SSO: Wire Forgejo → Keycloak OIDC #336

Closed
opened 2026-05-05 04:06:16 +00:00 by forgejo_admin · 0 comments

Type

Feature

Lineage

Standalone — scoped during platform SSO initiative (2026-05-04). Depends on platform realm ticket.

Repo

`forgejo_admin/pal-e-platform`

User Story

As a platform admin
I want to log into Forgejo via Keycloak SSO
So that I don't need a separate password and get seamless click-through from the admin dashboard

Context

Forgejo supports OAuth2 providers natively. Config goes in Helm values under `gitea.config` or via Forgejo admin API auth source. Once Forgejo uses Keycloak, Woodpecker CI inherits SSO for free (it uses Forgejo as its auth backend). The zero-re-login experience works because Keycloak session cookie persists — Forgejo redirects to Keycloak, Keycloak sees existing session, bounces back with token.

File Targets

Files the agent should modify or create:

  • `terraform/modules/forgejo/main.tf` — add OAuth2 provider config to Helm values

Files the agent should NOT touch:

  • `terraform/modules/keycloak/main.tf` — realm is managed separately
  • `terraform/modules/ci/main.tf` — Woodpecker inherits from Forgejo automatically

Acceptance Criteria

  • Forgejo login page shows "Sign in with Keycloak" button
  • ldraney can authenticate via Keycloak and lands as admin in Forgejo
  • No second login prompt when navigating from pal-e-admin (SSO session reuse)
  • Existing forgejo_admin local account still works as fallback
  • Woodpecker CI recognizes Keycloak-authenticated Forgejo user

Test Expectations

  • Integration: login via Keycloak, verify Forgejo session created
  • Verify: Woodpecker shows authenticated user after Forgejo SSO
  • Run command: `curl -s https://forgejo.tail5b443a.ts.net/api/v1/settings/api | jq .`

Constraints

  • Keep local auth as fallback (don't disable it)
  • OIDC client ID/secret must be stored in k8s secret, not plaintext in terraform
  • Follow existing Helm values pattern in `modules/forgejo/main.tf`
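The shape the Context and Constraints sections describe, written out as an added illustration (not the project's actual `modules/forgejo/main.tf`): the OIDC client credentials sit in a Kubernetes Secret referenced from the Helm values, the Keycloak source is discovered from the realm's discovery URL, and nothing disables local password login. It assumes the Forgejo Helm chart's `gitea.oauth` list (same schema as the upstream gitea chart) with its `existingSecret` option; the realm URL, hostnames and Secret name are placeholders.

```yaml
# Added illustration, not the project's main.tf. Assumes the Forgejo Helm chart's
# gitea.oauth list (same schema as the upstream gitea chart), including its
# existingSecret option for the client id/secret. Realm URL, hostnames and
# the Secret name are placeholders.
---
# 1. Client credentials live in a Kubernetes Secret, never in terraform or values.
#    The chart expects the keys `key` (client id) and `secret` (client secret).
apiVersion: v1
kind: Secret
metadata:
  name: forgejo-keycloak-oidc            # placeholder name
  namespace: forgejo                     # placeholder namespace
type: Opaque
stringData:
  key: forgejo                           # Keycloak client ID (placeholder)
  secret: "<client-secret-from-keycloak>"  # placeholder, injected at deploy time
---
# 2. Helm values for the Forgejo release (what the terraform helm_release passes).
gitea:
  oauth:
    - name: Keycloak                     # label on the "Sign in with Keycloak" button
      provider: openidConnect
      existingSecret: forgejo-keycloak-oidc
      # Discovery document of the platform realm; Forgejo reads the auth, token,
      # userinfo and JWKS endpoints from it, so no custom URLs are needed.
      autoDiscoverUrl: https://keycloak.example.test/realms/platform/.well-known/openid-configuration
  config:
    oauth2_client:
      ENABLE_AUTO_REGISTRATION: true     # first Keycloak login creates the Forgejo user
      ACCOUNT_LINKING: login             # an existing local user links by signing in once
      USERNAME: nickname                 # Forgejo username taken from the OIDC nickname claim
      UPDATE_AVATAR: false
    service:
      # New accounts arrive only through the OIDC source; local password sign-in
      # itself is untouched, so forgejo_admin keeps working as the fallback.
      ALLOW_ONLY_EXTERNAL_REGISTRATION: true
```

The `curl ... /api/v1/settings/api` check from Test Expectations only proves the instance is up; confirming the auth source is registered means checking the login page for the Keycloak button and completing one round trip through the realm.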

Checklist

  • PR opened
  • Tests pass
  • No unrelated changes

Related

  • `project-pal-e-platform` — platform project
Reference
ldraney/pal-e-platform#336