From 53f37648797b77f344e46477f9a83837f3913a5d Mon Sep 17 00:00:00 2001 From: NWHirschfeld Date: Tue, 13 Dec 2022 12:02:49 +0100 Subject: [PATCH] website/integrations: update/extend Gitea integration (#3946) * website/docs: update/extend gitea integration * website/docs: update/extend gitea integration / run prettier * website/integrations: update/extend Gitea integration / switched to database based filtering Co-authored-by: NWHirschfeld --- website/integrations/services/gitea/index.md | 87 +++++++++++++++++++- 1 file changed, 83 insertions(+), 4 deletions(-) diff --git a/website/integrations/services/gitea/index.md b/website/integrations/services/gitea/index.md index 77166e75f..400c0222d 100644 --- a/website/integrations/services/gitea/index.md +++ b/website/integrations/services/gitea/index.md @@ -13,7 +13,7 @@ Gitea is a community managed lightweight code hosting solution written in Go. It ::: :::note -This is based on authentik 2021.10.3 and Gitea 1.16.0+rc1 installed using https://docs.gitea.io/en-us/install-from-binary/. Instructions may differ between versions. +This is based on authentik 2022.10.1 and Gitea 1.17.3 installed using the official docker image [https://docs.gitea.io/en-us/install-with-docker/](https://docs.gitea.io/en-us/install-with-docker/). Instructions may differ between versions. ::: ## Preparation @@ -25,7 +25,7 @@ The following placeholders will be used: ### Step 1 -In authentik, create an _OAuth2/OpenID Provider_ (under _Resources/Providers_) with these settings: +In authentik, create an _OAuth2/OpenID Provider_ (under _Applications/Providers_) with these settings: :::note Only settings that have been modified from default have been listed. 
@@ -42,7 +42,7 @@ Take note of the `Client ID` and `Client Secret`, you'll need to give them to Gi ### Step 2 -In authentik, create an application (under _Resources/Applications_) which uses this provider. Optionally apply access restrictions to the application using policy bindings. +In authentik, create an application (under _Applications/Applications_) which uses this provider. Optionally apply access restrictions to the application using policy bindings. :::note Only settings that have been modified from default have been listed. @@ -62,7 +62,7 @@ Change the following fields - OAuth2 Provider: OpenID Connect - Client ID (Key): Step 1 - Client Secret: Step 1 -- Icon URL: https://goauthentik.io/img/icon.png +- Icon URL: https://authentik.company/static/dist/assets/icons/icon.svg - OpenID Connect Auto Discovery URL: https://authentik.company/application/o/gitea-slug/.well-known/openid-configuration - Additional Scopes: `email profile` 
@@ -70,6 +70,85 @@ Change the following fields `Add Authentication Source` and you should be done. Your Gitea login page should now have a `Sign in With` followed by the authentik logo which you can click on to sign-in to Gitea with Authentik creds. +### Step 4 _(optional Claims for authorization management)_ + +:::note +This step is **optional** and shows how to set claims to control the permissions of users in gitea by adding them to groups. +::: + +#### Define Groups + +The following groups will be used: + +- `gituser` for normal Gitea users. +- `gitadmin` for Gitea users with administrative permissions. +- `gitrestricted` for restricted Gitea users. + +:::note +Users who are in none of these groups will not be able to log in to gitea. +::: + +In authentik, create three groups (under _Directory/Groups_) with the _Name_ as mentioned above and leave other settings untouched. + +:::note +You can add Members to the groups now or anytime later. +::: + +#### Create Custom Property Mapping + +In authentik, create a custom property mapping (under _Customization/Property Mappings_) which has the type **Scope Mapping**. + +:::note +Only settings that have been modified from default have been listed. +::: + +- Name: authentik gitea OAuth Mapping: OpenID 'gitea' +- Scope name: gitea + +And as **Expression** set the following: + +```(python) +gitea_claims = {} +if request.user.ak_groups.filter(name="gituser").exists(): + gitea_claims["gitea"]= "user" +if request.user.ak_groups.filter(name="gitadmin").exists(): + gitea_claims["gitea"]= "admin" +if request.user.ak_groups.filter(name="gitrestricted").exists(): + gitea_claims["gitea"]= "restricted" + +return gitea_claims +``` + +#### Add the custom Property Mapping to the Gitea Provider + +In authentik, edit the **Gitea** provider (under _Applications/Providers_) by clicking the pencil Icon. 
+ +Unfold the _Advanced protocol settings_ and activate these Mappings: + +- authentik default OAuth Mapping: OpenID 'email' +- authentik default OAuth Mapping: OpenID 'profile' +- authentik default OAuth Mapping: OpenID 'openid' +- authentik gitea OAuth Mapping: OpenID 'gitea' + +Click `Update` and the configuration authentik is done. + +#### Configure Gitea to use the new claims + +Navigate to the _Authentication Sources_ page at https://gitea.company/admin/auths and edit the **authentik** Authentication Source. + +Change the following fields + +- Additional Scopes: `email profile gitea` +- Required Claim Name: `gitea` +- Claim name providing group names for this source. (Optional): `gitea` +- Group Claim value for administrator users. (Optional - requires claim name above): `admin` +- Group Claim value for restricted users. (Optional - requires claim name above): `restricted` + +`Update Authentication Source` and you should be done. + +Users without any of the defined groups should no longer be able to log in. +Users of the group **gitadmin** should have administrative privileges, and users in the group **gitrestricted** should be restricted. + ## Helm Chart Configuration authentik can be configured automatically in Gitea Kubernetes deployments via it's [Helm Chart](https://gitea.com/gitea/helm-chart/).
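Review bot: In the `@@ -13,7 +13,7 @@` hunk the new link repeats the URL as its own text (`[https://docs.gitea.io/en-us/install-with-docker/](https://docs.gitea.io/en-us/install-with-docker/)`); a bare URL or a short descriptive link text such as "the official Docker image" reads cleaner and is what the rest of the page does for plain URLs.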
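Review bot: In the `@@ -62,7 +62,7 @@` hunk the Icon URL now points at the self-hosted instance (`https://authentik.company/static/dist/assets/icons/icon.svg`) instead of goauthentik.io, which removes a dependency on an external host; please confirm that this static asset path is served by authentik 2022.10.1, since the login page will show a broken image if it is not, and consider stating that the Gitea users' browsers must be able to reach `authentik.company` for the icon to load.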
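Review bot: In the `@@ -70,6 +70,85 @@` hunk the expression does not document what happens when a user is a member of more than one group: the `if` blocks run in sequence and each one overwrites `gitea_claims["gitea"]`, so `gitrestricted` wins over `gitadmin`, which wins over `gituser`. That is the safe direction (restricted beats admin), but it should be stated next to the code, and the fact that users in none of the groups are rejected only because Gitea's `Required Claim Name: gitea` sees no claim at all is worth spelling out in the note that says they "will not be able to log in". Two smaller points: the fence is tagged `(python)` rather than `python`, so it will not be syntax-highlighted, and the assignments are written `gitea_claims["gitea"]= "user"` (missing space before `=`); also "the configuration authentik is done" should read "the authentik configuration is done".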