diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini index 38759b8a4b8f7..38a27509f7441 100644 --- a/custom/conf/app.example.ini +++ b/custom/conf/app.example.ini @@ -388,8 +388,17 @@ INTERNAL_TOKEN= ;; Enables OAuth2 provider ENABLE = true ;; +;; Algorithm used to sign OAuth2 tokens. Valid values: HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512 +;JWT_SIGNING_ALGORITHM = RS256 +;; +;; Private key file path used to sign OAuth2 tokens. The path is relative to APP_DATA_PATH. +;; This setting is only needed if JWT_SIGNING_ALGORITHM is set to RS256, RS384, RS512, ES256, ES384 or ES512. +;; The file must contain a RSA or ECDSA private key in the PKCS8 format. If no key exists a 4096 bit key will be created for you. +;JWT_SIGNING_PRIVATE_KEY_FILE = jwt/private.pem +;; ;; OAuth2 authentication secret for access and refresh tokens, change this yourself to a unique string. CLI generate option is helpful in this case. https://docs.gitea.io/en-us/command-line/#generate -JWT_SECRET = +;; This setting is only needed if JWT_SIGNING_ALGORITHM is set to HS256, HS384 or HS512. +;JWT_SECRET = ;; ;; Lifetime of an OAuth2 access token in seconds ;ACCESS_TOKEN_EXPIRATION_TIME = 3600 diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md index 35deeac02e22e..a33407d15a73d 100644 --- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md +++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md @@ -861,7 +861,7 @@ NB: You must have `DISABLE_ROUTER_LOG` set to `false` for this option to take ef - `INVALIDATE_REFRESH_TOKENS`: **false**: Check if refresh token has already been used - `JWT_SIGNING_ALGORITHM`: **RS256**: Algorithm used to sign OAuth2 tokens. Valid values: \[`HS256`, `HS384`, `HS512`, `RS256`, `RS384`, `RS512`, `ES256`, `ES384`, `ES512`\] - `JWT_SECRET`: **\**: OAuth2 authentication secret for access and refresh tokens, change this to a unique string. This setting is only needed if `JWT_SIGNING_ALGORITHM` is set to `HS256`, `HS384` or `HS512`. -- `JWT_SIGNING_PRIVATE_KEY_FILE`: **jwt/private.pem**: Private key file path used to sign OAuth2 tokens. The path is relative to `CUSTOM_PATH`. This setting is only needed if `JWT_SIGNING_ALGORITHM` is set to `RS256`, `RS384`, `RS512`, `ES256`, `ES384` or `ES512`. The file must contain a RSA or ECDSA private key in the PKCS8 format. +- `JWT_SIGNING_PRIVATE_KEY_FILE`: **jwt/private.pem**: Private key file path used to sign OAuth2 tokens. The path is relative to `APP_DATA_PATH`. This setting is only needed if `JWT_SIGNING_ALGORITHM` is set to `RS256`, `RS384`, `RS512`, `ES256`, `ES384` or `ES512`. The file must contain a RSA or ECDSA private key in the PKCS8 format. If no key exists a 4096 bit key will be created for you. - `MAX_TOKEN_LENGTH`: **32767**: Maximum length of token/cookie to accept from OAuth2 provider ## i18n (`i18n`) diff --git a/modules/setting/setting.go b/modules/setting/setting.go index f648179155594..020101430d30d 100644 --- a/modules/setting/setting.go +++ b/modules/setting/setting.go @@ -805,7 +805,7 @@ func NewContext() { } if !filepath.IsAbs(OAuth2.JWTSigningPrivateKeyFile) { - OAuth2.JWTSigningPrivateKeyFile = filepath.Join(CustomPath, OAuth2.JWTSigningPrivateKeyFile) + OAuth2.JWTSigningPrivateKeyFile = filepath.Join(AppDataPath, OAuth2.JWTSigningPrivateKeyFile) } sec = Cfg.Section("admin")