
feat(oauth): Support AWS Cognito OAuth2 provider#37607

Merged
bircni merged 10 commits into
go-gitea:mainfrom
thatguyfig:cognito-sso-support
May 16, 2026

Conversation

@thatguyfig
Contributor

Using the standard OpenID Connect OAuth2 provider type doesn't work well for AWS Cognito. Most of the functionality works absolutely fine, however the query parameter post_logout_redirect_uri is not understood by Cognito and results in a bad experience when logging out.

To combat this I've added a new AWS Cognito provider which is almost identical to the OpenID Connect type except it overrides the query parameter to logout_uri which is what Cognito expects.

This then results in a nice experience logging out with no errors seen - even though the logout does succeed. Why AWS thought they would deviate from the OAuth spec in this particular area is beyond me...
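As an added illustration (not code from this PR or from Gitea itself), the Go program below builds the end-session redirect for the two conventions the PR contrasts: standard OIDC RP-initiated logout, which takes post_logout_redirect_uri (optionally with id_token_hint and client_id), and the Cognito hosted UI /logout endpoint, which takes client_id and logout_uri. Cognito only honours a logout_uri that was registered as an allowed sign-out URL on the app client, so the example keeps the same allowlist on the relying-party side and refuses to build a redirect to anything else; that check, the LogoutConfig struct, the Provider constants and the sample domain are all assumptions for this example, not Gitea's own types or configuration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Provider selects which end-session parameter convention to emit.
type Provider int

const (
	// OpenIDConnect follows OIDC RP-Initiated Logout: post_logout_redirect_uri.
	OpenIDConnect Provider = iota
	// AWSCognito uses the hosted UI /logout endpoint: client_id + logout_uri.
	AWSCognito
)

// LogoutConfig describes one configured OAuth2 source.
// Field names are illustrative (assumed for this example), not Gitea's structs.
type LogoutConfig struct {
	Provider      Provider
	EndSessionURL string   // e.g. https://<domain>.auth.<region>.amazoncognito.com/logout
	ClientID      string   // app client id registered at the IdP
	AllowedLogout []string // sign-out URLs registered at the IdP (constructed allowlist)
}

// BuildLogoutURL returns the URL the browser is sent to so the IdP session ends
// and the user lands back on redirectTo. It rejects redirect targets that are
// not on the allowlist, mirroring what the IdP enforces server-side, so a
// tampered redirect parameter cannot turn logout into an open redirect.
func BuildLogoutURL(cfg LogoutConfig, redirectTo, idTokenHint string) (string, error) {
	base, err := url.Parse(cfg.EndSessionURL)
	if err != nil || base.Scheme != "https" || base.Host == "" {
		return "", errors.New("end-session endpoint must be an absolute https URL")
	}
	if !isAllowed(cfg.AllowedLogout, redirectTo) {
		return "", fmt.Errorf("redirect %q is not a registered sign-out URL", redirectTo)
	}

	q := base.Query()
	switch cfg.Provider {
	case AWSCognito:
		// Cognito ignores post_logout_redirect_uri and requires client_id.
		q.Set("client_id", cfg.ClientID)
		q.Set("logout_uri", redirectTo)
	case OpenIDConnect:
		q.Set("post_logout_redirect_uri", redirectTo)
		if idTokenHint != "" {
			q.Set("id_token_hint", idTokenHint)
		}
		if cfg.ClientID != "" {
			q.Set("client_id", cfg.ClientID)
		}
	default:
		return "", errors.New("unknown provider type")
	}
	base.RawQuery = q.Encode()
	return base.String(), nil
}

// isAllowed does an exact-match comparison against the registered sign-out URLs.
// Exact match (not prefix) is deliberate: prefix checks are a classic bypass.
func isAllowed(list []string, candidate string) bool {
	for _, a := range list {
		if a == candidate {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample configuration; the domain and client id are made up.
	cognito := LogoutConfig{
		Provider:      AWSCognito,
		EndSessionURL: "https://example.auth.eu-west-1.amazoncognito.com/logout",
		ClientID:      "abc123",
		AllowedLogout: []string{"https://git.example.com/"},
	}
	u, err := BuildLogoutURL(cognito, "https://git.example.com/", "")
	fmt.Println(u, err)

	// A redirect that is not registered at the IdP is refused locally too.
	_, err = BuildLogoutURL(cognito, "https://evil.example.net/", "")
	fmt.Println("rejected:", err)
}
```

Running it prints a Cognito logout URL carrying client_id and logout_uri, then the rejection for the unregistered target; switching Provider to OpenIDConnect yields the post_logout_redirect_uri form that Cognito would silently ignore, which is the behaviour the PR description reports.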

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label May 8, 2026
@thatguyfig thatguyfig changed the title feat(oauth): Added support for AWS Cognito OAuth2 provider feat(oauth): Support for AWS Cognito OAuth2 provider May 8, 2026
@thatguyfig thatguyfig changed the title feat(oauth): Support for AWS Cognito OAuth2 provider feat(oauth): Support AWS Cognito OAuth2 provider May 8, 2026
wxiaoguang
wxiaoguang previously approved these changes May 10, 2026
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels May 10, 2026
@thatguyfig
Contributor Author

On second look, I think a better approach would be to set up a Goth provider much like the other custom OAuth implementations rather than overriding. I'll update to follow the pattern already implemented.

@wxiaoguang wxiaoguang dismissed their stale review May 10, 2026 14:35

wait for more improvements

@GiteaBot GiteaBot added lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels May 10, 2026
@thatguyfig
Contributor Author

In the end it wasn't that simple to do; instead I've moved the Cognito provider registration into the same file as the custom providers. The approach is still largely the same as before.

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels May 11, 2026
@wxiaoguang wxiaoguang added this to the 1.27.0 milestone May 15, 2026
@wxiaoguang wxiaoguang requested a review from a team May 16, 2026 09:24
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels May 16, 2026
@bircni bircni added the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label May 16, 2026
@bircni bircni enabled auto-merge (squash) May 16, 2026 09:30
@bircni bircni merged commit 96e0dc1 into go-gitea:main May 16, 2026
21 checks passed
@GiteaBot GiteaBot removed the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label May 16, 2026
@thatguyfig
Contributor Author

Nice one cheers!

silverwind added a commit to silverwind/gitea that referenced this pull request May 18, 2026
* origin/main: (39 commits)
  fix: Add missed token scope checking (go-gitea#37735)
  chore: Use giteabot instead of backporter (go-gitea#37422)
  fix: Allow direct commits for unprotected files with push restrictions (go-gitea#37657)
  chore: Conventional adjustments (go-gitea#37677)
  chore(db): introduce db.Session and db.EngineMigration interfaces (go-gitea#37746)
  fix(migrations): preserve unique constraints in v334 sync (go-gitea#37743)
  feat(web): also display PR counts in repo list (go-gitea#37739)
  feat: execute post run cleanup when workflow is cancelled (go-gitea#37275)
  fix(actions): wrong assumption that run id always >= job id (go-gitea#37737)
  fix(icon): use repo-forked icon to display forks count (go-gitea#37731)
  fix(oauth): strengthen PKCE validation and refresh token replay protection (go-gitea#37706)
  fix(web): enforce token scopes on raw, media, and attachment downloads (go-gitea#37698)
  feat: Add bypass allowlist for branch protection (go-gitea#36514)
  refactor(glob): use strings.Builder for regexp compilation (go-gitea#37730)
  feat(oauth): Support AWS Cognito OAuth2 provider (go-gitea#37607)
  feat: Add default PR branch update style setting (go-gitea#37410)
  refactor: move `workflowpattern` into `modules/actions` (go-gitea#37717)
  ci: add `zizmor` to `lint-actions` (go-gitea#37720)
  chore(doctor): remove four obsolete doctor check implementations (go-gitea#37728)
  chore(renovate): enable dockerfile manager (go-gitea#37719)
  ...

# Conflicts:
#	modules/globallock/locker_test.go

Labels

lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore.


4 participants