OpenID redirect loop #26097
Comments
|
The chain of requests from jenkins to the initial gitea login page:
|
|
The strange thing is the cookie set by the first call to A redirect to a redirect? |
|
Same thing happened for a colleague of mine this morning. Interesting enough, for me personally it does work, but unlike my colleague I have 2FA enabled, so I first see that page, and then the redirect does work correctly. |
We found the cause of the loop, the redirect_uri parameter was not specified in the URL-encoded format. It might help in other cases too. |
|
@evgnblkn how did you solve it then? |
|
Is there any solution? |
|
We're having the same issue using Gitea as an OAuth provider for our static websites (using https://plenti.co/).
If there is already an active login directly to Gitea, it works for us as well.
Same, the login page just refreshes when clicking "Sign in" and it
We noticed something similar, it used to work in prior versions but somewhere around this version (we're not sure exactly when), we started having this issue. |
Using encodeURIComponent() ended up working for us too. Broken: const url = authProvider.authUrl + env.cms.redirectUrl;
window.open(url, "_self", "");Working: const url = authProvider.authUrl + encodeURIComponent(env.cms.redirectUrl);
window.open(url, "_self", ""); |
|
Just to confirm but the At least the builtin applications don't follow that either: Lines 59 to 73 in 5e72526 |
That's a different problem. For For the redirecting problem, I haven't got enough time to get a reproducible setup. So, if there would be a prepared reproducible environment/setup (eg: by docker compose), I could spend time on debugging it. |
|
Maybe #28529 is the same issue? |
This comment was marked as outdated.
This comment was marked as outdated.
|
I think most "redirect loop" problems could be fixed by: -> Use strict protocol check when redirect #29642 It would be helpful if you could build your own binary to test the patch. Thank you very much. (or wait for 1.21 nightly, I think it could be ready soon) |
|
The 1.21 nightly (pre-1.21.8) is ready, it is a stable release and will become 1.21.8 soon. Please take a try, if the problem is still not resolved, please help to provide more details. Thank you! Get 1.21 nightly: |
wxiaoguang
added
the
issue/needs-feedback
Confirmed 👍 I just tested the nightly version in a private window by trying to log in to our Jenkins instance. Everything works as expected without any funzies. |
|
Thank you very much for the confirm. I think this issue could be closed. If there is any new problem, feel free to report 🙏 And sorry for the inconvenience caused by the bug. |
Description
I'm using gitea as an OpenID provider for Jenkins. Everything works as long as the user is already logged into gitea. If there's no valid Jenkins/gitea session, the user is properly guided to the gitea login page. The problem starts after hitting the Login button:
The initial POST request to
/user/logincontains the username and password entered in the login form. The server answers with a HTTP 303 status code and the location/login/oauth/authorizewith a few query parameters. Theredirect_uriparameter of this request points to my Jenkins instance: https://jenkins.mydomain.com/securityRealm/finishLoginThe problem is that this ends up in a redirect loop as
/login/oauth/authorizewill also answer with HTTP 303 pointing to/user/login. Firefox ultimately errors out with aNS_ERROR_REDIRECT_LOOP.The authentication itself works though. I can successfully open gitea or jenkins afterwards with a valid user session.
The configuration in Jenkins is pretty barebones:
Gitea Version
1.20.1
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
No response
Screenshots
No response
Git Version
No response
Operating System
No response
How are you running Gitea?
Binary started via systemd behind a caddy reverse proxy.
Database
PostgreSQL
The text was updated successfully, but these errors were encountered: