Adding group claim name for admin and required does not show in gui

[netcicd]

Gitea Version

1.16.0-rc1

Git Version

No response

Operating System

docker: gitea/gitea:1.16.0-rc1

How are you running Gitea?

docker container as part of https://github.com/Devoteam/CICD-toolbox

Database

PostgreSQL

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Description

when running
gitea admin auth update-oauth --id 1 --required-claim-name gitea-admin --admin-group gitea-admin
in the container, this does not show in the gui. Adding these fields in the gui gives 200 in the log, but no entry in the gui

Screenshots

secret in picture is randomly generated

[netcicd]

When set in the GUI, Additional scopes and Group claim name for administrators show up in the database. Required shows up when entered on CLI, not in GUI
When updating entry in GUI, I get a http 500 error, even when nothing changed.

Before update:

{"Provider":"openidConnect","ClientID":"Gitea","ClientSecret":"1057f9ac-3acd-456a-8c06-61180ad9d8a0","OpenIDConnectAutoDiscoveryURL":"http://keycloak.tooling.test:8080/auth/realms/netcicd/.well-known/openid-configuration","CustomURLMapping":{},"IconURL":"","Scopes":[],"RequiredClaimName":"gitea-admin","RequiredClaimValue":"","GroupClaimName":"gitea-group","AdminGroup":"gitea-admin","RestrictedGroup":""}

After update:

{"Provider":"openidConnect","ClientID":"Gitea","ClientSecret":"1057f9ac-3acd-456a-8c06-61180ad9d8a0","OpenIDConnectAutoDiscoveryURL":"http://keycloak.tooling.test:8080/auth/realms/netcicd/.well-known/openid-configuration","CustomURLMapping":{},"IconURL":"","Scopes":[""],"RequiredClaimName":"","RequiredClaimValue":"gitea-admin","GroupClaimName":"","AdminGroup":"","RestrictedGroup":""}

restoring the data makes no difference...

When updated through CLI with gitea admin auth update-oauth --id 1 --required-claim-name gitea-admin --admin-group gitea-admin, it works when I provide the gitea-admin claim but the user is not admin.

When the group-claim-name is updated through the CLI
gitea admin auth update-oauth --id 1 --group-claim-name gitea-group

and a corresponding claim is made in Keycloak:

This is the associated jwt
{
"exp": 1643059571,
"iat": 1643059271,
"auth_time": 1643059248,
"jti": "4ccd708c-efeb-43ed-bfcb-55cf04f3f1c7",
"iss": "http://keycloak.tooling.test:8080/auth/realms/netcicd",
"sub": "060bbc59-b1a2-4bf9-b1cc-ca2bd2541830",
"typ": "Bearer",
"azp": "Gitea",
"session_state": "6943341b-488b-4880-8e7e-148d21035364",
"acr": "0",
"allowed-origins": [
"http://gitea.tooling.test:3000/"
],
"resource_access": {
"Gitea": {
"roles": [
"gitea-admin"
]
}
},
"scope": "openid profile email",
"sid": "6943341b-488b-4880-8e7e-148d21035364",
"email_verified": false,
"gitea-group": [
"gitea-admin"
],
"name": "NetCICD Godmode Godmode",
"gitea-admin": [
"gitea-admin"
],
"preferred_username": "netcicd",
"given_name": "NetCICD Godmode",
"family_name": "Godmode",
"email": "[email protected]"
}

And for an ordinary user:
{
"exp": 1643059860,
"iat": 1643059560,
"auth_time": 1643059560,
"jti": "9797e414-4a90-4068-b508-dd660f6d8413",
"iss": "http://keycloak.tooling.test:8080/auth/realms/netcicd",
"sub": "599b0c23-56f1-427d-a4d1-fe6a601d72cc",
"typ": "Bearer",
"azp": "Gitea",
"session_state": "cd5cd945-422d-46b3-bd3c-1fa8311ae52a",
"acr": "1",
"allowed-origins": [
"http://gitea.tooling.test:3000/"
],
"resource_access": {
"Gitea": {
"roles": [
"gitea-netcicd-read"
]
}
},
"scope": "openid profile email",
"sid": "cd5cd945-422d-46b3-bd3c-1fa8311ae52a",
"email_verified": false,
"gitea-group": [
"gitea-netcicd-read"
],
"name": "Net Dude Dude",
"gitea-admin": [
"gitea-netcicd-read"
],
"preferred_username": "netdude",
"given_name": "Net Dude",
"family_name": "Dude",
"email": "[email protected]"
}

and as shown, the ordinary user is in the group gitea-netcicd-read, this group has read access:

but cannot see the repo:

It would be much more convenient if the implementation would just read the default resource_access claim for the Client_ID where the roles are the group names...

[zeripath]

The rendering in your screenshots appears to be a little odd.

Do you have old custom templates?

[netcicd]

Hi Zeripath,
No custom templates, just the container I downloaded from docker hub. I selected the relevant portions of the screens.
What I'll do is purge my docker images and rebuild.
Nothing changed after rebuild in the images...

[zeripath]

OK the edit page template looks to have suffered a conflict merge at some point and it got broke.

diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl
index a9942354c..efa440ff3 100644
--- a/templates/admin/auth/edit.tmpl
+++ b/templates/admin/auth/edit.tmpl
@@ -286,6 +286,10 @@
 							<input id="skip_local_two_fa" name="skip_local_two_fa" type="checkbox" {{if $cfg.SkipLocalTwoFA}}checked{{end}}>
 							<p class="help">{{.i18n.Tr "admin.auths.skip_local_two_fa_helper"}}</p>
 						</div>
+					</div>
+					<div class="oauth2_use_custom_url inline field">
+						<div class="ui checkbox">
+							<label><strong>{{.i18n.Tr "admin.auths.oauth2_use_custom_url"}}</strong></label>
 							<input id="oauth2_use_custom_url" name="oauth2_use_custom_url" type="checkbox" {{if $cfg.CustomURLMapping}}checked{{end}}>
 						</div>
 					</div>

would fix the template.