Setting up Gitea authentication against Azure AD

Here’s how we can setup authentication for Gitea using Azure AD. Gitea does not have Azure AD as an out of the box option but it’s easy to setup as Azure AD uses OpenID Connect and Gitea supports that as an authentication provider.

Note: OpenID connect builds upon OAuth 2.0 so the latter is what it appears as when users try to authenticate with Gitea.

Login to Azure AD > App registrations > New registration.

Give a name (doesn’t matter) and specify the Redirect URI. To get that open a new browser tab/ window and login to Gitea. Go to the Site Administration section and click on “Add Authentication Source”. Change the Authentication Type to “OAuth2” and OAuth2 Provider to “OpenID Connect”. Give a name under Authentication name. You’ll see under the tips section that:

When registering a new OAuth2 authentication, the callback/redirect URL should be: <host>/user/oauth2/<Authentication Name>/callback.

Thus we know what to fill in the Redirect URI on the Azure AD side. We construct the URL based on the Gitea site name and Authentication name. Example: Go back to Azure AD, fill this in and click Register.

Back in Azure AD, once we click Register and are taken to the application registration, go to Certificates & secrets and create a new Client Secret. Choose an expiry date if needed, and then copy the Value once its show. (This will disappear in a bit so note it someplace safe).

Go back to the Gitea page we were on and paste the Client Secret created above into the Client Secret field. We need to enter the Client ID too, for this go back to Azure AD and click the Overview section of the application registration. Copy the Application ID from there and paste into Gitea.

Last step is the Discovery URL. From the official Azure AD OpenID Connect docs we can see the Discovery URL is of the format<tenant>/v2.0/.well-known/openid-configuration. We can see the Tenant ID in the Overview page right next to the Application ID, so copy paste that into the placeholder in the URL above and paste the end result into Gitea. Then click Add.

And that’s about it!

At this point it’s worth noting a few settings I changed in the Gitea config file.

Under the [openid] section I have the following:

The first of these was already false for me. If I turn this to true it gives an additional OpenID section on the login page where I can enter the URL of an OpenID provider. I don’t want that so I left this to false. The second of these allows me to signup/ register for an account via OpenID. It was already true so I left it so. And the third restricts OpenID to Azure AD – this was the only setting I really changed.

I am not sure if I can disable sign up via OpenID and manually associate accounts.

Additionally, under the [service] section I have the following:

The first of these allows user registration, while the second limits registration to via external services only (OpenID in my case as I allowed it earlier), and the third of these removes the “Sign Up” button from the Gitea website so no one can register manually.

The reason for these is that when a user signs up via Azure AD they then need to make an acccount on Gitea. This Gitea account doesn’t have a password and can’t be used to login directly, but this is what links the Azure AD signin to a Gitea account. So we need to allow registration.