forgejo: drop ENABLE_AUTO_REGISTRATION — it broke Authentik sign-in
All checks were successful
ci/woodpecker/push/default Pipeline was successful
ENABLE_AUTO_REGISTRATION is a global [oauth2_client] setting (all OAuth sources). On Authentik sign-in, Forgejo auto-created an account and derived the username from Authentik's preferred_username claim — which is the user's email (vbarzin@gmail.com), invalid as a Forgejo username (no '@') → CreateUser failed → 500 on the OAuth callback. (GitHub's username claim is valid, so only Authentik broke.)

Reverting to the standard link/register flow fixes both; GitHub sign-up still works via a one-step register form.

Committed via API to touch only main.tf (forgejo-only CI apply) so it doesn't collide with concurrent crowdsec work.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
parent a5bb4db9c5
commit ef530b7d38
1 changed files with 0 additions and 13 deletions
|
|
@ -280,19 +280,6 @@ resource "kubernetes_deployment" "forgejo" {
|
|||
}
|
||||
}
|
||||
}
|
||||
# Auto-create a local account on first GitHub (OAuth2) sign-in, so
|
||||
# "Sign in with GitHub" is a real sign-up path rather than a
|
||||
# link-to-existing detour. The GitHub identity is the trust gate for
|
||||
# this OAuth path (the Turnstile captcha + email confirmation apply to
|
||||
# the native form, not OAuth). The GitHub OAuth2 source itself is added
|
||||
# out-of-band via `forgejo admin auth add-oauth` (it lives in Forgejo's
|
||||
# DB, not Terraform — same as the Authentik source); credentials are in
|
||||
# Vault secret/viktor (forgejo_github_oauth_client_id / _secret). See
|
||||
# docs/runbooks/forgejo-open-signups.md.
|
||||
env {
|
||||
name = "FORGEJO__oauth2_client__ENABLE_AUTO_REGISTRATION"
|
||||
value = "true"
|
||||
}
|
||||
volume_mount {
|
||||
name = "data"
|
||||
mount_path = "/data"
|
||||
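Review bot: Deleting the whole comment block above the removed `env { ... }` also drops the only notes in main.tf on how the OAuth sources are managed: that the GitHub source is added out-of-band via `forgejo admin auth add-oauth`, that it lives in Forgejo's DB like the Authentik source, and where its credentials sit in Vault. Those facts are still true after this change, so I would keep a trimmed comment here rather than nothing. It should also record why `FORGEJO__oauth2_client__ENABLE_AUTO_REGISTRATION` must stay unset: it applies to every OAuth source, and Authentik's preferred_username is an email, which Forgejo rejects as a username. Without that guard the next person who wants one-click GitHub sign-up is likely to re-add the variable and reintroduce the 500 on the callback. The removed comment pointed at docs/runbooks/forgejo-open-signups.md; this commit touches only main.tf, so please confirm the runbook no longer describes auto-registration as the GitHub sign-up path, or follow up with a change to it.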