Added support for AWS Cognito OAuth2 provider

2026-05-15 04:13:35 +02:00 · 2026-05-08 17:22:49 +01:00 · 2026-05-08 17:22:49 +01:00 · b825d8f9d0
commit b825d8f9d0
parent 7dc3087acd
3 changed files with 78 additions and 1 deletions
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@ -539,7 +539,15 @@ func buildOIDCEndSessionURL(ctx *context.Context, doer *user_model.User) string
 	// https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
 	params := endSessionURL.Query()
 	params.Set("client_id", oauth2Cfg.ClientID)
-	params.Set("post_logout_redirect_uri", httplib.GuessCurrentAppURL(ctx))
+
+	// AWS Cognito uses "logout_uri" instead of the standard "post_logout_redirect_uri"
+	redirectURI := httplib.GuessCurrentAppURL(ctx)
+	if oauth2Cfg.Provider == "cognito" {
+		params.Set("logout_uri", redirectURI)
+	} else {
+		params.Set("post_logout_redirect_uri", redirectURI)
+	}
+
 	endSessionURL.RawQuery = params.Encode()
 	return endSessionURL.String()
 }
--- a/services/auth/source/oauth2/providers_cognito.go
+++ b/services/auth/source/oauth2/providers_cognito.go
@ -0,0 +1,68 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package oauth2
+
+import (
+	"html/template"
+
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/svg"
+
+	"github.com/markbates/goth"
+	"github.com/markbates/goth/providers/openidConnect"
+)
+
+// CognitoProvider is a GothProvider for AWS Cognito
+type CognitoProvider struct{}
+
+func (c *CognitoProvider) SupportSSHPublicKey() bool {
+	return true
+}
+
+// Name provides the technical name for this provider
+func (c *CognitoProvider) Name() string {
+	return "cognito"
+}
+
+// DisplayName returns the friendly name for this provider
+func (c *CognitoProvider) DisplayName() string {
+	return "AWS Cognito"
+}
+
+// IconHTML returns icon HTML for this provider
+func (c *CognitoProvider) IconHTML(size int) template.HTML {
+	return svg.RenderHTML("gitea-openid", size)
+}
+
+// CreateGothProvider creates a GothProvider from this Provider
+func (c *CognitoProvider) CreateGothProvider(providerName, callbackURL string, source *Source) (goth.Provider, error) {
+	scopes := setting.OAuth2Client.OpenIDConnectScopes
+	if len(scopes) == 0 {
+		scopes = append(scopes, source.Scopes...)
+	}
+
+	provider, err := openidConnect.New(source.ClientID, source.ClientSecret, callbackURL, source.OpenIDConnectAutoDiscoveryURL, scopes...)
+	if err != nil {
+		log.Warn("Failed to create AWS Cognito Provider with name '%s' with url '%s': %v", providerName, source.OpenIDConnectAutoDiscoveryURL, err)
+		return nil, err
+	}
+	if source.ExternalIDClaim != "" {
+		// UserIdClaims is a fallback list; goth returns the first non-empty matching claim.
+		// A single entry is sufficient because the admin explicitly chooses one claim (e.g. "sub" for Cognito).
+		provider.UserIdClaims = []string{source.ExternalIDClaim}
+	}
+	return provider, nil
+}
+
+// CustomURLSettings returns the custom url settings for this provider
+func (c *CognitoProvider) CustomURLSettings() *CustomURLSettings {
+	return nil
+}
+
+var _ GothProvider = &CognitoProvider{}
+
+func init() {
+	RegisterGothProvider(&CognitoProvider{})
+}
--- a/web_src/js/features/admin/common.ts
+++ b/web_src/js/features/admin/common.ts
@ -86,6 +86,7 @@ function initAdminAuthentication() {
    const provider = document.querySelector<HTMLInputElement>('#oauth2_provider')!.value;
    switch (provider) {
      case 'openidConnect':
+      case 'cognito':
        document.querySelector<HTMLInputElement>('.open_id_connect_auto_discovery_url input')!.setAttribute('required', 'required');
        showElem('.open_id_connect_auto_discovery_url');
        showElem('.open_id_connect_external_id_claim');