Gitea user authentication with external users still needs local password

Hey folks, I recently switched to Authentik as IDP in front of our Gitea instances.

So I also configured Gitea to only accept external OAuth2 accounts from Authentik, which gets the users and groups from connected Active Directories.

I just noticed that the users still need to set a local Gitea password in their profile to access their repos.

Is there a way to avoid this?

Btw, I already tested the config keys:

  • REQUIRE_EXTERNAL_REGISTRATION_PASSWORD: Expected password prompt after redirected oauth login but user still lands on his dashboard after registration.
  • ACCOUNT_LINKING=disabled → disables wrong account linking if underlying user directory doesn’t handle email field as unique.

Used gitea config:

environment:
  GITEA__actions__DEFAULT_ACTIONS_URL: "https://foobar.com"
  GITEA__actions__ENABLED: "true"
  GITEA__admin__DEFAULT_EMAIL_NOTIFICATIONS: "enabled"
  GITEA__admin__DISABLE_REGULAR_ORG_CREATION: "true"
  GITEA__database__DB_TYPE: "postgres"
  GITEA__database__HOST: "${DB_HOST}"
  GITEA__database__NAME: "${DB_NAME}"
  GITEA__database__PASSWD: "${DB_PASSWD}"
  GITEA__database__USER: "${DB_USER}"
  GITEA__default__APP_NAME: "My Gitea"
  GITEA__mailer__ENABLED: "true"
  GITEA__mailer__PROTOCOL: "smtp"
  GITEA__mailer__SMTP_ADDR: "mx.foobar.com"
  GITEA__mailer__SMTP_PORT: "25"
  GITEA__migrations__ALLOW_LOCALNETWORKS: "true"
  GITEA__oauth2_client__ACCOUNT_LINKING: "disabled"
  GITEA__openid__ENABLE_OPENID_SIGNIN: "true"
  GITEA__openid__ENABLE_OPENID_SIGNUP: "true"
  GITEA__openid__WHITELISTED_URIS: "auth.foobar.com"
  GITEA__server__DISABLE_SSH: "true"
  GITEA__server__ROOT_URL: "https://code.foobar.com"
  GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION: "true"
  GITEA__service__DISABLE_REGISTRATION: "false"
  GITEA__service__EMAIL_DOMAIN_ALLOWLIST: "foobar.com"
  GITEA__service__ENABLE_NOTIFY_MAIL: "true"
  GITEA__service__NO_REPLY_ADDRESS: "noreply@code.foobar.com"
  GITEA__service__REGISTER_EMAIL_CONFIRM: "true"
  GITEA__service__REGISTER_MANUAL_CONFIRM: "false"
  GITEA__service__REQUIRE_EXTERNAL_REGISTRATION_PASSWORD: "true"
  GITEA__service__REQUIRE_SIGNIN_VIEW: "true"
  GITEA__service__SHOW_REGISTRATION_BUTTON: "false"
  GITEA__webhook__ALLOWED_HOST_LIST: "*.foobar.com"
  USER_GID: "1000"
  USER_UID: "1000"