299,6 +299,13 @@
 							<p class="help">{{.locale.Tr "admin.auths.skip_local_two_fa_helper"}}</p>
 						</div>
 					</div>
+					<div class="optional field">
+						<div class="ui checkbox">
+							<label for="force_oauth"><strong>{{.locale.Tr "admin.auths.force_oauth"}}</strong></label>
+							<input id="force_oauth" name="force_oauth" type="checkbox" {{if $cfg.ForceOAuth}}checked{{end}}>
+							<p class="help">{{.locale.Tr "admin.auths.force_oauth_helper"}}</p>
+						</div>
+					</div>
 					<div class="oauth2_use_custom_url inline field">
 						<div class="ui checkbox">
 							<label><strong>{{.locale.Tr "admin.auths.oauth2_use_custom_url"}}</strong></label>

diff --git a/templates/admin/auth/source/oauth.tmpl b/templates/admin/auth/source/oauth.tmpl
@@ -35,6 +35,13 @@
 			<p class="help">{{.locale.Tr "admin.auths.skip_local_two_fa_helper"}}</p>
 		</div>
 	</div>
+	<div class="optional field">
+		<div class="ui checkbox">
+			<label for="force_oauth"><strong>{{.locale.Tr "admin.auths.force_oauth"}}</strong></label>
+			<input id="force_oauth" name="force_oauth" type="checkbox" {{if .force_oauth}}checked{{end}}>
+			<p class="help">{{.locale.Tr "admin.auths.force_oauth_helper"}}</p>
+		</div>
+	</div>
 
 	<div class="oauth2_use_custom_url inline field">
 		<div class="ui checkbox">