3
14
Fork
You've already forked yojo
5

Unable to login with Codeberg #32

Closed
opened 2026年06月02日 20:23:25 +02:00 by thomasadam · 5 comments
Contributor
Copy link

Hi there,

When trying to use yojo (whether via the public instance, or self-hosted), logging into Codeberg is not working, with the error:

Gitea auth error: oauth2: unauthorized client: redirect_uri does not match the authorization

This happens every time I try and login to Codeberg. I also tried using the self-hosted option. Same issue.

Note that I see the oauth token created in Codeberg...

I suspect this must be a recent issue -- yet. I'd love to hear from anyone with a solution.

Hi there, When trying to use `yojo` (whether via the public instance, or self-hosted), logging into Codeberg is not working, with the error: ``` Gitea auth error: oauth2: unauthorized client: redirect_uri does not match the authorization ``` This happens every time I try and login to Codeberg. I also tried using the self-hosted option. Same issue. Note that I see the oauth token created in Codeberg... I suspect this must be a recent issue -- yet. I'd love to hear from anyone with a solution.

Sounds like a Forgejo bug. yojo does not supply the redirect_uri parameter.

Sounds like a Forgejo bug. yojo does not supply the `redirect_uri` parameter.
Author
Contributor
Copy link

Hi @emersion

Thanks for the response. I'm happy to chat to Codeberg about this. What would you suggest?

Hi @emersion Thanks for the response. I'm happy to chat to Codeberg about this. What would you suggest?

RFC 6749 section 3.1.2.3 states that the client MUST supply the redirect_uri parameter in some cases. but none of these cases apply to yojo.

See also the yojo OAuth configuration on the Codeberg side:

out

[RFC 6749 section 3.1.2.3](https://www.rfc-editor.org/info/rfc6749/#section-3.1.2.3) states that the client MUST supply the `redirect_uri` parameter in some cases. but none of these cases apply to yojo. See also the yojo OAuth configuration on the Codeberg side: ![out](/attachments/e8eed5ac-99c5-4218-9150-bc7bfff573cd)
49 KiB
Author
Contributor
Copy link

So I looked into his a bit more, and believe it to be a Yojo bug.

Codeberg checks that the redirect_uri supplied during the token exchange exactly matches the one used during authorization. What Yojo seemed to be doing was using a dynamic RedirectURI for the authorization request, but then uses the original config during the token exchange.

The diff below fixes this. I'm happy to turn it into a PR if you're happy with the approach:

diff --git a/main.go b/main.go
index a65dc16..c5dc876 100644
--- a/main.go
+++ b/main.go
@@ -391,8 +391,14 @@ func main() {
 } else {
 endpoint = config.Gitea.Endpoint
+ // Match the redirect URI set in redirectAuth. Forgejo/Gitea checks
+ // that the token exchange uses the same redirect URI as the
+ // authorization request.
+ auth := *giteaAuth
+ auth.RedirectURI = getOrigin(r) + "/authorize-gitea"
+
 var err error
- tokenResp, err = authorizeOAuth2(giteaAuth, r)
+ tokenResp, err = authorizeOAuth2(&auth, r)
 if err != nil {
 http.Error(w, fmt.Sprintf("Gitea auth error: %v", err), http.StatusBadRequest)
 return
So I looked into his a bit more, and believe it to be a Yojo bug. Codeberg checks that the redirect_uri supplied during the token exchange exactly matches the one used during authorization. What Yojo seemed to be doing was using a dynamic RedirectURI for the authorization request, but then uses the original config during the token exchange. The diff below fixes this. I'm happy to turn it into a PR if you're happy with the approach: ``` diff --git a/main.go b/main.go index a65dc16..c5dc876 100644 --- a/main.go +++ b/main.go @@ -391,8 +391,14 @@ func main() { } else { endpoint = config.Gitea.Endpoint + // Match the redirect URI set in redirectAuth. Forgejo/Gitea checks + // that the token exchange uses the same redirect URI as the + // authorization request. + auth := *giteaAuth + auth.RedirectURI = getOrigin(r) + "/authorize-gitea" + var err error - tokenResp, err = authorizeOAuth2(giteaAuth, r) + tokenResp, err = authorizeOAuth2(&auth, r) if err != nil { http.Error(w, fmt.Sprintf("Gitea auth error: %v", err), http.StatusBadRequest) return ```

Sounds good to me.

Sounds good to me.
Sign in to join this conversation.
No Branch/Tag specified
master
No results found.
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
emersion/yojo#32
Reference in a new issue
emersion/yojo
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?