From ef530b7d3822f992efa7718199719063adf71689 Mon Sep 17 00:00:00 2001
From: viktor
Date: Fri, 19 Jun 2026 17:24:29 +0000
Subject: [PATCH] =?UTF-8?q?forgejo:=20drop=20ENABLE=5FAUTO=5FREGISTRATION?=
 =?UTF-8?q?=20=E2=80=94=20it=20broke=20Authentik=20sign-in?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ENABLE_AUTO_REGISTRATION is a global [oauth2_client] setting (all OAuth sources). On Authentik sign-in, Forgejo auto-created an account and derived the username from Authentik's preferred_username claim — which is the user's email (vbarzin@gmail.com), invalid as a Forgejo username (no '@') → CreateUser failed → 500 on the OAuth callback. (GitHub's username claim is valid, so only Authentik broke.) Reverting to the standard link/register flow fixes both; GitHub sign-up still works via a one-step register form.

Committed via API to touch only main.tf (forgejo-only CI apply) so it doesn't collide with concurrent crowdsec work.

Co-Authored-By: Claude Opus 4.8
---
 stacks/forgejo/main.tf | 13 -------------
 1 file changed, 13 deletions(-)

diff --git a/stacks/forgejo/main.tf b/stacks/forgejo/main.tf
index 5e846bd6..0abb1847 100644
--- a/stacks/forgejo/main.tf
+++ b/stacks/forgejo/main.tf
@@ -280,19 +280,6 @@ resource "kubernetes_deployment" "forgejo" { } } } - # Auto-create a local account on first GitHub (OAuth2) sign-in, so - # "Sign in with GitHub" is a real sign-up path rather than a - # link-to-existing detour. The GitHub identity is the trust gate for - # this OAuth path (the Turnstile captcha + email confirmation apply to - # the native form, not OAuth). The GitHub OAuth2 source itself is added - # out-of-band via `forgejo admin auth add-oauth` (it lives in Forgejo's - # DB, not Terraform — same as the Authentik source); credentials are in - # Vault secret/viktor (forgejo_github_oauth_client_id / _secret). See - # docs/runbooks/forgejo-open-signups.md. - env { - name = "FORGEJO__oauth2_client__ENABLE_AUTO_REGISTRATION" - value = "true" - } volume_mount { name = "data" mount_path = "/data"
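Review bot: the runbook the deleted comment points at, `docs/runbooks/forgejo-open-signups.md`, documented "Sign in with GitHub" as a real sign-up path backed by this env var, so that runbook is now stale and should be updated in the same change (or a follow-up referenced here) to describe the link/register flow the commit message says replaces it. Removing the whole comment also removes the only in-tree record of the trust model it described ("The GitHub identity is the trust gate for this OAuth path (the Turnstile captcha + email confirmation apply to the native form, not OAuth)"); with registration now going through the register form, it would help to state in a short comment at this spot what gating applies to OAuth-initiated registrations, and to note why `FORGEJO__oauth2_client__ENABLE_AUTO_REGISTRATION` must stay off (it is global to all OAuth sources and Authentik's `preferred_username` is an email, which `CreateUser` rejects), so the setting is not reintroduced by someone reading the old runbook.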