ContextQMD
Back to Authelia

Forgejo

docs/content/integration/openid-connect/clients/forgejo/index.md

4.39.196.4 KB
Original Source

Tested Versions

{{% oidc-common %}}

Assumptions

This example makes the following assumptions:

  • Application Root URL: https://forgejo.{{< sitevar name="domain" nojs="example.com" >}}/
  • Authelia Root URL: https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/
  • Client ID: forgejo
  • Client Secret: insecure_secret
  • Authentication Name (Forgejo): authelia:
    • This option determines the redirect URI in the format of https://forgejo.{{< sitevar name="domain" nojs="example.com" >}}/user/oauth2/<Authentication Name>/callback. This means if you change this value you need to update the redirect URI.

Some of the values presented in this guide can automatically be replaced with documentation variables.

{{< sitevar-preferences >}}

Configuration

Authelia

The following YAML configuration is an example Authelia client configuration for use with Forgejo which will operate with the application example:

yaml
identity_providers:
  oidc:
    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
    ## See: https://www.authelia.com/c/oidc
    clients:
      - client_id: 'forgejo'
        client_name: 'Forgejo'
        client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
        public: false
        authorization_policy: 'two_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'https://forgejo.{{< sitevar name="domain" nojs="example.com" >}}/user/oauth2/authelia/callback'
        scopes:
          - 'openid'
          - 'email'
          - 'profile'
          - 'groups'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'

Application

To configure Forgejo there are two methods, using the Web GUI, or using the CLI.

Web GUI

To configure Forgejo to utilize Authelia as an OpenID Connect 1.0 Provider, use the following instructions:

  1. Expand User Options
  2. Visit Site Administration
  3. Visit Authentication Sources
  4. Visit Add Authentication Source
  5. Configure the following options:
    • Authentication Name: authelia
    • OAuth2 Provider: OpenID Connect
    • Client ID (Key): forgejo
    • Client Secret: insecure_secret
    • OpenID Connect Auto Discovery URL: https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/.well-known/openid-configuration
    • Additional scopes: email profile groups
  6. Optionally update the following setting to specify which oidc groups have admin access to Forgejo
    • Claim name providing group names for this source. (Optional)

{{< figure src="forgejo.png" alt="Forgejo" width="300" >}}

CLI

Important Note: Please refer to the Forgejo CLI Guide regarding the correct usage of the CLI.

To configure Forgejo to utilize Authelia as an OpenID Connect 1.0 Provider, use the following instructions:

  1. Run forgejo migrate.
  2. Run forgejo admin auth add-oauth --provider=openidConnect --name=authelia --key=forgejo --secret=insecure_secret --auto-discover-url=https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/.well-known/openid-configuration --scopes='openid email profile groups'

Automatic User Creation

To configure Forgejo to perform automatic user creation for the {{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}} domain via OpenID Connect 1.0:

  1. Edit the following values in the Forgejo app.ini:
ini
[openid]
ENABLE_OPENID_SIGNIN = false
ENABLE_OPENID_SIGNUP = true
WHITELISTED_URIS     = {{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}

[service]
DISABLE_REGISTRATION                          = false
ALLOW_ONLY_EXTERNAL_REGISTRATION              = true
SHOW_REGISTRATION_BUTTON                      = false

Optional Configuration

Authelia

To configure Forgejo to sync ssh public keys from Authelia you can define sshpubkey as a multi-valued Extra Attribute and combine the following configuration with the configuration.yml above.

yaml
identity_providers:
  oidc:
    claims_policies:
      forgejo:
        custom_claims:
          sshpubkey: {}
    scopes:
      forgejo:
        claims:
          - sshpubkey
    clients:
      - client_id: 'forgejo'
        claims_policy: 'forgejo'
        scopes:
          - 'forgejo'

Application

Forgejo configuration largely follows the instructions from Web GUI and CLI

Web GUI

Follow the instructions in Web GUI with the following additions

  1. Configure the following options:
    • Additional scopes: email profile groups forgejo
    • Public SSH key attribute: sshpubkey

{{< figure src="forgejo-sshpubkey.png" alt="Forgejo" width="300" >}}

CLI

Follow the instructions from CLI, and change the following command:

  1. Run forgejo admin auth add-oauth --auto-discover-url=https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/.well-known/openid-configuration --name=authelia --provider=openidConnect --key=forgejo --secret=insecure_secret --scopes='openid email profile groups forgejo' --attribute-ssh-public-key=sshpubkey

See Also