Codeberg/Community
Undocumented OIDC/OAuth breaking change in Forgejo v12.0 #2053

Closed
opened 2025-07-27 13:37:29 +02:00 by jlh · 2 comments


Hi, thanks for the great codeforge.

Unfortunately, Forgejo v12 breaks all existing OAuth clients due to a breaking change in the issuer string:

> PR: remove the trailing slash from the issuer in OAuth claims. If the Forgejo instance is used as an OAuth2 provider, all OIDC clients must ensure they read the updated configuration. For instance, if the OAuth2 client is a Forgejo instance, the already configured authentication source must be updated from the /admin/auths web page. Nothing needs to be modified, it is enough to click on the Update authentication source button.

https://codeberg.org/forgejo/forgejo/milestone/12836

This change is not documented in the Forgejo v12 blog or Codeberg social media.

I am a bit frustrated, as I have been locked out of my Kubernetes cluster while I was on vacation due to multiple of my OIDC clients breaking. Example of kube-login OIDC being broken:

```
error: get-token: authentication error: oidc error: oidc discovery error: oidc: issuer did not match the issuer returned by provider, expected "https://codeberg.org/" got "https://codeberg.org"
```

While I do not check the Codeberg Mastodon often, I would have liked to see some notice about this. I think that this is something that should be included in the main changelog, as I believe it affects all users of Codeberg OAuth.

In any case, thank you for the great codeforge and I appreciate the new features being worked on.

Owner

Please add your case to https://codeberg.org/forgejo/forgejo/issues/8634.
Owner

(For the record, the Forgejo release blog posts introduce releases to users, they are no replacement for the changelog, which is linked from the blog post. The regression only became known after the blog post was published. The changelog was updated accordingly.

Codeberg immediately reverted the breaking changes for OAuth2 clients. However, since OIDC clients should auto-refresh the metadata and it was confirmed to work with Forgejo, no further action was considered necessary. Reverting this change is tricky, because it would break the clients that have updated *again*.

I understand that more social media presence might have been useful to you. https://social.anoxinon.de/@Codeberg/114901902682414788 declares the status page for the canonical source of information, which also references the Forgejo issue I shared above.

I appreciate a hint on where you might have looked for more information and which channels we should update, that are read by sysadmins interacting with Codeberg, without annoying regular users.)

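The error quoted in the report, and the reply's point that clients re-read provider metadata, both come down to one rule of OpenID Connect Discovery: the `issuer` value a client reads from `/.well-known/openid-configuration` must be byte-for-byte identical to the issuer the client was configured with, and the `iss` claim in every ID token must equal that same string. The Go program below is an added example written for this page; it is not code from kubelogin, Forgejo or Codeberg. The two discovery documents and the ID token payload are constructed stand-ins (only the `issuer` differs between them), and the function names are the example's own. It shows why a client configured with `https://codeberg.org/` rejects a provider that now announces `https://codeberg.org`, why re-fetching the document alone does not clear the error while the configured string stays the same, and how to tell a trailing-slash drift apart from a provider that really changed identity without weakening the exact comparison.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed, minimal provider metadata documents standing in for what a
// client fetches from <issuer>/.well-known/openid-configuration before and
// after the change. Not captured from codeberg.org; only "issuer" differs.
const (
	discoveryOld = `{"issuer":"https://codeberg.org/","authorization_endpoint":"https://codeberg.org/login/oauth/authorize"}`
	discoveryNew = `{"issuer":"https://codeberg.org","authorization_endpoint":"https://codeberg.org/login/oauth/authorize"}`
)

// ProviderMetadata carries only the fields this example uses.
type ProviderMetadata struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
}

// ErrIssuerMismatch mirrors the class of error quoted in the report.
var ErrIssuerMismatch = errors.New("oidc: issuer did not match the issuer returned by provider")

// LoadMetadata parses a discovery document and enforces OpenID Connect
// Discovery 1.0 section 4.3: the document's "issuer" MUST be identical to the
// issuer the client was configured with. Plain string equality, so
// "https://codeberg.org/" and "https://codeberg.org" are different issuers.
func LoadMetadata(configuredIssuer string, doc []byte) (*ProviderMetadata, error) {
	var md ProviderMetadata
	if err := json.Unmarshal(doc, &md); err != nil {
		return nil, fmt.Errorf("oidc discovery: %w", err)
	}
	if md.Issuer != configuredIssuer {
		return nil, fmt.Errorf("%w, expected %q got %q", ErrIssuerMismatch, configuredIssuer, md.Issuer)
	}
	return &md, nil
}

// VerifyIssuerClaim is the same check on the token side (OIDC Core 1.0,
// section 3.1.3.7 step 2): the ID token's "iss" claim MUST exactly equal the
// issuer obtained from discovery. idTokenPayload is the decoded JWT payload;
// signature verification is out of scope for this example.
func VerifyIssuerClaim(md *ProviderMetadata, idTokenPayload []byte) error {
	var claims struct {
		Iss string `json:"iss"`
	}
	if err := json.Unmarshal(idTokenPayload, &claims); err != nil {
		return fmt.Errorf("id token: %w", err)
	}
	if claims.Iss != md.Issuer {
		return fmt.Errorf("oidc: id token issued by %q, expected %q", claims.Iss, md.Issuer)
	}
	return nil
}

// TrailingSlashOnly reports whether two issuer strings differ by nothing but
// one trailing slash. It is an operator diagnostic, not a relaxation of
// LoadMetadata: normalising slashes away inside the client would silently
// weaken the issuer binding the spec relies on.
func TrailingSlashOnly(a, b string) bool {
	ta, tb := strings.TrimSuffix(a, "/"), strings.TrimSuffix(b, "/")
	return a != b && ta != "" && ta == tb
}

// DocumentIssuer returns the issuer a document announces, unvalidated, so a
// mismatch can be reported against the configured value.
func DocumentIssuer(doc []byte) string {
	var md ProviderMetadata
	if err := json.Unmarshal(doc, &md); err != nil {
		return ""
	}
	return md.Issuer
}

func main() {
	configured := "https://codeberg.org/" // pre-change value in a client config

	if _, err := LoadMetadata(configured, []byte(discoveryOld)); err != nil {
		panic(err)
	}
	fmt.Println("old document: issuer check passed")

	// Re-reading the document after the provider upgrade does not help while
	// the configured string stays the same; the configuration has to change.
	_, err := LoadMetadata(configured, []byte(discoveryNew))
	fmt.Println("new document:", err)
	if got := DocumentIssuer([]byte(discoveryNew)); TrailingSlashOnly(configured, got) {
		fmt.Printf("only a trailing slash differs; set the client's issuer to %q\n", got)
	}
}
```

For a client whose issuer is a fixed setting (kubelogin's issuer URL, for instance) the fix is to change that setting to the provider's new string; a client that stores the issuer it learned from discovery, as the quoted Forgejo note describes, only needs to re-read the document. Either way the exact comparison should stay in place, since it is what stops a token minted by one issuer from being accepted as another's.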