Gitea as an OpenID-2.0 provider

[strk]

Now that OpenID instances can be configured to accept an OpenID login, it could be nice if they ccould also serve as OpenID providers so to build what would become the authentication layer of a federation of code repositories. See also #184

[jhasse]

It isn't necessary, but it makes it easier as you don't have to create a traditional account on every Gitea instance where you want to open a pull request (and you don't have or don't want to use a different OpenID provider).

[MaxG87]

Albeit this thread is quiet for some time I want to add some points for the sake of the argument.

If you can setup your own gitea-instance you can setup your own OpenID provider.

And instantly you have to maintain two systems instead of one. Because a project decided not to contribute to infrastructure it partly relies on. And maintaining more systems in a self-hosting setting means much more opportunity to miss important updates.

Furthermore, at least for me, the condition of free, decentralised OpenID infrastructure seems to be quite bad. You can reuse the logins of your accounts at the usual tech giants, but only because someone hardcoded the support for them. I hardly know a service where you can use OpenID tokens from the provider of your choice. I also don't know providers of such tokens that could be used freely. All I know off is the possibility to integrate third-party-logins in your website for preselected third parties.

Long story short: OpenID needs more providers, otherwise Giteas OpenID feature cannot be used in a decentralised way. Gitea should be such a provider to reduce required mainenance efforts in self-hosting settings.

I really don't get why Gitea has to be a provider for everything

It is only about OpenID, isn't it? For me, this seems to be much less than everything.

[lunny]

Since Gitea now could be as OAuth2 provider, that's not too difficult.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

[strk]

I still think this is an important feature. Since Gitea does support OpenID-2.0, by acting as a provider would allow accessing all enabled Gitea instances via identity provided by your own. A big step toward federation.

[zeripath]

If you put links to the specs in this issue anyone that's interested in building this functionality will have an easier time doing it.

[6543]

gitea now can act as openID provider - so close this issue?

[lunny]

Which PR resolved this?

[6543]

https://docs.gitea.io/en-us/oauth2-provider/?

[jolheiser]

https://docs.gitea.io/en-us/oauth2-provider/?

OpenID is not OAuth2

For example, OAuth2 allows another service to access the Gitea API on your behalf, whereas OpenID would allow another service to treat your Gitea account as a valid account on their platform.
Apologies if that's not 100% correct, but it's my understanding of it on a high-level.

EDIT: This StackOverflow question answers it better than I did.

[philpraxis]

That would be great if Gitea can become OpenID Connect provider !
I don't know if I can ask, but let's go: Can someone familiar with the code explain the level of complexity (or days / weeks / months dev time) that such feature would need?

[strk]

I think we want discovery for this ticket to be closed. Without discovery a Gitea instance could not be used as an identity provider for other Gitea instances. This ticket was about OpenID-2.0 for this reason (decentralization of identities)

[strk]

Why was this closed ? There's no discovery implemented.

[6543]

@strk I think so: https://try.gitea.io/.well-known/openid-configuration

[strk]

But that's for oath, not OpenID-2.0, right ?

[6543]

hmm I thought it is for OpenID, to auto-discover things ...

[cweiske]

That is OpenID connect. OpenID 2 is something completely different :(