Added displaying banner for admin user in case of failure during required additional information retrieval

modules/google/groups.go

@@ -68,7 +68,7 @@ func (c *Client) FetchGroups(ctx context.Context, email string) ([]string, error
 	groups := make([]string, 0, 16)
 	pageToken := ""
 
-	for range maxGroupPages {
+	for range make([]struct{}, maxGroupPages) {
 		params := url.Values{}
 		params.Set("query", fmt.Sprintf("member_key_id=='%s'", email))
 		if pageToken != "" {

options/locale/locale_en-US.json

@@ -429,6 +429,8 @@
   "auth.oauth.signin.error.general": "There was an error processing the authorization request: %s. If this error persists, please contact the site administrator.",
   "auth.oauth.signin.error.access_denied": "The authorization request was denied.",
   "auth.oauth.signin.error.temporarily_unavailable": "Authorization failed because the authentication server is temporarily unavailable. Please try again later.",
+  "auth.oauth.required_additional_info_fetch_failed_banner.title": "OAuth2 additional information synchronization warning",
+  "auth.oauth.required_additional_info_fetch_failed_banner.desc": "Gitea recently failed to retrieve required additional information from authentication source \"%s\" (last failure: %s). Users may keep their previously synchronized admin/restricted/team state until retrieval succeeds again. Check logs for details.",
   "auth.oauth_callback_unable_auto_reg": "Auto Registration is enabled, but OAuth2 Provider %[1]s returned missing fields: %[2]s, unable to create an account automatically. Please create or link to an account, or contact the site administrator.",
   "auth.openid_connect_submit": "Connect",
   "auth.openid_connect_title": "Connect to an existing account",

routers/common/pagetmpl.go

@@ -12,6 +12,7 @@ import (
 	"code.gitea.io/gitea/models/db"
 	issues_model "code.gitea.io/gitea/models/issues"
 	"code.gitea.io/gitea/modules/log"
+	oauth2_source "code.gitea.io/gitea/services/auth/source/oauth2"
 	"code.gitea.io/gitea/services/context"
 )
 
@@ -69,8 +70,16 @@ type pageGlobalDataType struct {
 	IsSigned    bool
 	IsSiteAdmin bool
 
-	GetNotificationUnreadCount func() int64
-	GetActiveStopwatch         func() *StopwatchTmplInfo
+	GetNotificationUnreadCount              func() int64
+	GetActiveStopwatch                      func() *StopwatchTmplInfo
+	GetRequiredAdditionalInfoFailureWarning func() *oauth2_source.RequiredAdditionalInfoFailureWarning
+}
+
+func oauth2RequiredAdditionalInfoFailureWarning(ctx *context.Context) *oauth2_source.RequiredAdditionalInfoFailureWarning {
+	if ctx.Doer == nil || !ctx.Doer.IsAdmin {
+		return nil
+	}
+	return oauth2_source.GetRequiredAdditionalInfoFailureWarning(ctx.Cache)
 }
 
 func PageGlobalData(ctx *context.Context) {
@@ -79,5 +88,8 @@ func PageGlobalData(ctx *context.Context) {
 	data.IsSiteAdmin = ctx.Doer != nil && ctx.Doer.IsAdmin
 	data.GetNotificationUnreadCount = sync.OnceValue(func() int64 { return notificationUnreadCount(ctx) })
 	data.GetActiveStopwatch = sync.OnceValue(func() *StopwatchTmplInfo { return getActiveStopwatch(ctx) })
+	data.GetRequiredAdditionalInfoFailureWarning = sync.OnceValue(func() *oauth2_source.RequiredAdditionalInfoFailureWarning {
+		return oauth2RequiredAdditionalInfoFailureWarning(ctx)
+	})
 	ctx.Data["PageGlobalData"] = data
 }

routers/common/pagetmpl_test.go

@@ -0,0 +1,41 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"testing"
+	"time"
+
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/cache"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/timeutil"
+	oauth2_source "code.gitea.io/gitea/services/auth/source/oauth2"
+	"code.gitea.io/gitea/services/context"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestOAuth2RequiredAdditionalInfoFailureWarning_AdminOnlyVisibility(t *testing.T) {
+	c, err := cache.NewStringCache(setting.Cache{Adapter: "memory", Interval: 1})
+	require.NoError(t, err)
+
+	defer timeutil.MockSet(time.Unix(1_700_000_000, 0))()
+	oauth2_source.SetRequiredAdditionalInfoFetchFailureWarning(c, "Google Workspace")
+
+	adminCtx := &context.Context{
+		Doer:  &user_model.User{IsAdmin: true},
+		Cache: c,
+	}
+	nonAdminCtx := &context.Context{
+		Doer:  &user_model.User{IsAdmin: false},
+		Cache: c,
+	}
+
+	adminWarning := oauth2RequiredAdditionalInfoFailureWarning(adminCtx)
+	require.NotNil(t, adminWarning)
+	assert.Equal(t, "Google Workspace", adminWarning.SourceName)
+	assert.Nil(t, oauth2RequiredAdditionalInfoFailureWarning(nonAdminCtx))
+}

routers/web/auth/oauth.go

@@ -490,12 +490,18 @@ func oAuth2UserLoginCallback(ctx *context.Context, authSource *auth.Source, requ
 		if err != nil {
 			log.Warn("OAuth2: failed to fetch additional info for %s: %v", gothUser.Email, err)
 			if provider.FailLoginOnAdditionalInfoError() {
+				sourceName := authSource.Name
+				if sourceName == "" {
+					sourceName = fmt.Sprintf("source #%d", authSource.ID)
+				}
+				oauth2.SetRequiredAdditionalInfoFetchFailureWarning(ctx.Cache, sourceName)
 				// Fail closed only when login directly depends on the group claim
 				// (for example RequiredClaimName == GroupClaimName). Other
 				// group-based sync features are fail-open and preserve prior state.
 				return nil, goth.User{}, user_model.ErrUserProhibitLogin{Name: gothUser.UserID}
 			}
 		} else {
+			oauth2.ClearRequiredAdditionalInfoFetchFailureWarning(ctx.Cache)
 			gothUser = enriched
 		}
 	}

services/auth/source/oauth2/additional_info_provider_test.go

@@ -5,8 +5,14 @@ package oauth2
 
 import (
 	"testing"
+	"time"
+
+	"code.gitea.io/gitea/modules/cache"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/timeutil"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestIsGoogleGroupClaimRequiredForLoginFlow(t *testing.T) {
@@ -60,3 +66,45 @@ func TestIsGoogleGroupClaimRequiredForLoginFlow(t *testing.T) {
 		assert.False(t, isGoogleGroupClaimRequiredForLoginFlow(source))
 	})
 }
+
+func TestRequiredAdditionalInfoFailureWarningLifecycle(t *testing.T) {
+	c, err := cache.NewStringCache(setting.Cache{Adapter: "memory", Interval: 1})
+	require.NoError(t, err)
+
+	mockNow := time.Unix(1_700_000_000, 0)
+	defer timeutil.MockSet(mockNow)()
+	SetRequiredAdditionalInfoFetchFailureWarning(c, "Google Workspace")
+
+	warning := GetRequiredAdditionalInfoFailureWarning(c)
+	require.NotNil(t, warning)
+	assert.Equal(t, "Google Workspace", warning.SourceName)
+	assert.Equal(t, timeutil.TimeStamp(mockNow.Unix()), warning.LastFailedUnix)
+
+	ClearRequiredAdditionalInfoFetchFailureWarning(c)
+	assert.Nil(t, GetRequiredAdditionalInfoFailureWarning(c))
+}
+
+func TestRequiredAdditionalInfoFailureWarningThrottle(t *testing.T) {
+	c, err := cache.NewStringCache(setting.Cache{Adapter: "memory", Interval: 1})
+	require.NoError(t, err)
+
+	first := time.Unix(1_700_000_000, 0)
+	defer timeutil.MockSet(first)()
+	SetRequiredAdditionalInfoFetchFailureWarning(c, "Google Workspace")
+	initial := GetRequiredAdditionalInfoFailureWarning(c)
+	require.NotNil(t, initial)
+
+	// Within throttle window, keep previous timestamp to avoid cache churn.
+	timeutil.MockSet(first.Add(30 * time.Second))
+	SetRequiredAdditionalInfoFetchFailureWarning(c, "Google Workspace")
+	throttled := GetRequiredAdditionalInfoFailureWarning(c)
+	require.NotNil(t, throttled)
+	assert.Equal(t, initial.LastFailedUnix, throttled.LastFailedUnix)
+
+	// After throttle window, timestamp is refreshed.
+	timeutil.MockSet(first.Add(61 * time.Second))
+	SetRequiredAdditionalInfoFetchFailureWarning(c, "Google Workspace")
+	refreshed := GetRequiredAdditionalInfoFailureWarning(c)
+	require.NotNil(t, refreshed)
+	assert.Equal(t, timeutil.TimeStamp(first.Add(61*time.Second).Unix()), refreshed.LastFailedUnix)
+}

services/auth/source/oauth2/required_additional_info_failure_warning.go

@@ -0,0 +1,77 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package oauth2
+
+import (
+	"code.gitea.io/gitea/modules/cache"
+	"code.gitea.io/gitea/modules/json"
+	"code.gitea.io/gitea/modules/timeutil"
+)
+
+const (
+	requiredAdditionalInfoFailureWarningCacheKey = "oauth2.required.additional.info.failure.warning"
+	requiredAdditionalInfoFailureWarningTTL      = 3600
+	requiredAdditionalInfoFailureWarningThrottle = 60
+)
+
+type RequiredAdditionalInfoFailureWarning struct {
+	SourceName     string             `json:"sourceName"`
+	LastFailedUnix timeutil.TimeStamp `json:"lastFailedUnix"`
+}
+
+func GetRequiredAdditionalInfoFailureWarning(c cache.StringCache) *RequiredAdditionalInfoFailureWarning {
+	if c == nil {
+		return nil
+	}
+
+	rawWarning, ok := c.Get(requiredAdditionalInfoFailureWarningCacheKey)
+	if !ok || rawWarning == "" {
+		return nil
+	}
+
+	warning := &RequiredAdditionalInfoFailureWarning{}
+	if err := json.Unmarshal([]byte(rawWarning), warning); err != nil {
+		_ = c.Delete(requiredAdditionalInfoFailureWarningCacheKey)
+		return nil
+	}
+	if warning.SourceName == "" || warning.LastFailedUnix.IsZero() {
+		_ = c.Delete(requiredAdditionalInfoFailureWarningCacheKey)
+		return nil
+	}
+
+	return warning
+}
+
+func SetRequiredAdditionalInfoFetchFailureWarning(c cache.StringCache, sourceName string) {
+	if c == nil {
+		return
+	}
+	if sourceName == "" {
+		sourceName = "OAuth2"
+	}
+
+	now := timeutil.TimeStampNow()
+	current := GetRequiredAdditionalInfoFailureWarning(c)
+	if current != nil && current.SourceName == sourceName && now-current.LastFailedUnix < requiredAdditionalInfoFailureWarningThrottle {
+		return
+	}
+
+	rawWarning, err := json.Marshal(&RequiredAdditionalInfoFailureWarning{
+		SourceName:     sourceName,
+		LastFailedUnix: now,
+	})
+	if err != nil {
+		return
+	}
+	if err := c.Put(requiredAdditionalInfoFailureWarningCacheKey, string(rawWarning), requiredAdditionalInfoFailureWarningTTL); err != nil {
+		return
+	}
+}
+
+func ClearRequiredAdditionalInfoFetchFailureWarning(c cache.StringCache) {
+	if c == nil {
+		return
+	}
+	_ = c.Delete(requiredAdditionalInfoFailureWarningCacheKey)
+}

services/context/context_template.go

@@ -17,6 +17,7 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/web/middleware"
+	oauth2_source "code.gitea.io/gitea/services/auth/source/oauth2"
 	"code.gitea.io/gitea/services/webtheme"
 )
 
@@ -78,6 +79,14 @@ func (c TemplateContext) CurrentWebBanner() *setting.WebBannerType {
 	return nil
 }
 
+func (c TemplateContext) CurrentRequiredAdditionalInfoFailureWarning() *oauth2_source.RequiredAdditionalInfoFailureWarning {
+	webCtx := GetWebContext(c)
+	if webCtx == nil || webCtx.Doer == nil || !webCtx.Doer.IsAdmin {
+		return nil
+	}
+	return oauth2_source.GetRequiredAdditionalInfoFailureWarning(webCtx.Cache)
+}
+
 // AppFullLink returns a full URL link with AppSubURL for the given app link (no AppSubURL)
 // If no link is given, it returns the current app full URL with sub-path but without trailing slash (that's why it is not named as AppURL)
 func (c TemplateContext) AppFullLink(link ...string) template.URL {

templates/base/head_banner.tmpl

@@ -9,3 +9,13 @@
 	</button>
 </div>
 {{end}}
+
+{{$requiredAdditionalInfoWarning := ctx.CurrentRequiredAdditionalInfoFailureWarning}}
+{{if $requiredAdditionalInfoWarning}}
+<div class="ui warning message web-banner-container">
+	<div class="render-content markup web-banner-content">
+		<strong>{{ctx.Locale.Tr "auth.oauth.required_additional_info_fetch_failed_banner.title"}}</strong>
+		<p>{{ctx.Locale.Tr "auth.oauth.required_additional_info_fetch_failed_banner.desc" $requiredAdditionalInfoWarning.SourceName (DateUtils.AbsoluteShort $requiredAdditionalInfoWarning.LastFailedUnix)}}</p>
+	</div>
+</div>
+{{end}}