Invalid oauth RefreshToken makes user become inactive when syncing users from oauth provider

[imhun]

Description

oauth login: keycloak

Problem

git pull repo use app token,when oauth login session expired ,git pull error message:
/data.git/info/refs not valid: could not determine hash algorithm; is this a git repository?

gitea home page display:
Your account is prohibited from signing in, please contact your site administrator.

gitea service log message:

2025/06/17 01:54:10 HTTPRequest [I] router: completed GET /bytefabric/data.git/info/refs?service=git-upload-pack for 100.127.131.23:22476, 401 Unauthorized in 35.6ms @ repo/githttp.go:511(repo.GetInfoRefs)

2025-06-17T09:54:10.398305175+08:00 2025/06/17 01:54:10 routers/web/web.go:148:init.verifyAuthWithOptions.1() [I] Failed authentication attempt for xxx from 100.127.131.23:22476

It works properly if we log in again through the oauth login.

Expected

I understand that if git pull uses the app token, it should be able to function normally as long as the token is not expired, and there should be no need for the user to log in again.

Gitea Version

1.37-1.24

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

2.49.0

Operating System

k8s on linux arm64

How are you running Gitea?

k8s 1.32,gitea helm charts:12.0.0

Database

PostgreSQL

[lunny]

What did you mean app token? Is that access token or oauth2 token?

[imhun]

The applications token

[imhun]

When using applications tokens to access package,for example, pulling the docker image, the same problem will occur.

[wxiaoguang]

What's your app.ini config?

Especially:

• REGISTER_EMAIL_CONFIRM
• REGISTER_MANUAL_CONFIRM

[wxiaoguang]

gitea home page display: Your account is prohibited from signing in, please contact your site administrator.

This message should only be shown when the user's is_active=false or prohibit_login=true

Could you check your database about the user details when the problem occurs? If the values are not expected, and need to figure out why it becomes true.

[imhun]

What's your app.ini config?

Especially:

• REGISTER_EMAIL_CONFIRM
• REGISTER_MANUAL_CONFIRM

Without this config

when session expired,the user's is_active=f

when login again,the is_active=t

It seems to change dynamically along with the login status.

[wxiaoguang]

It seems to change dynamically along with the login status.

Can you see some strange logs? For example, something like log.Info("SyncExternalUsers[%s] disabling user %d", source.AuthSource.Name, user.ID)?

[imhun]

It seems to be so.

[wxiaoguang]

The related logic is here. TBH I don't have more ideas about it at the moment. Just FYI.

[wxiaoguang]

I think the problem is related to your SSO's RefreshToken behavior. For example: issuing/expiring/revoking.

[imhun]

Should we disable the user when their session expires? Disabling the user will also affect the use of the app token, which feels a bit unreasonable.

[wxiaoguang]

Should we disable the user when their session expires?

I don't have more ideas about this problem at the moment. And I don't know how your system works (especially the "RefreshToken" part).

Maybe you could try to debug it, and/or provide a reproducible setup with detailed steps then maybe when someone has time they could also take a look.

Disabling the user will also affect the use of the app token, which feels a bit unreasonable.

It is reasonable and correctly designed. The disabled users should have no access to the system.

[imhun]

The default maximum session duration for gitea is one day,configured by parameter SESSION_LIFE_TIME.
The maximum session time for my sso is also one day.
It is possible that the sso session has expired, but the gitea session has not expired. This is why the problem occurred.
I set the maximum session time for sso to be longer than one day, say two days, and then this problem was resolved.