
setup gitea as oauth idP behind nginx sub-path fail #30680

Open
tryagaintsai opened this issue Apr 24, 2024 · 6 comments
Labels
issue/needs-feedback For bugs, we need more details. For features, the feature must be described in more detail

Comments

@tryagaintsai

Description

I want to set up gitea as an oauth idP behind an nginx sub-path, but I get some error messages

case 1: set up gitea as oauth idP behind nginx location /; it worked fine and passed the auth_request page

location / {
        proxy_pass http://gitea:3000;
        proxy_set_header Connection $http_connection;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
}

2024/04/24 07:41:26 ...eb/routing/logger.go:102:func1() [I] router: completed GET /login/oauth/authorize?approval_prompt=force&client_id=541a70cb-a7f3-4ec0-82bf-43278e7e79d3&code_challenge=SQcJLZzPg_1StgcGYm5h6ZbmaBUwcAh0Op2TMSW8jU4&code_challenge_method=S256&redirect_uri=https%3A%2F%2F10.168.104.100%3A3333%2Foauth2base%2Fcallback&response_type=code&scope=openid+email+profile+groups&state=agdZc27rCmAQfrPQ4x7oH1e2Io99eRATsZXbeJcDU1E%3A%2Fbase%2F for 192.168.188.23:0, 303 See Other in 18.6ms @ web/web.go:139(web.registerRoutes.verifyAuthWithOptions)
2024/04/24 07:41:26 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/login for 192.168.188.23:0, 200 OK in 15.6ms @ auth/auth.go:146(auth.SignIn)
2024/04/24 07:41:29 ...eb/routing/logger.go:102:func1() [I] router: completed POST /user/login for 192.168.188.23:0, 303 See Other in 114.5ms @ auth/auth.go:179(auth.SignInPost)
2024/04/24 07:41:29 ...eb/routing/logger.go:102:func1() [I] router: completed GET /login/oauth/authorize?approval_prompt=force&client_id=541a70cb-a7f3-4ec0-82bf-43278e7e79d3&code_challenge=SQcJLZzPg_1StgcGYm5h6ZbmaBUwcAh0Op2TMSW8jU4&code_challenge_method=S256&redirect_uri=https%3A%2F%2F10.168.104.100%3A3333%2Foauth2base%2Fcallback&response_type=code&scope=openid+email+profile+groups&state=agdZc27rCmAQfrPQ4x7oH1e2Io99eRATsZXbeJcDU1E%3A%2Fbase%2F for 192.168.188.23:0, 303 See Other in 4.6ms @ auth/oauth.go:362(auth.AuthorizeOAuth)
2024/04/24 07:41:29 ...eb/routing/logger.go:102:func1() [I] router: completed POST /login/oauth/access_token for 10.17.54.1:0, 200 OK in 126.3ms @ auth/oauth.go:618(auth.AccessTokenOAuth)
2024/04/24 07:41:29 ...eb/routing/logger.go:102:func1() [I] router: completed GET /api/v1/user/orgs?page=1&per_page=100 for 10.17.54.1:0, 200 OK in 4.7ms @ org/org.go:55(org.ListMyOrgs)
2024/04/24 07:41:29 ...eb/routing/logger.go:102:func1() [I] router: completed GET /api/v1/user/orgs?page=2&per_page=100 for 10.17.54.1:0, 200 OK in 3.5ms @ org/org.go:55(org.ListMyOrgs)
2024/04/24 07:41:29 ...eb/routing/logger.go:102:func1() [I] router: completed GET /api/v1/user/teams?page=1&per_page=100 for 10.17.54.1:0, 200 OK in 4.0ms @ org/team.go:76(org.ListUserTeams)
2024/04/24 07:41:29 ...eb/routing/logger.go:102:func1() [I] router: completed GET /api/v1/user/teams?page=2&per_page=100 for 10.17.54.1:0, 200 OK in 3.1ms @ org/team.go:76(org.ListUserTeams)
2024/04/24 07:41:29 ...eb/routing/logger.go:102:func1() [I] router: completed GET /api/v1/user/emails for 10.17.54.1:0, 200 OK in 10.5ms @ user/email.go:20(user.ListEmails)
2024/04/24 07:41:29 ...eb/routing/logger.go:102:func1() [I] router: completed GET /api/v1/user for 10.17.54.1:0, 200 OK in 2.4ms @ user/user.go:123(user.GetAuthenticatedUser)
2024/04/24 07:41:29 ...eb/routing/logger.go:102:func1() [I] router: completed GET /api/v1/user/emails for 10.17.54.1:0, 200 OK in 2.7ms @ user/email.go:20(user.ListEmails)

case 2: set up gitea as oauth idP behind nginx location /gitea/, and got 404 Not Found on gitea, 500 on oauth2-proxy

location /gitea/ {
        # make nginx use unescaped URI, keep "%2F" as is
        rewrite ^ $request_uri;
        rewrite ^/gitea(/.*) $1 break;
        proxy_pass http://gitea:3000$uri;
        proxy_set_header Connection $http_connection;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
}

2024/04/24 08:35:27 ...eb/routing/logger.go:102:func1() [I] router: completed GET /login/oauth/authorize?approval_prompt=force&client_id=541a70cb-a7f3-4ec0-82bf-43278e7e79d3&code_challenge=qteDdrs2zi7FSR7MAhjVScIourC0e6DVOLp4k6CYFYM&code_challenge_method=S256&redirect_uri=https%3A%2F%2F10.168.104.100%3A3333%2Foauth2prefix%2Fcallback&response_type=code&scope=openid+email+profile+groups&state=lhYtVxVnMgT1EBkwtvMmjWDHjn1ZiFw8E8DS2qv82wU%3A%2Fprefix%2F for 192.168.188.23:0, 303 See Other in 24.3ms @ web/web.go:139(web.registerRoutes.verifyAuthWithOptions)
2024/04/24 08:35:27 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/login for 192.168.188.23:0, 200 OK in 17.4ms @ auth/auth.go:146(auth.SignIn)
2024/04/24 08:35:37 ...eb/routing/logger.go:102:func1() [I] router: completed POST /user/login for 192.168.188.23:0, 303 See Other in 114.0ms @ auth/auth.go:179(auth.SignInPost)
2024/04/24 08:35:37 ...eb/routing/logger.go:102:func1() [I] router: completed GET /login/oauth/authorize?approval_prompt=force&client_id=541a70cb-a7f3-4ec0-82bf-43278e7e79d3&code_challenge=qteDdrs2zi7FSR7MAhjVScIourC0e6DVOLp4k6CYFYM&code_challenge_method=S256&redirect_uri=https%3A%2F%2F10.168.104.100%3A3333%2Foauth2prefix%2Fcallback&response_type=code&scope=openid+email+profile+groups&state=lhYtVxVnMgT1EBkwtvMmjWDHjn1ZiFw8E8DS2qv82wU%3A%2Fprefix%2F for 192.168.188.23:0, 303 See Other in 4.4ms @ auth/oauth.go:362(auth.AuthorizeOAuth)
2024/04/24 08:35:37 ...eb/routing/logger.go:102:func1() [I] router: completed POST /login/oauth/access_token for 10.17.55.1:0, 200 OK in 133.6ms @ auth/oauth.go:618(auth.AccessTokenOAuth)
2024/04/24 08:35:37 ...eb/routing/logger.go:102:func1() [I] router: completed GET /api/v1/user/emails/user/orgs?page=1&per_page=100 for 10.17.55.1:0, 404 Not Found in 2.5ms @ v1/api.go:732(v1.Routes.verifyAuthWithOptions)
... no other logs; oauth2-proxy shows 500 Internal Server Error

Gitea Version

1.21.10

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

run gitea with docker compose

gitea/gitea:1.21.10 as oauth idP
nginx:1.25.4-alpine3.18 as reverse proxy
nginx:1.25.4-alpine3.18 as web target
quay.io/oauth2-proxy/oauth2-proxy:v7.6.0 as base path proxy
quay.io/oauth2-proxy/oauth2-proxy:v7.6.0 as prefix path proxy

Database

SQLite

@wxiaoguang
Contributor

Could you provide the detailed steps to reproduce? eg: docker compose files, config files, and operation steps.

@tryagaintsai
Author

tryagaintsai commented Apr 25, 2024

Could you provide the detailed steps to reproduce? eg: docker compose files, config files, and operation steps.

demo.tar.gz

The attached file is my env, excluding gitea.

my_host_ip: 10.168.104.100; change it to your env
in: oauth2-base.cfg, oauth2-prefix.cfg

  1. setup gitea, create user & oauth app for client_id, client_secret
    app Redirect URIs.
    https://10.168.104.100:3333/oauth2base/callback
    https://10.168.104.100:3333/oauth2prefix/callback
    docker-compose up -d
    visit: https://10.168.104.100:3334/ to setup gitea
    case 1: ROOT_URL: https://10.168.104.100:3334/
    case 2: ROOT_URL: https://10.168.104.100:3333/gitea/

  2. update oauth2-base.cfg, oauth2-prefix.cfg, client_id, client_secret

  3. launch up
    docker-compose down; docker-compose up -d
    case 1: visit https://10.168.104.100:3333/base/
    case 2: visit https://10.168.104.100:3333/prefix/

docker logs demo-gitea-1
gives the success and fail logs

@wxiaoguang
Contributor

wxiaoguang commented Apr 25, 2024

Thank you for the details. I think I could reproduce it now. And I guess the problem is that Gitea isn't GitHub (in the oauth2 config: provider="github")

And oauth2-proxy has different behaviors when there is a prefix; it sends more requests, as below. If we could mock the responses on the nginx side, then there won't be a 500 error (but 403 no permission, because oauth2-proxy couldn't collect enough information in this case).

(Gitea doesn't support these GitHub API)

    location /gitea/api/v1/user/emails/user/orgs {
        return 200 '[]';
    }
    location /gitea/api/v1/user/emails/user/teams {
        return 200 '[]';
    }
    location /gitea/api/v1/user/emails/user/emails {
        return 200 '[]';
    }
    location /gitea/api/v1/user/emails/user {
        return 200 '{}';
    }

Screenshot of the new 403:


@tryagaintsai
Author

tryagaintsai commented Apr 25, 2024

but case 1 and case 2 use the same provider="github"
case 1 can pass oauth
case 2 cannot

the different point is
case 1 location on /
case 2 location on /gitea/

if gitea lost user info, both case 1 and 2 could not pass

now I switch the provider to oidc

add config to nginx.conf
proxy_buffers 4 64k;
proxy_buffer_size 32k;
proxy_busy_buffers_size 128k;

case 1: provider
provider="oidc"
provider_display_name="gitea oidc oauth"
oidc_issuer_url="https://10.168.104.100:3334/"

pass oauth to web

2024/04/25 07:33:03 ...s/graceful/server.go:70:NewServer() [I] Starting new Web server: tcp:0.0.0.0:3000 on PID: 15
2024/04/25 07:33:03 ...eb/routing/logger.go:102:func1() [I] router: completed GET /.well-known/openid-configuration for 10.17.93.1:0, 200 OK in 9.3ms @ auth/oauth.go:580(auth.OIDCWellKnown)
2024/04/25 07:33:03 ...eb/routing/logger.go:102:func1() [I] router: completed GET /.well-known/openid-configuration for 10.17.93.1:0, 200 OK in 0.4ms @ auth/oauth.go:580(auth.OIDCWellKnown)
2024/04/25 07:33:04 ...eb/routing/logger.go:102:func1() [I] router: completed GET /.well-known/openid-configuration for 10.17.93.1:0, 200 OK in 0.4ms @ auth/oauth.go:580(auth.OIDCWellKnown)
2024/04/25 07:33:05 ...eb/routing/logger.go:102:func1() [I] router: completed GET /.well-known/openid-configuration for 10.17.93.1:0, 200 OK in 0.4ms @ auth/oauth.go:580(auth.OIDCWellKnown)
2024/04/25 07:33:07 ...eb/routing/logger.go:102:func1() [I] router: completed GET /.well-known/openid-configuration for 10.17.93.1:0, 200 OK in 0.3ms @ auth/oauth.go:580(auth.OIDCWellKnown)
2024/04/25 07:33:11 ...eb/routing/logger.go:102:func1() [I] router: completed GET /.well-known/openid-configuration for 10.17.93.1:0, 200 OK in 0.5ms @ auth/oauth.go:580(auth.OIDCWellKnown)
2024/04/25 07:33:18 ...eb/routing/logger.go:102:func1() [I] router: completed GET /.well-known/openid-configuration for 10.17.93.1:0, 200 OK in 0.5ms @ auth/oauth.go:580(auth.OIDCWellKnown)
2024/04/25 07:33:21 ...eb/routing/logger.go:102:func1() [I] router: completed GET /login/oauth/authorize?approval_prompt=force&client_id=5d596f44-e6c8-42b6-9909-acb799f3455a&code_challenge=uW6OcF-KQLguwZZJAuX1BFC_emdCYZAyDfCuC3gGiwE&code_challenge_method=S256&redirect_uri=https%3A%2F%2F10.168.104.100%3A3333%2Foauth2base%2Fcallback&response_type=code&scope=openid+email+profile+groups&state=MvsH5bi-mcLLzW3wYm1BBnQIjKF0b9G-zEIEejvdpxE%3A%2Fbase%2F for 192.168.188.23:0, 303 See Other in 0.3ms @ web/web.go:139(web.registerRoutes.verifyAuthWithOptions)
2024/04/25 07:33:21 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/login for 192.168.188.23:0, 200 OK in 12.0ms @ auth/auth.go:146(auth.SignIn)
2024/04/25 07:33:25 ...eb/routing/logger.go:102:func1() [I] router: completed POST /user/login for 192.168.188.23:0, 303 See Other in 117.4ms @ auth/auth.go:179(auth.SignInPost)
2024/04/25 07:33:25 ...eb/routing/logger.go:102:func1() [I] router: completed GET /login/oauth/authorize?approval_prompt=force&client_id=5d596f44-e6c8-42b6-9909-acb799f3455a&code_challenge=uW6OcF-KQLguwZZJAuX1BFC_emdCYZAyDfCuC3gGiwE&code_challenge_method=S256&redirect_uri=https%3A%2F%2F10.168.104.100%3A3333%2Foauth2base%2Fcallback&response_type=code&scope=openid+email+profile+groups&state=MvsH5bi-mcLLzW3wYm1BBnQIjKF0b9G-zEIEejvdpxE%3A%2Fbase%2F for 192.168.188.23:0, 303 See Other in 4.4ms @ auth/oauth.go:362(auth.AuthorizeOAuth)
2024/04/25 07:33:25 ...eb/routing/logger.go:102:func1() [I] router: completed POST /login/oauth/access_token for 10.17.93.1:0, 200 OK in 155.9ms @ auth/oauth.go:618(auth.AccessTokenOAuth)
2024/04/25 07:33:25 ...eb/routing/logger.go:102:func1() [I] router: completed GET /login/oauth/keys for 10.17.93.1:0, 200 OK in 0.3ms @ auth/oauth.go:594(auth.OIDCKeys)
2024/04/25 07:33:25 ...eb/routing/logger.go:102:func1() [I] router: completed GET /login/oauth/userinfo for 10.17.93.1:0, 200 OK in 4.2ms @ auth/oauth.go:279(auth.InfoOAuth)
2024/04/25 07:33:31 ...eb/routing/logger.go:102:func1() [I] router: completed GET /.well-known/openid-configuration for 10.17.93.1:0, 200 OK in 0.8ms @ auth/oauth.go:580(auth.OIDCWellKnown)

@tryagaintsai
Author

tryagaintsai commented Apr 25, 2024

case 2: location /gitea/

  • update oauth2-proxy config

provider="oidc"
provider_display_name="gitea oidc prefix oauth"
oidc_issuer_url="https://10.168.104.100:3333/gitea/"
whitelist_domains=["10.168.104.100:3333"]
skip_auth_strip_headers="false"

  • update nginx.conf

proxy_buffers 4 64k;
proxy_buffer_size 32k;
proxy_busy_buffers_size 128k;

oauth oidc provider worked

but even if I use this config and change to provider="github"

it cannot pass; maybe the Authorization header disappears somewhere
2024/04/25 09:02:22 ...eb/routing/logger.go:102:func1() [I] router: completed GET /api/v1/user/emails/user/orgs?page=1&per_page=100 for 10.17.119.1:0, 404 Not Found in 4.2ms @ v1/api.go:732(v1.Routes.verifyAuthWithOptions)
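To make the difference between the working and failing runs visible without reading each router line by hand, here is an added example (not part of the issue or of Gitea or oauth2-proxy) that parses the Gitea router log lines quoted in the issue body and in this comment. It locates the token exchange (POST /login/oauth/access_token), treats every later request from that same peer IP as a back-channel call by the relying party, and reports which of those calls failed and where the user information came from. The sample lines are copied from the logs above; the list of known endpoint paths used by `joined_path_hint` is an assumption drawn only from the paths seen in this issue.

```python
"""Classify the OAuth2/OIDC back-channel exchange in Gitea router logs (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Gitea router log line, as quoted in the issue:
# 2024/04/24 07:41:29 ...eb/routing/logger.go:102:func1() [I] router: completed
#   GET /api/v1/user for 10.17.54.1:0, 200 OK in 2.4ms @ user/user.go:123(user.GetAuthenticatedUser)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .*?router: completed "
    r"(?P<method>[A-Z]+) (?P<target>\S+) for (?P<client>[\d.]+):\d+, "
    r"(?P<status>\d{3}) .*? in (?P<ms>[\d.]+)ms @ (?P<handler>\S+)$"
)

@dataclass
class Request:
    ts: str
    method: str
    path: str      # request path with the query string removed
    client: str    # peer IP as logged by Gitea
    status: int
    handler: str

def parse_line(line: str) -> Optional[Request]:
    """Return a Request for a router log line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Request(ts=m.group("ts"), method=m.group("method"),
                   path=m.group("target").split("?", 1)[0],
                   client=m.group("client"), status=int(m.group("status")),
                   handler=m.group("handler"))

# Assumption: endpoint paths seen in this issue; used only to explain a 404 path.
KNOWN_API_PATHS = ("/api/v1/user/emails",)

def joined_path_hint(path: str) -> Optional[Tuple[str, str]]:
    """If a 404 path starts with a known endpoint and continues with another
    '/user/...' path, return the two halves (e.g. the /user/emails + /user/orgs
    pair visible in the case-2 log)."""
    for known in KNOWN_API_PATHS:
        if path.startswith(known + "/user/"):
            return known, path[len(known):]
    return None

def audit_flow(lines: List[str]) -> dict:
    """Summarise one login attempt from router log lines."""
    reqs = [r for r in map(parse_line, lines) if r is not None]
    summary = {"token_exchange_ok": False, "backchannel_client": None,
               "backchannel_failures": [], "hints": [], "userinfo_source": None}
    idx = next((i for i, r in enumerate(reqs)
                if r.method == "POST" and r.path == "/login/oauth/access_token"), None)
    if idx is None:
        return summary
    token = reqs[idx]
    summary["token_exchange_ok"] = token.status == 200
    summary["backchannel_client"] = token.client
    # The browser never calls the token endpoint, so this peer IP is the relying
    # party (oauth2-proxy); its later calls are the back-channel profile lookups.
    for r in reqs[idx + 1:]:
        if r.client != token.client:
            continue
        if r.status >= 400:
            summary["backchannel_failures"].append((r.method, r.path, r.status))
            hint = joined_path_hint(r.path)
            if hint:
                summary["hints"].append(f"{r.path} = {hint[0]} + {hint[1]}")
        elif r.path == "/login/oauth/userinfo":
            summary["userinfo_source"] = "oidc-userinfo"
        elif r.path == "/api/v1/user" and summary["userinfo_source"] is None:
            summary["userinfo_source"] = "api-user"
    return summary

# Sample lines copied from the issue (case 1, case 2 and the oidc run).
CASE1_LOG = [
    "2024/04/24 07:41:26 ...eb/routing/logger.go:102:func1() [I] router: completed GET /user/login for 192.168.188.23:0, 200 OK in 15.6ms @ auth/auth.go:146(auth.SignIn)",
    "2024/04/24 07:41:29 ...eb/routing/logger.go:102:func1() [I] router: completed POST /login/oauth/access_token for 10.17.54.1:0, 200 OK in 126.3ms @ auth/oauth.go:618(auth.AccessTokenOAuth)",
    "2024/04/24 07:41:29 ...eb/routing/logger.go:102:func1() [I] router: completed GET /api/v1/user/orgs?page=1&per_page=100 for 10.17.54.1:0, 200 OK in 4.7ms @ org/org.go:55(org.ListMyOrgs)",
    "2024/04/24 07:41:29 ...eb/routing/logger.go:102:func1() [I] router: completed GET /api/v1/user for 10.17.54.1:0, 200 OK in 2.4ms @ user/user.go:123(user.GetAuthenticatedUser)",
]
CASE2_LOG = [
    "2024/04/24 08:35:37 ...eb/routing/logger.go:102:func1() [I] router: completed POST /login/oauth/access_token for 10.17.55.1:0, 200 OK in 133.6ms @ auth/oauth.go:618(auth.AccessTokenOAuth)",
    "2024/04/24 08:35:37 ...eb/routing/logger.go:102:func1() [I] router: completed GET /api/v1/user/emails/user/orgs?page=1&per_page=100 for 10.17.55.1:0, 404 Not Found in 2.5ms @ v1/api.go:732(v1.Routes.verifyAuthWithOptions)",
    "... no other logs, oauth2-proxy show 500 Internal Server Error",
]
OIDC_LOG = [
    "2024/04/25 07:33:25 ...eb/routing/logger.go:102:func1() [I] router: completed POST /login/oauth/access_token for 10.17.93.1:0, 200 OK in 155.9ms @ auth/oauth.go:618(auth.AccessTokenOAuth)",
    "2024/04/25 07:33:25 ...eb/routing/logger.go:102:func1() [I] router: completed GET /login/oauth/keys for 10.17.93.1:0, 200 OK in 0.3ms @ auth/oauth.go:594(auth.OIDCKeys)",
    "2024/04/25 07:33:25 ...eb/routing/logger.go:102:func1() [I] router: completed GET /login/oauth/userinfo for 10.17.93.1:0, 200 OK in 4.2ms @ auth/oauth.go:279(auth.InfoOAuth)",
]

if __name__ == "__main__":
    for name, log in (("case 1", CASE1_LOG), ("case 2", CASE2_LOG), ("oidc", OIDC_LOG)):
        print(name, audit_flow(log))
```

Run against `docker logs demo-gitea-1` output: a non-empty `backchannel_failures` list with a successful token exchange is the pattern behind the oauth2-proxy 500 in case 2, while the oidc run resolves the user through /login/oauth/userinfo and never touches the /api/v1 paths.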

@wxiaoguang
Contributor

wxiaoguang commented Apr 25, 2024

but case 1 and case 2 use the same provider="github"
case 1 can pass oauth
case 2 cannot

See my comment above: And oauth2-proxy has different behaviors when there is a prefix (I don't know why)

@wxiaoguang wxiaoguang added issue/needs-feedback For bugs, we need more details. For features, the feature must be described in more detail and removed type/bug labels Apr 30, 2024