Hijacking the gitea login page for SSO


I have successfully deployed gitea on a debian buster server, using Apache as a reverse proxy to enable login via our SSO provider (shibboleth).

Initially I set it up to simply force SSO login on the entire site, which worked just fine, but I realized that this made HTTPS checkout of repositories impossible due to the not exactly straightforward login process used in SSO. It also effectively made everything on the site private, which was not great.

Now I instead have forced login only on the /user/login context path, which allows anonymous access to anything that gitea treats as public, while at the same time “hijacking” gitea’s own login page and sending users to sign in using SSO there instead.

From what I have been able to test, this works flawlessly at the moment at least.

My question is how fragile I should expect this to be. Can I count on all (web) authentication enforcement in gitea to always pass via /user/login, or are there situations where this approach would cause problems?
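As an added illustration of the setup described in the post above (not configuration from the original poster), here is an Apache virtual host fragment that forces a Shibboleth session only on `/user/login` and hands the SSO identity to Gitea through its reverse-proxy authentication header. It assumes Gitea listens on `127.0.0.1:3000`, that the Shibboleth SP exports attributes as environment variables (the default `ShibUseEnvironment On`), that the attribute id `eppn` is defined in the SP's `attribute-map.xml`, and that Gitea is configured to read the user name from the header `X-WEBAUTH-USER` (its default `REVERSE_PROXY_AUTHENTICATION_USER`). The hostname is a placeholder.

```apache
# Added example, not from the original post. Assumptions: Gitea on 127.0.0.1:3000,
# mod_shib + mod_proxy + mod_headers loaded, attribute id "eppn" mapped in the SP,
# Gitea reverse-proxy authentication enabled with header X-WEBAUTH-USER.
<VirtualHost *:443>
    ServerName git.example.org    # placeholder

    ProxyRequests Off
    ProxyPreserveHost On

    # The identity header must only ever be set by this proxy. Drop any copy a
    # client sends, on every request, so it cannot be used to impersonate a user.
    RequestHeader unset X-WEBAUTH-USER

    # Shibboleth SP handler (session initiation, metadata, logout); never proxied.
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>
    ProxyPass /Shibboleth.sso !

    # Only Gitea's own login page requires an SSO session. Everything else is
    # proxied anonymously and Gitea applies its own public/private rules.
    <Location /user/login>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
        # Pass the SP-exported attribute to Gitea as the trusted user name.
        RequestHeader set X-WEBAUTH-USER "%{eppn}e"
    </Location>

    ProxyPass        / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/
</VirtualHost>
```

On the Gitea side this pairs with `ENABLE_REVERSE_PROXY_AUTHENTICATION = true` in the `[service]` section and `REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER` in `[security]`; restricting `REVERSE_PROXY_TRUSTED_PROXIES` to the Apache host and keeping `REVERSE_PROXY_LIMIT` at 1 means Gitea only honours the header when the request really came through that proxy. The global `RequestHeader unset` matters because Gitea evaluates the reverse-proxy header on every web request, not just on `/user/login`, so a header that leaks through from a client on any other path would be treated as an authenticated identity. A quick check after deployment is to send a request with a forged `X-WEBAUTH-USER` header to a non-login path and confirm the response is still anonymous.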