Make OAuth2 issuer configurable (#35915)

The new (correct) behavior breaks the old (incorrect) logins. Add a config option to support legacy "issuer". Fix #35830
2025-12-07 13:28:25 +00:00 · 2025-11-10 23:45:01 +08:00
parent 1c8c56503f
commit e31f224ad2
4 changed files with 35 additions and 13 deletions
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -567,6 +567,11 @@ ENABLED = true
 ;; Alternative location to specify OAuth2 authentication secret. You cannot specify both this and JWT_SECRET, and must pick one
 ;JWT_SECRET_URI = file:/etc/gitea/oauth2_jwt_secret
 ;;
+;; The "issuer" claim identifies the principal that issued the JWT.
+;; Gitea 1.25 makes it default to "ROOT_URL without the last slash" to follow the standard.
+;; If you have old logins from before 1.25, you may want to set it to the old (non-standard) value "ROOT_URL with the last slash".
+;JWT_CLAIM_ISSUER =
+;;
 ;; Lifetime of an OAuth2 access token in seconds
 ;ACCESS_TOKEN_EXPIRATION_TIME = 3600
 ;;