Open
Description
I configured OpenID Connect against authelia, based on this guide.
When I disable `require_pkce` in the authelia config, everything is working as expected. So, the basic communication between authelia and gitea is working.
The following error is received in gitea:
```text
There was an error processing the authorization request: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Clients must include a 'code_challenge' when performing the authorize code flow, but it is missing.
```
The corresponding error information from authelia:
```text
authelia | time="2025-06-17T10:53:13Z" level=error msg="Authorization Response for Request with id 'a7f93478-5aab-4458-bd6c-c55e7da53b3b' on client with id 'ID' using policy 'two_factor' could not be created: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Clients must include a 'code_challenge' when performing the authorize code flow, but it is missing. The client with id 'ID' is registered in a way that enforces PKCE." method=GET path=/api/oidc/authorization remote_ip=****
```
The authelia config used:
```yaml
- client_id: 'randomKey'
  client_name: 'Gitea'
  client_secret: 'hashOfRanodmKey'
  public: false
  authorization_policy: 'two_factor'
  require_pkce: true
  pkce_challenge_method: 'S256'
  redirect_uris:
    - 'https://host.tld/user/oauth2/authelia/callback'
  scopes:
    - 'openid'
    - 'email'
    - 'profile'
    - 'groups'
  response_types:
    - 'code'
  grant_types:
    - 'authorization_code'
    - 'refresh_token'
  response_modes:
    - 'form_post'
    - 'query'
    - 'fragment'
  access_token_signed_response_alg: 'none'
  userinfo_signed_response_alg: 'none'
  token_endpoint_auth_method: 'client_secret_basic'
```
I made a few adjustments to the app.ini trying to fix the problem:
```ini
[oauth2]
ENABLED = true
JWT_SIGNING_ALGORITHM = RS256
JWT_SECRET = JXiYxaIvfaevO9z-z6J2GD3yq5X7ZtjJ0YzLZYM7pc8

[oauth2_client]
ENABLE_AUTO_REGISTRATION = true
ACCOUNT_LINKING = login
UPDATE_AVATAR = false

[openid]
ENABLE_OPENID_SIGNIN = true
ENABLE_OPENID_SIGNUP = true
WHITELISTED_URIS = auth.XXX.tld
```
I've tested this with gitea versions 1.23.8 and 1.24.0.
Gitea Version
1.24.0
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
No response
Screenshots

Git Version
No response
Operating System
No response
How are you running Gitea?
I run gitea in a docker environment.
```yaml
services:
  server:
    image: docker.io/gitea/gitea:1.24
    container_name: gitea
    environment:
      - USER_UID=1000
      - USER_GID=1000
      - GITEA__database__DB_TYPE=postgres
      - GITEA__database__HOST=db:5432
      - GITEA__database__NAME=gitea
      - GITEA__database__USER=gitea
      - GITEA__database__PASSWD=${DBPASS}
    restart: always
    networks:
      - gitea
    volumes:
      - ./gitea:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "3000:3000"
      - "222:22"
    depends_on:
      - db
```
Database
PostgreSQL
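Added illustration, not code from the issue, Gitea or Authelia: what the `require_pkce: true` / `pkce_challenge_method: 'S256'` registration above demands of a client under RFC 7636, namely an S256 `code_challenge` on the authorization request and the matching `code_verifier` at the token endpoint. The issuer URL, the `check_authorize_request` helper (which only mimics the server's rejection) and the sample values are assumptions.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

def b64url(data: bytes) -> str:
    # base64url without padding, as RFC 7636 requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def code_challenge_s256(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def make_pkce_pair():
    # 32 random bytes give a 43-char verifier, inside the RFC's 43..128 range
    verifier = b64url(secrets.token_bytes(32))
    return verifier, code_challenge_s256(verifier)

def build_authorize_url(issuer, client_id, redirect_uri, challenge=None):
    # Authorization request for the code flow with the scopes registered above;
    # calling this with challenge=None reproduces the request Authelia rejected.
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email profile groups",
        "state": b64url(secrets.token_bytes(16)),
    }
    if challenge is not None:
        params["code_challenge"] = challenge
        params["code_challenge_method"] = "S256"
    return f"{issuer}/api/oidc/authorization?{urlencode(params)}"

def check_authorize_request(url, require_pkce, method="S256"):
    # Hypothetical server-side check mirroring the reported error: returns an
    # error string, or None when the request satisfies the registered PKCE policy.
    q = parse_qs(urlparse(url).query)
    if "code_challenge" not in q:
        return "missing code_challenge" if require_pkce else None
    if q.get("code_challenge_method", ["plain"])[0] != method:
        return f"code_challenge_method must be {method}"
    return None

def verify_code_verifier(stored_challenge, code_verifier):
    # Token-endpoint step: the verifier must hash to the challenge bound to the code
    return secrets.compare_digest(code_challenge_s256(code_verifier), stored_challenge)
```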