Cloudron recently added native support for OpenID Connect (OIDC for short), which means that manual workarounds such as using Kopano Meet as a bridge are no longer needed.

One application I use quite often on my own Cloudron is Gitea. For example, the source code of this blog is hosted there, and so are the projects I work on by myself. My only problem with it is that login sessions are quite short, so I constantly have to pick the right pair of credentials and then enter the separate 2FA code to log in. When logging in via OIDC, however, Gitea has an optional “Skip local 2FA” setting for a given identity provider.

Gitea can be configured to use Cloudron as its “Authentication Source” as follows.

In Gitea, go to “Site Administration”, then “Authentication Sources”, and add a new authentication source. Fill in the following values:

  • Authentication type: choose OAuth2.
  • Authentication Name: this is the name that will be displayed to the user; I recommend using Gitea.
  • OAuth2 Provider: select OpenID Connect.
  • Client ID (Key): this and the client secret are internal values that are never shown to the user. I recommend using a medium-length random string for each of them; write them down somewhere, as they are also needed in the Cloudron configuration.
  • Client secret: see above.
  • Icon URL: to avoid the generic OIDC logo, a custom logo can be specified. I host a logo for my Cloudron along with this blog.
  • OpenID Connect Auto Discovery URL: this must be the exact URL of the discovery document. In my case it is https://my.9wd.eu/.well-known/openid-configuration.
  • Skip local 2FA: tick this box to avoid having to complete a two-factor login twice.

There are no other settings to make, but once the new authentication source has been saved, open it again to get the callback/redirect URL, as it is needed to configure Cloudron.

In Cloudron, go to the Users section, scroll down to the OpenID Connect Provider settings, and click “New client” on the resulting page. Fill in the form as follows:

  • Name: this is the name that will be shown to the user; I recommend using Gitea.
  • Client ID: this must be the ID that was previously configured in Gitea.
  • Client Secret: this must be the secret that was previously configured in Gitea.
  • Login callback Url (comma separated if more than one): paste the callback URL obtained from Gitea here.

With a click on “Create” all the server-side configuration is done. A user can easily link their existing Gitea account with the new OIDC login by going to the security settings, or simply by logging in from a new session, which will then ask for the original login if the account is not linked yet.
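The two values that have to be typed in by hand on both sides are the Client ID/Client Secret pair and the URLs. The following helper script is an added example and is not part of Cloudron or Gitea: it generates a random ID and secret with the OS CSPRNG, sanity-checks a discovery document against the URL entered in Gitea (it must sit at `<issuer>/.well-known/openid-configuration` and advertise HTTPS endpoints), and checks a redirect URL against Cloudron's comma-separated callback list with an exact match. The discovery document and the callback URLs in the script are constructed samples, not real Cloudron or Gitea responses; only the issuer host is taken from the post above.

```python
from __future__ import annotations

import secrets
from urllib.parse import urlparse

# Keys a usable OpenID Connect discovery document must carry for an
# authorization-code login such as Gitea's: the issuer, the two endpoints
# and the JWKS used to verify ID token signatures.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample discovery document (NOT a real Cloudron response);
# only the issuer host comes from the post.
SAMPLE_DISCOVERY_URL = "https://my.9wd.eu/.well-known/openid-configuration"
SAMPLE_DOC = {
    "issuer": "https://my.9wd.eu",
    "authorization_endpoint": "https://my.9wd.eu/openid/authorize",
    "token_endpoint": "https://my.9wd.eu/openid/token",
    "jwks_uri": "https://my.9wd.eu/openid/jwks",
    "response_types_supported": ["code"],
}


def make_client_credentials(nbytes: int = 32) -> tuple[str, str]:
    """Generate the Client ID and Client Secret entered on both sides.

    secrets.token_urlsafe draws from the OS CSPRNG; 32 bytes gives 256 bits
    of entropy and a 43-character URL-safe string that pastes cleanly.
    """
    return secrets.token_urlsafe(nbytes), secrets.token_urlsafe(nbytes)


def check_discovery_document(doc: dict, discovery_url: str) -> list[str]:
    """Return the problems found in a discovery document (empty list = OK)."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"missing {key}")
    issuer = str(doc.get("issuer", "")).rstrip("/")
    # OIDC Discovery places the document at <issuer>/.well-known/openid-configuration,
    # so the URL typed into Gitea must be exactly that; otherwise the "iss" claim
    # in ID tokens will not match what the client expects.
    if discovery_url != issuer + "/.well-known/openid-configuration":
        problems.append(f"discovery URL {discovery_url!r} does not belong to issuer {issuer!r}")
    # Every endpoint must be HTTPS; the code and tokens travel over these.
    for key in REQUIRED_KEYS[1:]:
        url = doc.get(key)
        if url and urlparse(url).scheme != "https":
            problems.append(f"{key} is not served over https: {url}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    return problems


def callback_allowed(configured: str, requested: str) -> bool:
    """Cloudron's 'Login callback Url' field is a comma-separated list.

    A redirect URI must match one entry exactly; prefix or substring matching
    would let an unintended page receive the authorization code.
    """
    allowed = {u.strip() for u in configured.split(",") if u.strip()}
    return requested in allowed


if __name__ == "__main__":
    client_id, client_secret = make_client_credentials()
    print("Client ID:    ", client_id)
    print("Client Secret:", client_secret)
    print("Discovery problems:", check_discovery_document(SAMPLE_DOC, SAMPLE_DISCOVERY_URL) or "none")
```

Run it once, paste the two printed values into the Gitea and Cloudron forms, and keep the callback check handy if a login later fails with a redirect error: the most common cause is a URL that differs by a trailing slash or a scheme.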

And with this in place, I can now simply log in to my Gitea account using my existing Cloudron login session.