From 80e39fd834baeb30b2fa21b9df5da762dfbccb73 Mon Sep 17 00:00:00 2001
From: Valentin Iovene <val@too.gy>
Date: Wed, 20 Nov 2024 23:06:08 +0100
Subject: [PATCH] Add Forgejo oidc provider config example (#17872)

---
 changelog.d/17872.doc |  1 +
 docs/openid.md        | 30 ++++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 changelog.d/17872.doc

diff --git a/changelog.d/17872.doc b/changelog.d/17872.doc
new file mode 100644
index 0000000000..7f8b2d3495
--- /dev/null
+++ b/changelog.d/17872.doc
@@ -0,0 +1 @@
+Add OIDC example configuration for Forgejo (fork of Gitea).
diff --git a/docs/openid.md b/docs/openid.md
index 7a10b1615b..5a3d7e9fba 100644
--- a/docs/openid.md
+++ b/docs/openid.md
@@ -336,6 +336,36 @@ but it has a `response_types_supported` which excludes "code" (which we rely on,
 is even mentioned in their [documentation](https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#login)),
 so we have to disable discovery and configure the URIs manually.
 
+### Forgejo
+
+Forgejo is a fork of Gitea that can act as an OAuth2 provider.
+
+The implementation of OAuth2 is improved compared to Gitea, as it provides a correctly defined `subject_claim` and `scopes`.
+
+Synapse config:
+
+```yaml
+oidc_providers:
+  - idp_id: forgejo
+    idp_name: Forgejo
+    discover: false
+    issuer: "https://your-forgejo.com/"
+    client_id: "your-client-id" # TO BE FILLED
+    client_secret: "your-client-secret" # TO BE FILLED
+    client_auth_method: client_secret_post
+    scopes: ["openid", "profile", "email", "groups"]
+    authorization_endpoint: "https://your-forgejo.com/login/oauth/authorize"
+    token_endpoint: "https://your-forgejo.com/login/oauth/access_token"
+    userinfo_endpoint: "https://your-forgejo.com/api/v1/user"
+    user_mapping_provider:
+      config:
+        subject_claim: "sub"
+        picture_claim: "picture"
+        localpart_template: "{{ user.preferred_username }}"
+        display_name_template: "{{ user.name }}"
+        email_template: "{{ user.email }}"
+```
+
 ### GitHub
 
 [GitHub][github-idp] is a bit special as it is not an OpenID Connect compliant provider, but