Gitea user authentication with external users still needs local password

Hey folks, I recently switched to Authentik as IDP in front of our Gitea instances.

So I also configured Gitea to only accept external oauth2 accounts from Authentik which gets the users and groups from connected Active Directories.

I just noticed that the users still need to set a local Gitea password in their profile to access their repos.

Is there a way to avoid this?

btw - I already tested the config keys:

  • REQUIRE_EXTERNAL_REGISTRATION_PASSWORD: Expected a password prompt after the redirected oauth login, but the user still lands on his dashboard after registration.
  • ACCOUNT_LINKING=disabled → disables wrong account linking if the underlying user directory doesn't handle the email field as unique.

Used gitea config:

```yaml
environment:
  GITEA__actions__DEFAULT_ACTIONS_URL: "https://foobar.com"
  GITEA__actions__ENABLED: "true"
  GITEA__admin__DEFAULT_EMAIL_NOTIFICATIONS: "enabled"
  GITEA__admin__DISABLE_REGULAR_ORG_CREATION: "true"
  GITEA__database__DB_TYPE: "postgres"
  GITEA__database__HOST: "${DB_HOST}"
  GITEA__database__NAME: "${DB_NAME}"
  GITEA__database__PASSWD: "${DB_PASSWD}"
  GITEA__database__USER: "${DB_USER}"
  GITEA__default__APP_NAME: "My Gitea"
  GITEA__mailer__ENABLED: "true"
  GITEA__mailer__PROTOCOL: "smtp"
  GITEA__mailer__SMTP_ADDR: "mx.foobar.com"
  GITEA__mailer__SMTP_PORT: "25"
  GITEA__migrations__ALLOW_LOCALNETWORKS: "true"
  GITEA__oauth2_client__ACCOUNT_LINKING: "disabled"
  GITEA__openid__ENABLE_OPENID_SIGNIN: "true"
  GITEA__openid__ENABLE_OPENID_SIGNUP: "true"
  GITEA__openid__WHITELISTED_URIS: "auth.foobar.com"
  GITEA__server__DISABLE_SSH: "true"
  GITEA__server__ROOT_URL: "https://code.foobar.com"
  GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION: "true"
  GITEA__service__DISABLE_REGISTRATION: "false"
  GITEA__service__EMAIL_DOMAIN_ALLOWLIST: "foobar.com"
  GITEA__service__ENABLE_NOTIFY_MAIL: "true"
  GITEA__service__NO_REPLY_ADDRESS: "noreply@code.foobar.com"
  GITEA__service__REGISTER_EMAIL_CONFIRM: "true"
  GITEA__service__REGISTER_MANUAL_CONFIRM: "false"
  GITEA__service__REQUIRE_EXTERNAL_REGISTRATION_PASSWORD: "true"
  GITEA__service__REQUIRE_SIGNIN_VIEW: "true"
  GITEA__service__SHOW_REGISTRATION_BUTTON: "false"
  GITEA__webhook__ALLOWED_HOST_LIST: "*.foobar.com"
  USER_GID: "1000"
  USER_UID: "1000"
```

You need the option GITEA__oauth2_client__ENABLE_AUTO_REGISTRATION to make Gitea automatically create users. But it only works if the username doesn't exist locally yet; in that case it will ask for the password.

You can manually link those users by changing the authentication source in the admin interface and using their user UUID in Authentication Sign-In Name, at least that is the field that Keycloak uses.

1 Like
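As an added example (not from the thread and not Gitea's own code), a small Python check over the `GITEA__section__KEY` environment style used above, which Gitea maps to `[section] KEY` in app.ini: it parses the block and flags the missing `ENABLE_AUTO_REGISTRATION` the reply points at, plus the two linking-related settings the thread discusses. The function names, messages and sample block are the example's own.

```python
# Added example, not from the forum thread: lint docker-compose environment lines
# of the form GITEA__<section>__<KEY> (Gitea's app.ini [section] KEY mapping) for
# the combination discussed in the thread: registration limited to external
# (OAuth2) accounts without oauth2_client.ENABLE_AUTO_REGISTRATION.

def parse_gitea_env(text: str) -> dict:
    """Map (section, KEY) -> value for every 'GITEA__section__KEY: "value"' line."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("GITEA__") or ":" not in line:
            continue  # USER_UID and similar non-Gitea variables are ignored
        name, _, value = line.partition(":")
        section, _, key = name[len("GITEA__"):].partition("__")
        conf[(section.lower(), key.upper())] = value.strip().strip('"')
    return conf

def is_true(value: str) -> bool:
    return value.strip().lower() in ("1", "true", "yes", "on")

def lint_external_auth(conf: dict) -> list:
    """Return human-readable findings about external-only registration settings."""
    findings = []
    external_only = is_true(conf.get(("service", "ALLOW_ONLY_EXTERNAL_REGISTRATION"), ""))
    auto_reg = is_true(conf.get(("oauth2_client", "ENABLE_AUTO_REGISTRATION"), ""))
    if external_only and not auto_reg:
        findings.append("oauth2_client.ENABLE_AUTO_REGISTRATION is not enabled: OAuth2 users "
                        "are not created automatically and end up at a local password step")
    if is_true(conf.get(("service", "REQUIRE_EXTERNAL_REGISTRATION_PASSWORD"), "")):
        findings.append("service.REQUIRE_EXTERNAL_REGISTRATION_PASSWORD forces externally "
                        "registered accounts to set a local password")
    if conf.get(("oauth2_client", "ACCOUNT_LINKING"), "").lower() == "auto":
        findings.append("oauth2_client.ACCOUNT_LINKING=auto links accounts by e-mail; unsafe "
                        "when the upstream directory does not enforce unique e-mail addresses")
    return findings

# Constructed sample: the subset of the poster's environment block that matters here.
SAMPLE_ENV = """
  GITEA__oauth2_client__ACCOUNT_LINKING: "disabled"
  GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION: "true"
  GITEA__service__REQUIRE_EXTERNAL_REGISTRATION_PASSWORD: "true"
  USER_UID: "1000"
"""

if __name__ == "__main__":
    for finding in lint_external_auth(parse_gitea_env(SAMPLE_ENV)):
        print("-", finding)
```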