Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,472 questions
Azure app registration and Gitea OAuth2 - "issuer" property of .well-known/openid-configuration doesn't work for "common" or "organizations", but works for "consumers"
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 0%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Claire
1
Reputation point
My server setup: Gitea 1.11.6 running on Arch Linux. I'm using Microsoft's OAuth2 service as an authentication provider. If I use the common endpoint, Gitea throws a 500 error and logs the following:
routers/user/auth.go:601:handleOAuth2SignIn() [E] UserSignIn: oauth2: error validating JWT token: issuer in token does not match issuer in OpenIDConfig discovery
If I use the consumers endpoint, everything immediately works as expected, and Gitea allows me to create an account (or link an existing one) with my Microsoft account as the authentication provider.
I noticed in the actual openid-configuration response from Microsoft, the "common" and "organizations" endpoints both have "{tenant}" in the string value for "issuer", whereas "consumers" returns a GUID.
"issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",
"issuer": "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0",
It seems like maybe something's wrong with the "issuer" property in the common endpoint response. I'm not sure why else Gitea would be throwing a token issuer mismatch error.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee2020-06-26T22:35:26.673+00:00 Hello! Could you tell me which tutorial or document you are following for this?
I found an open issue related to Gitea not sending the client_id to the OIDC server but I'm not sure if this is related. https://github.com/go-gitea/gitea/issues/5925
-
Claire 1 Reputation point
2020-06-27T15:39:02.26+00:00 Howdy! I don't think that issue you linked is related - that has to do with Gitea not sending the right information to the OAuth2 endpoint.
This is the blog post I used for my config.
I also filed this issue with Azure for this, and it turns out it's a known problem and something that isn't fixable without major changes to the code base for Azure's OAuth2 implementation. Unfortunately, this means you can only use Gitea's OAuth2 implementation with either a specific AAD tenant, or the consumers endpoint, which is for Microsoft Account users and returns a unique tenant ID by the Azure auth endpoint.
I also filed this issue with Gitea, so hopefully they can release a patch that mitigates this.
Sign in to comment