From a2d88cd5978308624a564f1db0761c300a055ba5 Mon Sep 17 00:00:00 2001 From: techknowlogick Date: Sat, 23 Aug 2025 16:39:05 -0400 Subject: [PATCH] Remove deprecated auth sources (#35272) Entra ID users should use the OIDC oauth2 provider. They will still be shown if the instance has a previous Azure AD source configured. --------- Co-authored-by: Lunny Xiao --- routers/web/admin/auths.go | 8 +++-- services/auth/source/oauth2/providers.go | 39 ++++++++++++++++++++++++ 2 files changed, 44 insertions(+), 3 deletions(-) diff --git a/routers/web/admin/auths.go b/routers/web/admin/auths.go index 56c384b970..60ca7f0048 100644 --- a/routers/web/admin/auths.go +++ b/routers/web/admin/auths.go @@ -97,7 +97,7 @@ func NewAuthSource(ctx *context.Context) { ctx.Data["AuthSources"] = authSources ctx.Data["SecurityProtocols"] = securityProtocols ctx.Data["SMTPAuths"] = smtp.Authenticators - oauth2providers := oauth2.GetSupportedOAuth2Providers() + oauth2providers := oauth2.GetSupportedOAuth2ProvidersWithContext(ctx) ctx.Data["OAuth2Providers"] = oauth2providers ctx.Data["SSPIAutoCreateUsers"] = true @@ -107,7 +107,9 @@ func NewAuthSource(ctx *context.Context) { ctx.Data["SSPIDefaultLanguage"] = "" // only the first as default - ctx.Data["oauth2_provider"] = oauth2providers[0].Name() + if len(oauth2providers) > 0 { + ctx.Data["oauth2_provider"] = oauth2providers[0].Name() + } ctx.HTML(http.StatusOK, tplAuthNew) } @@ -240,7 +242,7 @@ func NewAuthSourcePost(ctx *context.Context) { ctx.Data["AuthSources"] = authSources ctx.Data["SecurityProtocols"] = securityProtocols ctx.Data["SMTPAuths"] = smtp.Authenticators - oauth2providers := oauth2.GetSupportedOAuth2Providers() + oauth2providers := oauth2.GetSupportedOAuth2ProvidersWithContext(ctx) ctx.Data["OAuth2Providers"] = oauth2providers ctx.Data["SSPIAutoCreateUsers"] = true diff --git a/services/auth/source/oauth2/providers.go b/services/auth/source/oauth2/providers.go index 75ed41ba66..c97b8c8e1c 100644 
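Review bot: The new `if len(oauth2providers) > 0` guard in `NewAuthSource` leaves `ctx.Data["oauth2_provider"]` unset when the list is empty, and nothing in the hunk says why a list that was previously assumed non-empty can now be empty. I would add a why-comment above the guard, `// may be empty: deprecated Azure AD providers are hidden unless one is already configured`, and confirm that `tplAuthNew` tolerates a missing `oauth2_provider` key (presumably it just renders the select with no preselected entry; verify against the template). `NewAuthSource` starts before this hunk; its closing brace is inside it.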
--- a/services/auth/source/oauth2/providers.go +++ b/services/auth/source/oauth2/providers.go @@ -10,6 +10,7 @@ import ( "html" "html/template" "net/url" + "slices" "sort" "code.gitea.io/gitea/models/auth" @@ -75,6 +76,10 @@ func (p *AuthSourceProvider) IconHTML(size int) template.HTML { // value is used to store display data var gothProviders = map[string]GothProvider{} +func isAzureProvider(name string) bool { + return name == "azuread" || name == "microsoftonline" || name == "azureadv2" +} + // RegisterGothProvider registers a GothProvider func RegisterGothProvider(provider GothProvider) { if _, has := gothProviders[provider.Name()]; has { 
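Review bot: `isAzureProvider` is added without a doc comment, and the three names it hard-codes are repeated in prose in the `GetSupportedOAuth2Providers` comment later in this patch, so the two lists can drift apart. I would document it as `// isAzureProvider reports whether name is one of the deprecated Azure AD provider names (azuread, microsoftonline, azureadv2) that are hidden in favour of the OpenID Connect provider.` and, as a matter of style, express the membership test as `switch name { case "azuread", "microsoftonline", "azureadv2": return true }` so it reads as a set rather than a chain of `||`. Whether these names match the registered goth provider names exactly cannot be checked from this hunk.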
@@ -83,13 +88,47 @@ func RegisterGothProvider(provider GothProvider) { gothProviders[provider.Name()] = provider } +// getExistingAzureADAuthSources returns a list of Azure AD provider names that are already configured +func getExistingAzureADAuthSources(ctx context.Context) ([]string, error) { + authSources, err := db.Find[auth.Source](ctx, auth.FindSourcesOptions{ + LoginType: auth.OAuth2, + }) + if err != nil { + return nil, err + } + + var existingAzureProviders []string + for _, source := range authSources { + if oauth2Cfg, ok := source.Cfg.(*Source); ok { + if isAzureProvider(oauth2Cfg.Provider) { + existingAzureProviders = append(existingAzureProviders, oauth2Cfg.Provider) + } + } + } + return existingAzureProviders, nil +} + // GetSupportedOAuth2Providers returns the map of unconfigured OAuth2 providers // key is used as technical name (like in the callbackURL) // values to display +// Note: Azure AD providers (azuread, microsoftonline, azureadv2) are filtered out +// unless they already exist in the system to encourage use of OpenID Connect func GetSupportedOAuth2Providers() []Provider { + return GetSupportedOAuth2ProvidersWithContext(context.Background()) +} + +// GetSupportedOAuth2ProvidersWithContext returns the list of supported OAuth2 providers with context for filtering +func GetSupportedOAuth2ProvidersWithContext(ctx context.Context) []Provider { providers := make([]Provider, 0, len(gothProviders)) + existingAzureSources, err := getExistingAzureADAuthSources(ctx) + if err != nil { + log.Error("Failed to get existing OAuth2 auth sources: %v", err) + } for _, provider := range gothProviders { + if isAzureProvider(provider.Name()) && !slices.Contains(existingAzureSources, provider.Name()) { + continue + } providers = append(providers, provider) } sort.Slice(providers, func(i, j int) bool {
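Review bot: In `GetSupportedOAuth2ProvidersWithContext` a failure of `getExistingAzureADAuthSources` is only logged, after which `existingAzureSources` is nil and the loop hides every Azure provider, including ones that are already configured — so a transient DB error turns the "still shown if previously configured" promise into a silently empty dropdown (and, if the edit form reuses this list, would strip the configured provider from it). Since the filter is a UX nudge rather than an access control, it should fail open: keep the log line and change the skip condition to `if err == nil && isAzureProvider(provider.Name()) && !slices.Contains(existingAzureSources, provider.Name()) {`, with a comment such as `// fail open: if the lookup failed we cannot tell which Azure sources exist, so do not hide any`. Note also that `GetSupportedOAuth2Providers()` now performs a DB query under `context.Background()`, detached from any request deadline, so any remaining callers (presumably outside request handlers) should be reviewed for that. The stale "returns the map of unconfigured OAuth2 providers" wording predates this patch but sits in the new side; the function body continues past the end of the hunk.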