Description
Gitea Version
1.16.2
Git Version
2.30.2
Operating System
Linux
How are you running Gitea?
I'm running the official docker image docker.io/gitea/gitea:1.16.2 on a Kubernetes cluster. I currently use my own manifests and not the ones provided by Helm.
Database
PostgreSQL
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
https://gist.github.com/ftsell/831eadfeefa162eb1707152fda870a47
Description
I have recently changed the Icon URL of my OAuth2 -> OpenID Connect Authentication Source in Gitea. Immediately afterwards, while validating that the icon works, I noticed that the authentication no longer functions correctly.
After debugging the problem I found that Gitea redirects my user agent to a URL in the pattern https://keycloak.…/openid-connect?client_id=gitea&redirect_uri=…&response_type=code&scope=+openid&state=… . If you look closely, you can see an additional (encoded) + character before the requested scope.
My OpenID Connect server does not accept this and redirects back to https://git.…/user/oauth2/Keycloak/callback?error=invalid_scope&error_description=Invalid+scopes%3A++openid&state=… .
I also tried to create a new separate authentication source but that one suffers from the same problem.
FYI: I am using Keycloak as an OpenID Connect provider. The log files given in the gist include the relevant part of Keycloak's logs as well as Gitea logs in trace mode.
Screenshots
Gitea just shows a generic 500 page; I don't think that's relevant here.
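The following is an added example, not part of the original report and not Gitea's code. It decodes the `scope` parameter of an authorization request URL the way a provider would and checks it against the RFC 6749 section 3.3 grammar, which shows why `scope=+openid` is rejected. The URL (host `idp.example`) is constructed, and `CheckScope` and `NormalizeScope` are hypothetical helper names.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// validScopeToken checks the RFC 6749 section 3.3 rule:
// scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
func validScopeToken(s string) bool {
	for i := 0; i < len(s); i++ {
		c := s[i]
		if c != 0x21 && !(c >= 0x23 && c <= 0x5B) && !(c >= 0x5D && c <= 0x7E) {
			return false
		}
	}
	return s != ""
}

// CheckScope (hypothetical helper) returns the decoded scope value and a
// list of grammar violations. RFC 6749 defines scope as tokens separated
// by exactly one space, so a leading space yields an empty first token.
func CheckScope(rawURL string) (string, []string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", nil, err
	}
	q, err := url.ParseQuery(u.RawQuery)
	if err != nil {
		return "", nil, err
	}
	scope := q.Get("scope") // "+" and "%20" both decode to a space
	var problems []string
	for i, tok := range strings.Split(scope, " ") {
		if tok == "" {
			problems = append(problems, fmt.Sprintf("empty token at index %d", i))
		} else if !validScopeToken(tok) {
			problems = append(problems, fmt.Sprintf("illegal character in %q", tok))
		}
	}
	return scope, problems, nil
}

// NormalizeScope (hypothetical helper) drops empty tokens and rejoins
// the remaining ones with single spaces before the URL is built.
func NormalizeScope(scope string) string {
	return strings.Join(strings.Fields(scope), " ")
}

func main() {
	// Constructed URL mirroring the redirect pattern in the report.
	raw := "https://idp.example/auth?client_id=gitea&response_type=code&scope=+openid&state=xyz"
	scope, problems, err := CheckScope(raw)
	fmt.Printf("%q %v %v -> %q\n", scope, problems, err, NormalizeScope(scope))
}
```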