
Description
Our Gitea instance connects to an external identity provider for unified identity management. I was adding a custom scope and a claim field to OIDC to let accounts in a certain OIDC group have the Gitea instance administrator privilege. In the "Edit Authentication Source" page I filled in:
- "Additional Scopes"
- "Required Claim Name"
- "Required Claim Value"
- "Claim name providing group names for this source"
- "Group Claim value for administrator users"
- "Group Claim value for restricted users"
However, I noticed that the OAuth URL generated by Gitea did not include the custom scope. Without it, Gitea prohibited the login, because the custom claim field was absent, which in turn was because the custom scope was absent, no matter how I modified "Additional Scopes". After hours of troubleshooting, I finally found that "OPENID_CONNECT_SCOPES" (https://github.com/go-gitea/gitea/blob/main/services/auth/source/oauth2/providers_openid.go#L37) overrides the "Additional Scopes" (https://github.com/go-gitea/gitea/blob/main/routers/web/admin/auths.go#L184) set in "Edit Authentication Source", making it useless until I removed the config item.
No error log.
A similar issue I looked at: #31612
Gitea Version
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
No response
Screenshots
Git Version
No response
Operating System
No response
How are you running Gitea?
Docker compose
Database
PostgreSQL
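The following Go program is an added illustration of the failure mode described in this report; it is not Gitea's code and does not reproduce the logic in providers_openid.go or auths.go. It models two ways an OIDC source can combine a global scope setting (standing in for OPENID_CONNECT_SCOPES) with the per-source "Additional Scopes": replacing the list outright, as the report describes, versus merging. A constructed identity provider (`issueClaims`) only releases a `groups` claim when the `groups` scope is requested, and a constructed `authorize` check stands in for "Required Claim Name" / "Required Claim Value". The default scope list, the claim contents and the group name are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Added illustration, not Gitea's code. All names, defaults and token claims
// below are constructed for the example.

// defaultScopes stands in for the provider's built-in defaults (assumption).
var defaultScopes = []string{"openid", "profile", "email"}

// mergeScopes appends extra scopes to base and removes duplicates and blanks.
func mergeScopes(base, extra []string) []string {
	seen := map[string]bool{}
	out := []string{}
	for _, s := range append(append([]string{}, base...), extra...) {
		s = strings.TrimSpace(s)
		if s == "" || seen[s] {
			continue
		}
		seen[s] = true
		out = append(out, s)
	}
	return out
}

// buildScopesOverride models the behaviour reported in the issue: a non-empty
// global setting replaces the whole list, so scopes that appear only in
// "Additional Scopes" are silently dropped.
func buildScopesOverride(globalScopes string, additional []string) []string {
	if strings.TrimSpace(globalScopes) != "" {
		return mergeScopes(strings.Fields(globalScopes), nil)
	}
	return mergeScopes(defaultScopes, additional)
}

// buildScopesMerged is the behaviour an administrator would expect: the global
// setting (or the defaults) plus the per-source additions.
func buildScopesMerged(globalScopes string, additional []string) []string {
	base := defaultScopes
	if strings.TrimSpace(globalScopes) != "" {
		base = strings.Fields(globalScopes)
	}
	return mergeScopes(base, additional)
}

func hasScope(scopes []string, want string) bool {
	for _, s := range scopes {
		if s == want {
			return true
		}
	}
	return false
}

// issueClaims is a constructed stand-in for the identity provider: it only
// releases the "groups" claim when the "groups" scope was requested.
func issueClaims(scopes []string) map[string]any {
	claims := map[string]any{"sub": "alice", "email": "alice@example.com"}
	if hasScope(scopes, "groups") {
		claims["groups"] = []string{"developers", "gitea-admins"}
	}
	return claims
}

// authorize models the "Required Claim Name" / "Required Claim Value" check:
// the claim must be present and carry the expected value, either as a string
// or as one element of a list. A missing claim fails closed, which is the
// "login prohibited" outcome from the issue.
func authorize(claims map[string]any, claimName, claimValue string) bool {
	v, ok := claims[claimName]
	if !ok {
		return false
	}
	switch c := v.(type) {
	case string:
		return c == claimValue
	case []string:
		for _, g := range c {
			if g == claimValue {
				return true
			}
		}
	}
	return false
}

func main() {
	global := "openid profile email" // global setting, e.g. OPENID_CONNECT_SCOPES
	additional := []string{"groups"}  // per-source "Additional Scopes"
	for name, build := range map[string]func(string, []string) []string{
		"override": buildScopesOverride, "merged": buildScopesMerged,
	} {
		scopes := build(global, additional)
		ok := authorize(issueClaims(scopes), "groups", "gitea-admins")
		fmt.Printf("%-8s scopes=%v login allowed=%v\n", name, scopes, ok)
	}
}
```

The point the model makes explicit is that the override path produces no error: the scope is quietly dropped, the provider never returns the group claim, and the required-claim check denies the login with nothing in the log, exactly the symptom reported. Clearing the global setting, or merging the two lists, restores the scope and the claim.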