OAuth2 provider

Forgejo supports acting as an OAuth2 provider to allow third party applications to access its resources with the user’s consent.

Endpoints

EndpointURL
OpenID Connect Discovery/.well-known/openid-configuration
Authorization Endpoint/login/oauth/authorize
Access Token Endpoint/login/oauth/access_token
OpenID Connect UserInfo/login/oauth/userinfo
JSON Web Key Set/login/oauth/keys

Supported OAuth2 Grants

At the moment Forgejo only supports the Authorization Code Grant standard with additional support of the following extensions:

To use the Authorization Code Grant as a third party application it is required to register a new application via the “Settings” (/user/settings/applications) section of the settings.

Scoped Tokens

Forgejo supports the following scopes for tokens:

NameDescription
(no scope)Grants read-only access to public user profile and public repositories.
repoFull control over all repositories.
    repo:statusGrants read/write access to commit status in all repositories.
    public_repoGrants read/write access to public repositories only.
admin:repo_hookGrants access to repository hooks of all repositories. This is included in the repo scope.
    write:repo_hookGrants read/write access to repository hooks
    read:repo_hookGrants read-only access to repository hooks
admin:orgGrants full access to organization settings
    write:orgGrants read/write access to organization settings
    read:orgGrants read-only access to organization settings
admin:public_keyGrants full access for managing public keys
    write:public_keyGrant read/write access to public keys
    read:public_keyGrant read-only access to public keys
admin:org_hookGrants full access to organizational-level hooks
notificationGrants full access to notifications
userGrants full access to user profile info
    read:userGrants read access to user’s profile
    user:emailGrants read access to user’s email addresses
    user:followGrants access to follow/un-follow a user
delete_repoGrants access to delete repositories as an admin
packageGrants full access to hosted packages
    write:packageGrants read/write access to packages
    read:packageGrants read access to packages
    delete:packageGrants delete access to packages
admin:gpg_keyGrants full access for managing GPG keys
    write:gpg_keyGrants read/write access to GPG keys
    read:gpg_keyGrants read-only access to GPG keys
admin:applicationGrants full access to manage applications
    write:applicationGrants read/write access for managing applications
    read:applicationGrants read access for managing applications
sudoAllows to perform actions as the site admin.

Client types

Forgejo supports both confidential and public client types, as defined by RFC 6749.

For public clients, a redirect URI of a loopback IP address such as http://127.0.0.1/ allows any port. Avoid using localhost, as recommended by RFC 8252.

Example

Note: This example does not use PKCE.

  1. Redirect to user to the authorization endpoint in order to get their consent for accessing the resources:

    https://[YOUR-FORGEJO-URL]/login/oauth/authorize?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI& response_type=code&state=STATE
    

    The CLIENT_ID can be obtained by registering an application in the settings. The STATE is a random string that will be send back to your application after the user authorizes. The state parameter is optional but should be used to prevent CSRF attacks.

    Authorization Page

    The user will now be asked to authorize your application. If they authorize it, the user will be redirected to the REDIRECT_URL, for example:

    https://[REDIRECT_URI]?code=RETURNED_CODE&state=STATE
    
  2. Using the provided code from the redirect, you can request a new application and refresh token. The access token endpoints accepts POST requests with application/json and application/x-www-form-urlencoded body, for example:

    POST https://[YOUR-FORGEJO-URL]/login/oauth/access_token
    
    {
      "client_id": "YOUR_CLIENT_ID",
      "client_secret": "YOUR_CLIENT_SECRET",
      "code": "RETURNED_CODE",
      "grant_type": "authorization_code",
      "redirect_uri": "REDIRECT_URI"
    }
    

    Response:

    {
      "access_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJnbnQiOjIsInR0IjowLCJleHAiOjE1NTUxNzk5MTIsImlhdCI6MTU1NTE3NjMxMn0.0-iFsAwBtxuckA0sNZ6QpBQmywVPz129u75vOM7wPJecw5wqGyBkmstfJHAjEOqrAf_V5Z-1QYeCh_Cz4RiKug",
      "token_type": "bearer",
      "expires_in": 3600,
      "refresh_token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJnbnQiOjIsInR0IjoxLCJjbnQiOjEsImV4cCI6MTU1NzgwNDMxMiwiaWF0IjoxNTU1MTc2MzEyfQ.S_HZQBy4q9r5SEzNGNIoFClT43HPNDbUdHH-GYNYYdkRfft6XptJBkUQscZsGxOW975Yk6RbgtGvq1nkEcklOw"
    }
    

    The CLIENT_SECRET is the unique secret code generated for this application. Please note that the secret will only be visible after you created/registered the application with Forgejo and cannot be recovered. If you lose the secret you must regenerate the secret via the application’s settings.

    The REDIRECT_URI in the access_token request must match the REDIRECT_URI in the authorize request.

  3. Use the access_token to make API requests to access the user’s resources.