Integrate with Forgejo
Support level: Community
What is Forgejo?
Forgejo is a lightweight, self-hosted alternative to GitHub/GitLab, with a strong emphasis on community governance and open development.
Preparation
The following placeholders are used in this guide:
forgejo.companyis the FQDN of the Forgejo installation.authentik.companyis the FQDN of the authentik installation.
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
authentik configuration
In authentik versions earlier than 2026.5, all Redirect URIs are automatically treated as Authorization type. If you are using one of these older authentik versions, add only the Authorization URL to your Redirect URIs and do not configure a Post Logout URI.
To support the integration of Forgejo with authentik, you need to create an application/provider pair in authentik.
Create an application and provider
-
Log in to authentik as an administrator and open the authentik Admin interface.
-
Navigate to Applications > Applications and click New Application to open the application wizard.
- Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Note the application Slug because it will be required later.
- Choose a Provider type: select OAuth2/OpenID Connect as the provider type.
- Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the Client ID and Client Secret values because they will be required later.
- Add a Redirect URI of type
StrictAuthorizationashttps://<forgejo.company>/user/oauth2/authentik/callback. - Select any available signing key.
- Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's Application Dashboard page.
-
Click Submit to save the new application and provider.
Forgejo configuration
-
Log in to Forgejo as an administrator, then click your profile icon in the top-right corner and select Site Administration.
-
Select the Authentication Sources tab and then click on Add Authentication Source.
-
Set the following required configurations:
- Authentication Name:
authentik. This value must match the name used in the Redirect URI in the previous section. - OAuth2 Provider: select OpenID Connect.
- Client ID (Key): enter the Client ID from authentik.
- Client Secret: enter the Client Secret from authentik.
- Icon URL:
https://authentik.company/static/dist/assets/icons/icon.png - OpenID Connect Auto Discovery URL:
https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration - Additional Scopes:
email profile
- Authentication Name:
-
Click Add Authentication Source.
Enable automatic user registration (optional)
If Forgejo should create user accounts after a successful authentik login, enable OAuth2 auto-registration in the Forgejo configuration:
[oauth2_client]
ENABLE_AUTO_REGISTRATION = true
Restart Forgejo after changing its configuration file.
Configure permissions (optional)
Optionally, application entitlements and property mappings can be created to manage user permissions in Forgejo.
Create application entitlements
The following application entitlements will be created:
gituser: normal Forgejo users.gitadmin: Forgejo users with administrative permissions.gitrestricted: restricted Forgejo users.
Users who are not assigned any of these entitlements will be denied login access. Users assigned the gitadmin entitlement will have full administrative privileges, while users assigned the gitrestricted entitlement will have limited access.
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Applications > Applications and open the Forgejo application.
- Click the Application entitlements tab.
- Click New Entitlement, set the name to
gituser, and then click Create. - Repeat step 4 to create two additional entitlements named
gitadminandgitrestricted. - Open an entitlement and bind the users or groups that need Forgejo access to it.
- Repeat step 6 for the two additional entitlements.
Create custom property mapping
-
Log in to authentik as an administrator and open the authentik Admin interface.
-
Navigate to Customization > Property Mappings and click Create. Create a Scope Mapping with the following configurations:
- Name: Choose a descriptive name (e.g.
authentik forgejo OAuth Mapping: OpenID 'forgejo') - Scope name:
forgejo - Expression:
entitlement_names = {entitlement.namefor entitlement in request.user.app_entitlements(provider.application)}forgejo_claims = {}if "gituser" in entitlement_names:forgejo_claims["forgejo"] = "user"if "gitadmin" in entitlement_names:forgejo_claims["forgejo"] = "admin"if "gitrestricted" in entitlement_names:forgejo_claims["forgejo"] = "restricted"return forgejo_claims - Name: Choose a descriptive name (e.g.
-
Click Finish.
Add the custom property mapping to the provider
-
Log in to authentik as an administrator and open the authentik Admin interface.
-
Navigate to Applications > Providers and click on the Edit icon of the Forgejo provider.
-
Under Advanced protocol settings > Scopes, add the following scope to Selected Scopes:
authentik forgejo OAuth Mapping: OpenID 'forgejo'
-
Click Update.
Configure Forgejo to use the new claims
- Log in to Forgejo as an administrator. Click your profile icon in the top-right corner, and then click Site Administration.
- Select the Authentication Sources tab and edit the authentik Authentication Source.
- Set the following configurations:
- Additional Scopes:
email profile forgejo - Required Claim Name:
forgejo - Claim name providing group names for this source. (Optional):
forgejo - Group Claim value for administrator users. (Optional - requires claim name above):
admin - Group Claim value for restricted users. (Optional - requires claim name above):
restricted
- Additional Scopes:
- Click Update Authentication Source.
Configuration verification
To confirm that authentik is properly configured with Forgejo, open Forgejo and sign in using the Sign in with authentik button.