website/integrations: update/extend Gitea integration (#3946)
* website/docs: update/extend gitea integration
* website/docs: update/extend gitea integration / run prettier
* website/integrations: update/extend Gitea integration / switched to database based filtering

Co-authored-by: NWHirschfeld <git@nwhirschfeld.de>
parent
bdd8b59ab9
commit
53f3764879
@ -13,7 +13,7 @@ Gitea is a community managed lightweight code hosting solution written in Go. It
|
||||||
:::
|
:::
|
||||||
|
|
||||||
:::note
|
:::note
|
||||||
This is based on authentik 2021.10.3 and Gitea 1.16.0+rc1 installed using https://docs.gitea.io/en-us/install-from-binary/. Instructions may differ between versions.
|
This is based on authentik 2022.10.1 and Gitea 1.17.3 installed using the official docker image [https://docs.gitea.io/en-us/install-with-docker/](https://docs.gitea.io/en-us/install-with-docker/). Instructions may differ between versions.
|
||||||
:::
|
:::
|
||||||
|
|
||||||
## Preparation
|
## Preparation
|
||||||
|
@ -25,7 +25,7 @@ The following placeholders will be used:
|
||||||
|
|
||||||
### Step 1
|
### Step 1
|
||||||
|
|
||||||
In authentik, create an _OAuth2/OpenID Provider_ (under _Resources/Providers_) with these settings:
|
In authentik, create an _OAuth2/OpenID Provider_ (under _Applications/Providers_) with these settings:
|
||||||
|
|
||||||
:::note
|
:::note
|
||||||
Only settings that have been modified from default have been listed.
|
Only settings that have been modified from default have been listed.
|
||||||
|
@ -42,7 +42,7 @@ Take note of the `Client ID` and `Client Secret`, you'll need to give them to Gi
|
||||||
|
|
||||||
### Step 2
|
### Step 2
|
||||||
|
|
||||||
In authentik, create an application (under _Resources/Applications_) which uses this provider. Optionally apply access restrictions to the application using policy bindings.
|
In authentik, create an application (under _Applications/Applications_) which uses this provider. Optionally apply access restrictions to the application using policy bindings.
|
||||||
|
|
||||||
:::note
|
:::note
|
||||||
Only settings that have been modified from default have been listed.
|
Only settings that have been modified from default have been listed.
|
||||||
|
@ -62,7 +62,7 @@ Change the following fields
|
||||||
- OAuth2 Provider: OpenID Connect
|
- OAuth2 Provider: OpenID Connect
|
||||||
- Client ID (Key): Step 1
|
- Client ID (Key): Step 1
|
||||||
- Client Secret: Step 1
|
- Client Secret: Step 1
|
||||||
- Icon URL: https://goauthentik.io/img/icon.png
|
- Icon URL: https://authentik.company/static/dist/assets/icons/icon.svg
|
||||||
- OpenID Connect Auto Discovery URL: https://authentik.company/application/o/gitea-slug/.well-known/openid-configuration
|
- OpenID Connect Auto Discovery URL: https://authentik.company/application/o/gitea-slug/.well-known/openid-configuration
|
||||||
- Additional Scopes: `email profile`
|
- Additional Scopes: `email profile`
|
||||||
|
|
||||||
|
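Review bot: the new Icon URL on the `+` line uses the `authentik.company` placeholder, so, exactly like the Auto Discovery URL in the next list item, the reader has to substitute the real authentik host; because the old value pointed at a public image on goauthentik.io, the text should say explicitly that the logo shown next to `Sign in With` on the Gitea login page is now served by the self-hosted instance, which therefore has to be reachable from the browser of anyone viewing that page, and that `/static/dist/assets/icons/icon.svg` is a path inside the deployed authentik version, so it is worth opening the URL in a browser once after the change.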
@ -70,6 +70,85 @@ Change the following fields
|
||||||
|
|
||||||
`Add Authentication Source` and you should be done. Your Gitea login page should now have a `Sign in With` followed by the authentik logo which you can click on to sign-in to Gitea with Authentik creds.
|
`Add Authentication Source` and you should be done. Your Gitea login page should now have a `Sign in With` followed by the authentik logo which you can click on to sign-in to Gitea with Authentik creds.
|
||||||
|
|
||||||
|
### Step 4 _(optional Claims for authorization management)_
|
||||||
|
|
||||||
|
:::note
|
||||||
|
This step is **optional** and shows how to set claims to control the permissions of users in gitea by adding them to groups.
|
||||||
|
:::
|
||||||
|
|
||||||
|
#### Define Groups
|
||||||
|
|
||||||
|
The following groups will be used:
|
||||||
|
|
||||||
|
- `gituser` for normal Gitea users.
|
||||||
|
- `gitadmin` for Gitea users with administrative permissions.
|
||||||
|
- `gitrestricted` for restricted Gitea users.
|
||||||
|
|
||||||
|
:::note
|
||||||
|
Users who are in none of these groups will not be able to log in to gitea.
|
||||||
|
:::
|
||||||
|
|
||||||
|
In authentik, create three groups (under _Directory/Groups_) with the _Name_ as mentioned above and leave other settings untouched.
|
||||||
|
|
||||||
|
:::note
|
||||||
|
You can add Members to the groups now or anytime later.
|
||||||
|
:::
|
||||||
|
|
||||||
|
#### Create Custom Property Mapping
|
||||||
|
|
||||||
|
In authentik, create a custom property mapping (under _Customization/Property Mappings_) which has the type **Scope Mapping**.
|
||||||
|
|
||||||
|
:::note
|
||||||
|
Only settings that have been modified from default have been listed.
|
||||||
|
:::
|
||||||
|
|
||||||
|
- Name: authentik gitea OAuth Mapping: OpenID 'gitea'
|
||||||
|
- Scope name: gitea
|
||||||
|
|
||||||
|
And as **Expression** set the following:
|
||||||
|
|
||||||
|
```(python)
|
||||||
|
gitea_claims = {}
|
||||||
|
if request.user.ak_groups.filter(name="gituser").exists():
|
||||||
|
gitea_claims["gitea"]= "user"
|
||||||
|
if request.user.ak_groups.filter(name="gitadmin").exists():
|
||||||
|
gitea_claims["gitea"]= "admin"
|
||||||
|
if request.user.ak_groups.filter(name="gitrestricted").exists():
|
||||||
|
gitea_claims["gitea"]= "restricted"
|
||||||
|
|
||||||
|
return gitea_claims
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Add the custom Property Mapping to the Gitea Provider
|
||||||
|
|
||||||
|
In authentik, edit the **Gitea** provider (under _Applications/Providers_) by clicking the pencil Icon.
|
||||||
|
|
||||||
|
Unfold the _Advanced protocol settings_ and activate these Mappings:
|
||||||
|
|
||||||
|
- authentik default OAuth Mapping: OpenID 'email'
|
||||||
|
- authentik default OAuth Mapping: OpenID 'profile'
|
||||||
|
- authentik default OAuth Mapping: OpenID 'openid'
|
||||||
|
- authentik gitea OAuth Mapping: OpenID 'gitea'
|
||||||
|
|
||||||
|
Click `Update` and the configuration authentik is done.
|
||||||
|
|
||||||
|
#### Configure Gitea to use the new claims
|
||||||
|
|
||||||
|
Navigate to the _Authentication Sources_ page at https://gitea.company/admin/auths and edit the **authentik** Authentication Source.
|
||||||
|
|
||||||
|
Change the following fields
|
||||||
|
|
||||||
|
- Additional Scopes: `email profile gitea`
|
||||||
|
- Required Claim Name: `gitea`
|
||||||
|
- Claim name providing group names for this source. (Optional): `gitea`
|
||||||
|
- Group Claim value for administrator users. (Optional - requires claim name above): `admin`
|
||||||
|
- Group Claim value for restricted users. (Optional - requires claim name above): `restricted`
|
||||||
|
|
||||||
|
`Update Authentication Source` and you should be done.
|
||||||
|
|
||||||
|
Users without any of the defined groups should no longer be able to log in.
|
||||||
|
Users of the group **gitadmin** should have administrative privileges, and users in the group **gitrestricted** should be restricted.
|
||||||
|
|
||||||
## Helm Chart Configuration
|
## Helm Chart Configuration
|
||||||
|
|
||||||
authentik can be configured automatically in Gitea Kubernetes deployments via it's [Helm Chart](https://gitea.com/gitea/helm-chart/).
|
authentik can be configured automatically in Gitea Kubernetes deployments via it's [Helm Chart](https://gitea.com/gitea/helm-chart/).
|
||||||
|
|
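Review bot: in the Expression block of the new scope mapping, the three `if` statements all write the same key `gitea_claims["gitea"]`, so a user who belongs to more than one of the groups receives whichever assignment runs last (`gitrestricted` overrides `gitadmin`, which overrides `gituser`); this last-match precedence should be stated next to the code, because it is what decides that a user in both `gitadmin` and `gitrestricted` ends up restricted rather than an administrator in Gitea. The assignment lines also appear flush-left in this rendering; each `gitea_claims["gitea"] = "..."` must be indented under its `if`, and the fence info string should be `python` rather than `(python)` so the block is highlighted as code. Minor wording: "Click `Update` and the configuration authentik is done." reads better as "Click `Update` and the authentik configuration is done.", and "gitea" in the step note should be capitalised as "Gitea" to match the rest of the document.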