Forgejo SSO
Client Configuration in Keycloak
Create a client in Keycloak with the following settings:
| Setting | Value |
|---|---|
| Client ID | forgejo |
| Root URL | https://forgejo.<CLUSTER_DOMAIN> |
| Home URL | / |
| Redirect URIs | /user/oauth2/Keycloak/callback |
| Web Origins | /* |
| Client Authentication | Enabled |
| Standard Flow | Enabled |
Make a note of the Client Secret generated by Keycloak; you will need it in the next step.
Add users that you want to have access to Forgejo to the Forgejo Contributors group in Keycloak.
Users that should be able to administer Forgejo should be added to the Forgejo Admins group in Keycloak.
SSO Configuration in Forgejo
Sign in to Forgejo with the default admin account, go to Site Administration > Identity & access > Authentication sources, and add a new authentication source with the following settings. Replace <CLIENT_SECRET> and <CLUSTER_DOMAIN> with the actual values.
This guide assumes that you have already configured the Nursery realm.
| Setting | Value |
|---|---|
| Authentication Type | OAuth2 |
| Name | Keycloak |
| OAuth2 Provider | OpenID Connect |
| Client ID | forgejo |
| Client Secret | <CLIENT_SECRET> |
| OpenID Connect Auto Discovery URL | https://account.<CLUSTER_DOMAIN>/realms/nursery/.well-known/openid-configuration |
| Skip local 2FA | Enabled |
| Required claim name | groups |
| Required claim value | /Forgejo Contributors |
| Claim name providing group names for this source | groups |
| Group claim value for administrator users | /Forgejo Admins |
| Activated | Enabled |
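The two tables above fit together in two places that are easy to get subtly wrong: the relative Redirect URI in Keycloak must resolve to the callback path Forgejo derives from the source's Name, and the two group-claim settings decide who can sign in at all and who becomes an administrator. The following Python script is an added example, not part of this guide or of Forgejo's or Keycloak's code: it models both checks against the values in the tables, resolving the relative redirect URI against the Root URL and evaluating a few constructed ID-token payloads (the sample tokens, the `example.test` domain and the `evaluate_claims`/`expected_callback` helper names are assumptions for illustration).

```python
"""Constructed model of the Keycloak/Forgejo settings above (not project code)."""
from dataclasses import dataclass
from urllib.parse import urljoin

# --- Values copied from the Keycloak client table (domain is a placeholder) ---
CLUSTER_DOMAIN = "example.test"
ROOT_URL = f"https://forgejo.{CLUSTER_DOMAIN}"
REDIRECT_URI = "/user/oauth2/Keycloak/callback"

# --- Values copied from the Forgejo authentication-source table ---
SOURCE_NAME = "Keycloak"
REQUIRED_CLAIM_NAME = "groups"
REQUIRED_CLAIM_VALUE = "/Forgejo Contributors"
GROUP_CLAIM_NAME = "groups"
ADMIN_GROUP_VALUE = "/Forgejo Admins"


def expected_callback(root_url: str, source_name: str) -> str:
    """Forgejo's OAuth2 callback path is /user/oauth2/<Name>/callback under the site URL."""
    return urljoin(root_url + "/", f"user/oauth2/{source_name}/callback")


def registered_redirect(root_url: str, redirect_uri: str) -> str:
    """A relative Redirect URI in Keycloak is resolved against the client's Root URL."""
    return urljoin(root_url + "/", redirect_uri.lstrip("/"))


def redirect_matches(root_url: str = ROOT_URL, redirect_uri: str = REDIRECT_URI,
                     source_name: str = SOURCE_NAME) -> bool:
    """True when the URI Keycloak will accept equals the one Forgejo will send."""
    return registered_redirect(root_url, redirect_uri) == expected_callback(root_url, source_name)


@dataclass(frozen=True)
class Decision:
    allowed: bool   # may the token holder sign in through this source?
    admin: bool     # will Forgejo treat them as a site administrator?
    reason: str


def _as_list(value) -> list[str]:
    """A claim may be absent, a single string, or a list of strings."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return [str(v) for v in value]


def evaluate_claims(claims: dict) -> Decision:
    """Apply the required-claim gate, then the admin-group mapping.

    Login is refused unless the required claim contains the required value
    exactly as Keycloak emits it (full group path, leading slash included).
    """
    required = _as_list(claims.get(REQUIRED_CLAIM_NAME))
    if REQUIRED_CLAIM_VALUE not in required:
        return Decision(False, False,
                        f"claim {REQUIRED_CLAIM_NAME!r} lacks {REQUIRED_CLAIM_VALUE!r}")
    groups = _as_list(claims.get(GROUP_CLAIM_NAME))
    is_admin = ADMIN_GROUP_VALUE in groups
    return Decision(True, is_admin, "admin group present" if is_admin else "contributor")


# Constructed sample ID-token payloads, reduced to the claims that matter here.
SAMPLE_TOKENS = {
    "contributor": {"sub": "u1", "groups": ["/Forgejo Contributors"]},
    "admin": {"sub": "u2", "groups": ["/Forgejo Contributors", "/Forgejo Admins"]},
    # In the Admins group only: fails the required-claim gate under these settings.
    "admin_only": {"sub": "u3", "groups": ["/Forgejo Admins"]},
    "no_groups": {"sub": "u4"},
    # Group name without the leading "/" (no full path): does not match.
    "short_path": {"sub": "u5", "groups": ["Forgejo Contributors"]},
}

if __name__ == "__main__":
    print("redirect URI consistent:", redirect_matches())
    for label, token in SAMPLE_TOKENS.items():
        d = evaluate_claims(token)
        print(f"{label:12} allowed={d.allowed!s:5} admin={d.admin!s:5} ({d.reason})")
```

Two things the run makes visible: with the Required claim value set to `/Forgejo Contributors`, a user who is only in the Admins group is refused outright, so administrators need both group memberships; and the claim values are compared verbatim, so the group names in Forgejo must match the full group paths Keycloak puts in the `groups` claim, leading slash included.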