forgejo/templates/user/auth
Johnny Oskarsson a07e67d9cc
Minimal OpenID Connect implementation (#14139)
This is "minimal" in the sense that only the Authorization Code Flow
from OpenID Connect Core is implemented.  No discovery, no configuration
endpoint, and no user scope management.

OpenID Connect is an extension to the (already implemented) OAuth 2.0
protocol, and essentially an `id_token` JWT is added to the access token
endpoint response when using the Authorization Code Flow.  I also added
support for the "nonce" field since it is required to be used in the
id_token if the client decides to include it in its initial request.

In order to enable this extension an OAuth 2.0 scope containing
"openid" is needed. Other OAuth 2.0 requests should not be impacted by
this change.

This minimal implementation is enough to enable single sign-on (SSO)
for other sites, e.g. by using something like `mod_auth_openidc` to
only allow access to a CI server if a user has logged into Gitea.

Fixes: #1310

Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: zeripath <art27@cantab.net>
2021-01-02 00:33:27 +08:00
..
activate.tmpl
change_passwd.tmpl
change_passwd_inner.tmpl
finalize_openid.tmpl
forgot_passwd.tmpl
grant.tmpl Minimal OpenID Connect implementation (#14139) 2021-01-02 00:33:27 +08:00
grant_error.tmpl
link_account.tmpl
prohibit_login.tmpl
reset_passwd.tmpl
signin.tmpl
signin_inner.tmpl
signin_navbar.tmpl
signin_openid.tmpl
signup.tmpl
signup_inner.tmpl
signup_openid_connect.tmpl
signup_openid_navbar.tmpl
signup_openid_register.tmpl
twofa.tmpl
twofa_scratch.tmpl
u2f.tmpl
u2f_error.tmpl