-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Gitea Oauth #2622
Add Gitea Oauth #2622
Conversation
With fallback to basic auth if Gitea server does not support oauth
awesome! one question: how does gitea handle the scenario where two separate go routines try to refresh the access token at the same time? this is something that caused issues in early gitlab oauth implementations, so just want to understand a bit more :) |
Tests fail because the above linked PR isn't merged |
I just merged :) |
Thanks @bradrydzewski 😄 |
@jonasfranz could you answer @bradrydzewski's question above? |
@bradrydzewski |
also update the case config.Github.ClientID != "":
return provideGithubClient(config)
- case config.Gitea.Server != "":
+ case config.Gitea.ClientID != "":
return provideGiteaClient(config)
case config.GitLab.ClientID != "":
return provideGitlabClient(config) |
@appleboy I kept |
@techknowlogick Good catch. Thanks for the PR. LGTM. |
Refresh tokens are implemented. You can only use an access token or refresh token once to redeem a new token. |
For context, GitLab had a similar restriction a few years ago that they since removed. Here are some issues that we ran into as a result #855 There are some other documented issues described in these threads: It is very exciting to see oauth support land in Gitea (congrats!) and I look forward to taking advantage of this in Drone. However, we need to solve for these issues before we can merge this pull request, otherwise the current refresh token restrictions will break Drone. |
Great to see that this gets finally integrated |
cmd/drone-server/config/config.go
Outdated
Server string `envconfig:"DRONE_GITEA_SERVER"` | ||
SkipVerify bool `envconfig:"DRONE_GITEA_SKIP_VERIFY"` | ||
Debug bool `envconfig:"DRONE_GITEA_DEBUG"` | ||
Server string `envconfig:"DRONE_GITEA_SERVER" default:"https://try.gitea.io"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this default needs to be removed. An zero value server string is the only way we know if gitea is configured or not.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch. Thanks :)
I've updated.
@techknowlogick conflicts. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
to merge this pull request, we need to address refresh token issues raised in my earlier comment #2622 (comment)
@bradrydzewski do you propose to remove refresh token invalidation after a new token is signed? |
@jonasfranz yes, I think invalidating existing refresh tokens after a new refresh token is generated causes more problems than it solves (see the doorkeeper issues I referenced above). Google and Bitbucket, for example, only invalidate refresh tokens if the user revokes access to the application. Or you could make refresh tokens optional (neither GitLab or GitHub use refresh tokens, although there are security benefits that need to be weighed). |
@techknowlogick |
@bradrydzewski With my latest PR, Gitea will not invalidate refresh tokens by default. But there is an option to enable token invalidation. |
@jonasfranz awesome, can you link to the pull request here. Once it is merged, we can merge this pull request. Also I will need to document the minimum version of Gitea that will be required -- can you let me know which version this will be? Thanks!! |
@bradrydzewski The PR is already merged: go-gitea/gitea#6584 It will be in version 1.8.0 (or 1.8.0-rc3 if we have a rc3). |
@lunny conflict resolved. |
@bradrydzewski Already merged in Gitea. |
excellent. one last request -- can we get an entry for this in the changelog? thanks! |
@bradrydzewski I think yes. This could be in release notes of v1.8. |
what I mean is that we need an entry for this change in Drone's changelog file (in the unreleased section) https://github.com/drone/drone/blob/master/CHANGELOG.md |
@bradrydzewski added |
This works with gitea master? Or also with some stable release? |
@tboerger it works with 1.8.0 which was just released yesterday, but Drone can still work with older versions of gitea using basic auth. |
I've been using it successfully with docker images gitea:v1.8.0-rc3 (and 1.8.0 now that it's released) and drone/drone@sha256:7acfbba60ac6c35537b099ce612aac0af3cdbfa2e48d0ee96730cd4c904b89fa (the sha of the image right after this PR got merged). But there seems to be a little problem with refreshing the gitea token. After a while, I'm no longer to e.g. enable a gitea repo for drone. I'm still logged in and can modify settings within drone. Once I log out and back in, everything is fine. Should I open a separate issue to track the problem? |
@oliver006 between rc3 and final gitea released a patch that should fix the issue you described above. Please feel free to open an issue in gitea tracker if this comes up again. |
Thanks for the quick response @techknowlogick . I tried with Gitea 1.8.0 and the drone/drone image I mentioned above but it's still not working. I get: I checked in the DB, the I'll open an issue in the Gitea project. [edit] |
I think the issue is that if Gitea uses a refresh token, a refresher needs to be configured. See https://github.com/drone/drone/blob/master/cmd/drone-server/inject_login.go#L166 |
This features needs some documentation, or am I missing something on the docs? 😄 |
here are my quick notes for installing:
DRONE_GITEA_CLIENT_ID=XXX
DRONE_GITEA_CLIENT_SECRET=XXX be sure to use latest Probably not enough for a PR to docs but better than no documentation. |
With fallback to basic auth if Gitea server does not support oauth
Linked to drone/go-login#3