[GH-ISSUE #73] OIDC using Authentik leading to 500 error #38

New issue

Closed

opened 2026-02-27 15:54:42 +03:00 by kerem · 16 comments

kerem commented 2026-02-27 15:54:42 +03:00

Owner

Copy link

Originally created by @requ1Re on GitHub (Aug 11, 2025).
Original GitHub issue: https://github.com/RayLabsHQ/gitea-mirror/issues/73

Originally assigned to: @arunavo4 on GitHub.

Hi, I am trying to configure authentik as my External Identity Provider but I am always met with an error.

I have set it up using the usual values. When I click on "Sign in with [...]" on the "SSO" Tab of the login page, I get redirected to Authentik as expected, but when I confirm the login and get redirected back, I am met with a 500 Internal Server Error. The log shows the following error:

# SERVER_ERROR:  467 |   let { baseURL, params, query } = option || {
468 |     query: {},
469 |     params: {},
470 |     baseURL: ""
471 |   };
472 |   let basePath = url.startsWith("http") ? url.split("/").slice(0, 3).join("/") : baseURL || "";
                       ^
TypeError: undefined is not an object (evaluating 'url.startsWith')
      at getURL2 (/app/node_modules/@better-fetch/fetch/dist/index.js:472:18)
      at <anonymous> (/app/node_modules/@better-fetch/fetch/dist/index.js:521:16)

I have tried to set this up multiple times but I didn't manage to do it.

Any help would be appreciated, thank you!

Originally created by @requ1Re on GitHub (Aug 11, 2025). Original GitHub issue: https://github.com/RayLabsHQ/gitea-mirror/issues/73 Originally assigned to: @arunavo4 on GitHub. Hi, I am trying to configure authentik as my External Identity Provider but I am always met with an error. I have set it up using the usual values. When I click on "Sign in with [...]" on the "SSO" Tab of the login page, I get redirected to Authentik as expected, but when I confirm the login and get redirected back, I am met with a 500 Internal Server Error. The log shows the following error: ``` # SERVER_ERROR: 467 | let { baseURL, params, query } = option || { 468 | query: {}, 469 | params: {}, 470 | baseURL: "" 471 | }; 472 | let basePath = url.startsWith("http") ? url.split("/").slice(0, 3).join("/") : baseURL || ""; ^ TypeError: undefined is not an object (evaluating 'url.startsWith') at getURL2 (/app/node_modules/@better-fetch/fetch/dist/index.js:472:18) at <anonymous> (/app/node_modules/@better-fetch/fetch/dist/index.js:521:16) ``` I have tried to set this up multiple times but I didn't manage to do it. Any help would be appreciated, thank you!

kerem 2026-02-27 15:54:42 +03:00

• closed this issue
• added the
  bug
  label

kerem commented 2026-02-27 15:54:43 +03:00

Author

Owner

Copy link

@arunavo4 commented on GitHub (Aug 12, 2025):

@requ1Re please put your docker compose and the urls you have setup along minus the creds.

<!-- gh-comment-id:3177751479 --> @arunavo4 commented on GitHub (Aug 12, 2025): @requ1Re please put your docker compose and the urls you have setup along minus the creds.

kerem commented 2026-02-27 15:54:43 +03:00

Author

Owner

Copy link

@requ1Re commented on GitHub (Aug 15, 2025):

Hi, I am not using docker-compose but running the docker image directly using docker run. Other than SSO, everything else is working as expected.

I have set BETTER_AUTH_URL to the URL of the application. I have also tried with and without a trailing slash.

This is the configuration within the application:

<!-- gh-comment-id:3191485923 --> @requ1Re commented on GitHub (Aug 15, 2025): Hi, I am not using docker-compose but running the docker image directly using docker run. Other than SSO, everything else is working as expected. I have set `BETTER_AUTH_URL` to the URL of the application. I have also tried with and without a trailing slash. This is the configuration within the application: <img width="521" height="911" alt="Image" src="https://github.com/user-attachments/assets/a9454380-0179-4c0a-9e0d-6a56aa23325a" />

kerem commented 2026-02-27 15:54:43 +03:00

Author

Owner

Copy link

@bxm156 commented on GitHub (Aug 19, 2025):

I'm receiving the same error when trying to setup Authenitk. I used the Proxmox VE Script to install gitea-mirror

Aug 19 02:26:33 gitea-mirror infisical[14502]: # SERVER_ERROR:  467 |   let { baseURL, params, query } = option || {
Aug 19 02:26:33 gitea-mirror infisical[14502]: 468 |     query: {},
Aug 19 02:26:33 gitea-mirror infisical[14502]: 469 |     params: {},
Aug 19 02:26:33 gitea-mirror infisical[14502]: 470 |     baseURL: ""
Aug 19 02:26:33 gitea-mirror infisical[14502]: 471 |   };
Aug 19 02:26:33 gitea-mirror infisical[14502]: 472 |   let basePath = url.startsWith("http") ? url.split("/").slice(0, 3).join("/") : baseURL || "";
Aug 19 02:26:33 gitea-mirror infisical[14502]:                        ^
Aug 19 02:26:33 gitea-mirror infisical[14502]: TypeError: undefined is not an object (evaluating 'url.startsWith')
Aug 19 02:26:33 gitea-mirror infisical[14502]:       at getURL2 (/opt/gitea-mirror/node_modules/@better-fetch/fetch/dist/index.js:472:18)
Aug 19 02:26:33 gitea-mirror infisical[14502]:       at <anonymous> (/opt/gitea-mirror/node_modules/@better-fetch/fetch/dist/index.js:521:16)

<!-- gh-comment-id:3199973376 --> @bxm156 commented on GitHub (Aug 19, 2025): I'm receiving the same error when trying to setup Authenitk. I used the Proxmox VE Script to install gitea-mirror ``` Aug 19 02:26:33 gitea-mirror infisical[14502]: # SERVER_ERROR: 467 | let { baseURL, params, query } = option || { Aug 19 02:26:33 gitea-mirror infisical[14502]: 468 | query: {}, Aug 19 02:26:33 gitea-mirror infisical[14502]: 469 | params: {}, Aug 19 02:26:33 gitea-mirror infisical[14502]: 470 | baseURL: "" Aug 19 02:26:33 gitea-mirror infisical[14502]: 471 | }; Aug 19 02:26:33 gitea-mirror infisical[14502]: 472 | let basePath = url.startsWith("http") ? url.split("/").slice(0, 3).join("/") : baseURL || ""; Aug 19 02:26:33 gitea-mirror infisical[14502]: ^ Aug 19 02:26:33 gitea-mirror infisical[14502]: TypeError: undefined is not an object (evaluating 'url.startsWith') Aug 19 02:26:33 gitea-mirror infisical[14502]: at getURL2 (/opt/gitea-mirror/node_modules/@better-fetch/fetch/dist/index.js:472:18) Aug 19 02:26:33 gitea-mirror infisical[14502]: at <anonymous> (/opt/gitea-mirror/node_modules/@better-fetch/fetch/dist/index.js:521:16) ```

kerem commented 2026-02-27 15:54:43 +03:00

Author

Owner

Copy link

@hllshiro commented on GitHub (Aug 26, 2025):

I used the docker-compose.yml and .env provided by the repository and encountered the same error.

gitea-mirror  | # SERVER_ERROR:  467 |   let { baseURL, params, query } = option || {
gitea-mirror  | 468 |     query: {},
gitea-mirror  | 469 |     params: {},
gitea-mirror  | 470 |     baseURL: ""
gitea-mirror  | 471 |   };
gitea-mirror  | 472 |   let basePath = url.startsWith("http") ? url.split("/").slice(0, 3).join("/") : baseURL || "";
gitea-mirror  |                        ^
gitea-mirror  | TypeError: undefined is not an object (evaluating 'url.startsWith')
gitea-mirror  |       at getURL2 (/app/node_modules/@better-fetch/fetch/dist/index.js:472:18)
gitea-mirror  |       at <anonymous> (/app/node_modules/@better-fetch/fetch/dist/index.js:521:16)
gitea-mirror  | 

services:
  gitea-mirror:
    image: ghcr.io/raylabshq/gitea-mirror:latest
    container_name: gitea-mirror
    restart: unless-stopped
    ports:
      - ${PORT:-4321}:4321
    user: ${PUID:-1000}:${PGID:-1000}
    volumes:
      - ./data:/app/data
    environment:
      # For a complete list of all supported environment variables, see:
      # docs/ENVIRONMENT_VARIABLES.md or .env.example
      - NODE_ENV=production
      - DATABASE_URL=file:data/gitea-mirror.db
      - HOST=0.0.0.0
      - PORT=4321
      - BETTER_AUTH_URL=https://gitea-mirror.xxx.cn:9443
      - BETTER_AUTH_SECRET=${BETTER_AUTH_SECRET:-your-secret-key-change-this-in-production}
    env_file:
      - .env
    healthcheck:
      test:
        - CMD
        - wget
        - --no-verbose
        - --tries=3
        - --spider
        - http://localhost:4321/api/health
      interval: 30s
      timeout: 10s
      retries: 5
      start_period: 15s
networks: {}

# Gitea Mirror Configuration
# Copy this to .env and update with your values

# ===========================================
# CORE CONFIGURATION
# ===========================================

# Application Configuration
NODE_ENV=production
HOST=0.0.0.0
PORT=4321

# Database Configuration
# For self-hosted, SQLite is used by default
DATABASE_URL=sqlite://data/gitea-mirror.db

# Security
# Generate with: openssl rand -base64 32
BETTER_AUTH_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
BETTER_AUTH_URL=https://gitea-mirror.xxx.cn:9443
# ENCRYPTION_SECRET=optional-encryption-key-for-token-encryption # Generate with: openssl rand -base64 48

# ===========================================
# DOCKER CONFIGURATION (Optional)
# ===========================================

# Docker Registry Configuration
DOCKER_REGISTRY=ghcr.io
DOCKER_IMAGE=arunavo4/gitea-mirror
DOCKER_TAG=latest

# ===========================================
# GITHUB CONFIGURATION
# All settings can also be configured via web UI
# ===========================================

# Basic GitHub Settings
# GITHUB_USERNAME=your-github-username
# GITHUB_TOKEN=your-github-personal-access-token
# GITHUB_TYPE=personal  # Options: personal, organization

# Repository Selection
# PRIVATE_REPOSITORIES=false
# PUBLIC_REPOSITORIES=true
# INCLUDE_ARCHIVED=false
# SKIP_FORKS=false
# MIRROR_STARRED=false
# STARRED_REPOS_ORG=starred  # Organization name for starred repos

# Organization Settings
# MIRROR_ORGANIZATIONS=false
# PRESERVE_ORG_STRUCTURE=false
# ONLY_MIRROR_ORGS=false

# Mirror Strategy
# MIRROR_STRATEGY=preserve  # Options: preserve, single-org, flat-user, mixed

# Advanced GitHub Settings
# SKIP_STARRED_ISSUES=false  # Enable lightweight mode for starred repos

# ===========================================
# GITEA CONFIGURATION
# All settings can also be configured via web UI
# ===========================================

# Basic Gitea Settings
# GITEA_URL=http://gitea:3000
# GITEA_TOKEN=your-local-gitea-token
# GITEA_USERNAME=your-local-gitea-username
# GITEA_ORGANIZATION=github-mirrors  # Default organization for single-org strategy

# Repository Settings
# GITEA_ORG_VISIBILITY=public  # Options: public, private, limited, default
# GITEA_MIRROR_INTERVAL=8h  # Mirror sync interval (e.g., 30m, 1h, 8h, 24h)
# GITEA_LFS=false  # Enable LFS support
# GITEA_CREATE_ORG=true  # Auto-create organizations
# GITEA_PRESERVE_VISIBILITY=false  # Preserve GitHub repo visibility in Gitea

# Template Settings (for using repository templates)
# GITEA_TEMPLATE_OWNER=template-owner
# GITEA_TEMPLATE_REPO=template-repo

# Topic Settings
# GITEA_ADD_TOPICS=true  # Add topics to repositories
# GITEA_TOPIC_PREFIX=gh-  # Prefix for topics

# Fork Handling
# GITEA_FORK_STRATEGY=reference  # Options: skip, reference, full-copy

# ===========================================
# MIRROR OPTIONS
# Control what gets mirrored from GitHub
# ===========================================

# Release and Metadata
# MIRROR_RELEASES=false  # Mirror GitHub releases
# MIRROR_WIKI=false  # Mirror wiki content

# Issue Tracking (requires MIRROR_METADATA=true)
# MIRROR_METADATA=false  # Master toggle for metadata mirroring
# MIRROR_ISSUES=false  # Mirror issues
# MIRROR_PULL_REQUESTS=false  # Mirror pull requests
# MIRROR_LABELS=false  # Mirror labels
# MIRROR_MILESTONES=false  # Mirror milestones

# ===========================================
# AUTOMATION CONFIGURATION
# Schedule automatic mirroring
# ===========================================

# Basic Schedule Settings
# SCHEDULE_ENABLED=false
# SCHEDULE_INTERVAL=3600  # Interval in seconds or cron expression (e.g., "0 2 * * *")
# DELAY=3600  # Legacy: same as SCHEDULE_INTERVAL, kept for backward compatibility

# Execution Settings
# SCHEDULE_CONCURRENT=false  # Allow concurrent mirror operations
# SCHEDULE_BATCH_SIZE=10  # Number of repos to process in parallel
# SCHEDULE_PAUSE_BETWEEN_BATCHES=5000  # Pause between batches (ms)

# Retry Configuration
# SCHEDULE_RETRY_ATTEMPTS=3
# SCHEDULE_RETRY_DELAY=60000  # Delay between retries (ms)
# SCHEDULE_TIMEOUT=3600000  # Max time for a mirror operation (ms)
# SCHEDULE_AUTO_RETRY=true

# Update Detection
# SCHEDULE_ONLY_MIRROR_UPDATED=false  # Only mirror repos with updates
# SCHEDULE_UPDATE_INTERVAL=86400000  # Check for updates interval (ms)
# SCHEDULE_SKIP_RECENTLY_MIRRORED=true
# SCHEDULE_RECENT_THRESHOLD=3600000  # Skip if mirrored within this time (ms)

# Maintenance
# SCHEDULE_CLEANUP_BEFORE_MIRROR=false  # Run cleanup before mirroring

# Notifications
# SCHEDULE_NOTIFY_ON_FAILURE=true
# SCHEDULE_NOTIFY_ON_SUCCESS=false
# SCHEDULE_LOG_LEVEL=info  # Options: error, warn, info, debug
# SCHEDULE_TIMEZONE=UTC

# ===========================================
# DATABASE CLEANUP CONFIGURATION
# Automatic cleanup of old events and data
# ===========================================

# Basic Cleanup Settings
# CLEANUP_ENABLED=false
# CLEANUP_RETENTION_DAYS=7  # Days to keep events

# Repository Cleanup
# CLEANUP_DELETE_FROM_GITEA=false  # Delete repos from Gitea
# CLEANUP_DELETE_IF_NOT_IN_GITHUB=true  # Delete if not in GitHub
# CLEANUP_ORPHANED_REPO_ACTION=archive  # Options: skip, archive, delete
# CLEANUP_DRY_RUN=true  # Test mode without actual deletion

# Protected Repositories (comma-separated)
# CLEANUP_PROTECTED_REPOS=important-repo,critical-project

# Cleanup Execution
# CLEANUP_BATCH_SIZE=10
# CLEANUP_PAUSE_BETWEEN_DELETES=2000  # Pause between deletions (ms)

# ===========================================
# AUTHENTICATION CONFIGURATION
# ===========================================

# Header Authentication (for Reverse Proxy SSO)
# Enable automatic authentication via reverse proxy headers
# HEADER_AUTH_ENABLED=false
# HEADER_AUTH_USER_HEADER=X-Authentik-Username
# HEADER_AUTH_EMAIL_HEADER=X-Authentik-Email
# HEADER_AUTH_NAME_HEADER=X-Authentik-Name
# HEADER_AUTH_AUTO_PROVISION=false
# HEADER_AUTH_ALLOWED_DOMAINS=example.com,company.org

# ===========================================
# OPTIONAL FEATURES
# ===========================================

# TLS/SSL Configuration
# GITEA_SKIP_TLS_VERIFY=false  # WARNING: Only use for testing

<!-- gh-comment-id:3222947905 --> @hllshiro commented on GitHub (Aug 26, 2025): I used the docker-compose.yml and .env provided by the repository and encountered the same error. ```log gitea-mirror | # SERVER_ERROR: 467 | let { baseURL, params, query } = option || { gitea-mirror | 468 | query: {}, gitea-mirror | 469 | params: {}, gitea-mirror | 470 | baseURL: "" gitea-mirror | 471 | }; gitea-mirror | 472 | let basePath = url.startsWith("http") ? url.split("/").slice(0, 3).join("/") : baseURL || ""; gitea-mirror | ^ gitea-mirror | TypeError: undefined is not an object (evaluating 'url.startsWith') gitea-mirror | at getURL2 (/app/node_modules/@better-fetch/fetch/dist/index.js:472:18) gitea-mirror | at <anonymous> (/app/node_modules/@better-fetch/fetch/dist/index.js:521:16) gitea-mirror | ``` ```yaml services: gitea-mirror: image: ghcr.io/raylabshq/gitea-mirror:latest container_name: gitea-mirror restart: unless-stopped ports: - ${PORT:-4321}:4321 user: ${PUID:-1000}:${PGID:-1000} volumes: - ./data:/app/data environment: # For a complete list of all supported environment variables, see: # docs/ENVIRONMENT_VARIABLES.md or .env.example - NODE_ENV=production - DATABASE_URL=file:data/gitea-mirror.db - HOST=0.0.0.0 - PORT=4321 - BETTER_AUTH_URL=https://gitea-mirror.xxx.cn:9443 - BETTER_AUTH_SECRET=${BETTER_AUTH_SECRET:-your-secret-key-change-this-in-production} env_file: - .env healthcheck: test: - CMD - wget - --no-verbose - --tries=3 - --spider - http://localhost:4321/api/health interval: 30s timeout: 10s retries: 5 start_period: 15s networks: {} ``` ```ini # Gitea Mirror Configuration # Copy this to .env and update with your values # =========================================== # CORE CONFIGURATION # =========================================== # Application Configuration NODE_ENV=production HOST=0.0.0.0 PORT=4321 # Database Configuration # For self-hosted, SQLite is used by default DATABASE_URL=sqlite://data/gitea-mirror.db # Security # Generate with: openssl rand -base64 32 BETTER_AUTH_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx BETTER_AUTH_URL=https://gitea-mirror.xxx.cn:9443 # ENCRYPTION_SECRET=optional-encryption-key-for-token-encryption # Generate with: openssl rand -base64 48 # =========================================== # DOCKER CONFIGURATION (Optional) # =========================================== # Docker Registry Configuration DOCKER_REGISTRY=ghcr.io DOCKER_IMAGE=arunavo4/gitea-mirror DOCKER_TAG=latest # =========================================== # GITHUB CONFIGURATION # All settings can also be configured via web UI # =========================================== # Basic GitHub Settings # GITHUB_USERNAME=your-github-username # GITHUB_TOKEN=your-github-personal-access-token # GITHUB_TYPE=personal # Options: personal, organization # Repository Selection # PRIVATE_REPOSITORIES=false # PUBLIC_REPOSITORIES=true # INCLUDE_ARCHIVED=false # SKIP_FORKS=false # MIRROR_STARRED=false # STARRED_REPOS_ORG=starred # Organization name for starred repos # Organization Settings # MIRROR_ORGANIZATIONS=false # PRESERVE_ORG_STRUCTURE=false # ONLY_MIRROR_ORGS=false # Mirror Strategy # MIRROR_STRATEGY=preserve # Options: preserve, single-org, flat-user, mixed # Advanced GitHub Settings # SKIP_STARRED_ISSUES=false # Enable lightweight mode for starred repos # =========================================== # GITEA CONFIGURATION # All settings can also be configured via web UI # =========================================== # Basic Gitea Settings # GITEA_URL=http://gitea:3000 # GITEA_TOKEN=your-local-gitea-token # GITEA_USERNAME=your-local-gitea-username # GITEA_ORGANIZATION=github-mirrors # Default organization for single-org strategy # Repository Settings # GITEA_ORG_VISIBILITY=public # Options: public, private, limited, default # GITEA_MIRROR_INTERVAL=8h # Mirror sync interval (e.g., 30m, 1h, 8h, 24h) # GITEA_LFS=false # Enable LFS support # GITEA_CREATE_ORG=true # Auto-create organizations # GITEA_PRESERVE_VISIBILITY=false # Preserve GitHub repo visibility in Gitea # Template Settings (for using repository templates) # GITEA_TEMPLATE_OWNER=template-owner # GITEA_TEMPLATE_REPO=template-repo # Topic Settings # GITEA_ADD_TOPICS=true # Add topics to repositories # GITEA_TOPIC_PREFIX=gh- # Prefix for topics # Fork Handling # GITEA_FORK_STRATEGY=reference # Options: skip, reference, full-copy # =========================================== # MIRROR OPTIONS # Control what gets mirrored from GitHub # =========================================== # Release and Metadata # MIRROR_RELEASES=false # Mirror GitHub releases # MIRROR_WIKI=false # Mirror wiki content # Issue Tracking (requires MIRROR_METADATA=true) # MIRROR_METADATA=false # Master toggle for metadata mirroring # MIRROR_ISSUES=false # Mirror issues # MIRROR_PULL_REQUESTS=false # Mirror pull requests # MIRROR_LABELS=false # Mirror labels # MIRROR_MILESTONES=false # Mirror milestones # =========================================== # AUTOMATION CONFIGURATION # Schedule automatic mirroring # =========================================== # Basic Schedule Settings # SCHEDULE_ENABLED=false # SCHEDULE_INTERVAL=3600 # Interval in seconds or cron expression (e.g., "0 2 * * *") # DELAY=3600 # Legacy: same as SCHEDULE_INTERVAL, kept for backward compatibility # Execution Settings # SCHEDULE_CONCURRENT=false # Allow concurrent mirror operations # SCHEDULE_BATCH_SIZE=10 # Number of repos to process in parallel # SCHEDULE_PAUSE_BETWEEN_BATCHES=5000 # Pause between batches (ms) # Retry Configuration # SCHEDULE_RETRY_ATTEMPTS=3 # SCHEDULE_RETRY_DELAY=60000 # Delay between retries (ms) # SCHEDULE_TIMEOUT=3600000 # Max time for a mirror operation (ms) # SCHEDULE_AUTO_RETRY=true # Update Detection # SCHEDULE_ONLY_MIRROR_UPDATED=false # Only mirror repos with updates # SCHEDULE_UPDATE_INTERVAL=86400000 # Check for updates interval (ms) # SCHEDULE_SKIP_RECENTLY_MIRRORED=true # SCHEDULE_RECENT_THRESHOLD=3600000 # Skip if mirrored within this time (ms) # Maintenance # SCHEDULE_CLEANUP_BEFORE_MIRROR=false # Run cleanup before mirroring # Notifications # SCHEDULE_NOTIFY_ON_FAILURE=true # SCHEDULE_NOTIFY_ON_SUCCESS=false # SCHEDULE_LOG_LEVEL=info # Options: error, warn, info, debug # SCHEDULE_TIMEZONE=UTC # =========================================== # DATABASE CLEANUP CONFIGURATION # Automatic cleanup of old events and data # =========================================== # Basic Cleanup Settings # CLEANUP_ENABLED=false # CLEANUP_RETENTION_DAYS=7 # Days to keep events # Repository Cleanup # CLEANUP_DELETE_FROM_GITEA=false # Delete repos from Gitea # CLEANUP_DELETE_IF_NOT_IN_GITHUB=true # Delete if not in GitHub # CLEANUP_ORPHANED_REPO_ACTION=archive # Options: skip, archive, delete # CLEANUP_DRY_RUN=true # Test mode without actual deletion # Protected Repositories (comma-separated) # CLEANUP_PROTECTED_REPOS=important-repo,critical-project # Cleanup Execution # CLEANUP_BATCH_SIZE=10 # CLEANUP_PAUSE_BETWEEN_DELETES=2000 # Pause between deletions (ms) # =========================================== # AUTHENTICATION CONFIGURATION # =========================================== # Header Authentication (for Reverse Proxy SSO) # Enable automatic authentication via reverse proxy headers # HEADER_AUTH_ENABLED=false # HEADER_AUTH_USER_HEADER=X-Authentik-Username # HEADER_AUTH_EMAIL_HEADER=X-Authentik-Email # HEADER_AUTH_NAME_HEADER=X-Authentik-Name # HEADER_AUTH_AUTO_PROVISION=false # HEADER_AUTH_ALLOWED_DOMAINS=example.com,company.org # =========================================== # OPTIONAL FEATURES # =========================================== # TLS/SSL Configuration # GITEA_SKIP_TLS_VERIFY=false # WARNING: Only use for testing ```

kerem commented 2026-02-27 15:54:43 +03:00

Author

Owner

Copy link

@arunavo4 commented on GitHub (Aug 28, 2025):

Thanks for reporting this. Will test and fix this issue

<!-- gh-comment-id:3233824300 --> @arunavo4 commented on GitHub (Aug 28, 2025): Thanks for reporting this. Will test and fix this issue

kerem commented 2026-02-27 15:54:43 +03:00

Author

Owner

Copy link

@hllshiro commented on GitHub (Sep 3, 2025):

v3.5.0 has an update "Updates to auth url", is that related to this issue? I tested v3.5.1, the issue is still there.

<!-- gh-comment-id:3249834191 --> @hllshiro commented on GitHub (Sep 3, 2025): v3.5.0 has an update "Updates to auth url", is that related to this issue? I tested v3.5.1, the issue is still there.

kerem commented 2026-02-27 15:54:43 +03:00

Author

Owner

Copy link

@arunavo4 commented on GitHub (Sep 3, 2025):

Yea it's a partial fix, I will make a proper fix and test it this week and update here. Thank you for testing it.

<!-- gh-comment-id:3250094894 --> @arunavo4 commented on GitHub (Sep 3, 2025): Yea it's a partial fix, I will make a proper fix and test it this week and update here. Thank you for testing it.

kerem commented 2026-02-27 15:54:43 +03:00

Author

Owner

Copy link

@arunavo4 commented on GitHub (Oct 22, 2025):

@bxm156 @requ1Re @hllshiro please try the new v3.8.7 the better-auth library that was being used have solved some of the issues that was holding this off. Once you test it and let me know if it works now.

<!-- gh-comment-id:3432439117 --> @arunavo4 commented on GitHub (Oct 22, 2025): @bxm156 @requ1Re @hllshiro please try the new `v3.8.7` the better-auth library that was being used have solved some of the issues that was holding this off. Once you test it and let me know if it works now.

kerem commented 2026-02-27 15:54:43 +03:00

Author

Owner

Copy link

@hllshiro commented on GitHub (Oct 23, 2025):

I am currently out of town. I just remotely updated the container and conducted a simple test: it seems the issue still persists, and the error message is the same as before.

gitea-mirror  | # SERVER_ERROR:  467 |   let { baseURL, params, query } = option || {
gitea-mirror  | 468 |     query: {},
gitea-mirror  | 469 |     params: {},
gitea-mirror  | 470 |     baseURL: ""
gitea-mirror  | 471 |   };
gitea-mirror  | 472 |   let basePath = url.startsWith("http") ? url.split("/").slice(0, 3).join("/") : baseURL || "";
gitea-mirror  |                        ^
gitea-mirror  | TypeError: undefined is not an object (evaluating 'url.startsWith')
gitea-mirror  |       at getURL2 (/app/node_modules/@better-fetch/fetch/dist/index.js:472:18)
gitea-mirror  |       at <anonymous> (/app/node_modules/@better-fetch/fetch/dist/index.js:521:16)

The configuration I'm using is consistent with the previous one, which is listed above. Could you please check if there is any error in the configuration? Additionally, I'm using Nginx Proxy Manager for reverse proxy, and the advanced configuration is as shown below:

location / {
    proxy_pass http://172.17.0.1:4321;

    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
}

<!-- gh-comment-id:3434806999 --> @hllshiro commented on GitHub (Oct 23, 2025): I am currently out of town. I just remotely updated the container and conducted a simple test: it seems the issue still persists, and the error message is the same as before. ``` gitea-mirror | # SERVER_ERROR: 467 | let { baseURL, params, query } = option || { gitea-mirror | 468 | query: {}, gitea-mirror | 469 | params: {}, gitea-mirror | 470 | baseURL: "" gitea-mirror | 471 | }; gitea-mirror | 472 | let basePath = url.startsWith("http") ? url.split("/").slice(0, 3).join("/") : baseURL || ""; gitea-mirror | ^ gitea-mirror | TypeError: undefined is not an object (evaluating 'url.startsWith') gitea-mirror | at getURL2 (/app/node_modules/@better-fetch/fetch/dist/index.js:472:18) gitea-mirror | at <anonymous> (/app/node_modules/@better-fetch/fetch/dist/index.js:521:16) ``` The configuration I'm using is consistent with the previous one, which is listed above. Could you please check if there is any error in the configuration? Additionally, I'm using Nginx Proxy Manager for reverse proxy, and the advanced configuration is as shown below: ```nginx location / { proxy_pass http://172.17.0.1:4321; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $http_host; } ```

kerem commented 2026-02-27 15:54:43 +03:00

Author

Owner

Copy link

@arunavo4 commented on GitHub (Oct 23, 2025):

@hllshiro thanks for sharing I will have to try and replicate this. Else I think it will be better if I can do a docker-compose with authentik and then share a guide with it. that way everyone can have a starting point that works.

<!-- gh-comment-id:3435070952 --> @arunavo4 commented on GitHub (Oct 23, 2025): @hllshiro thanks for sharing I will have to try and replicate this. Else I think it will be better if I can do a docker-compose with authentik and then share a guide with it. that way everyone can have a starting point that works.

kerem commented 2026-02-27 15:54:43 +03:00

Author

Owner

Copy link

@arunavo4 commented on GitHub (Oct 26, 2025):

@hllshiro recently this issue #134 poped up and we were able to get it to work with authentik in v3.8.10 after a few updates. Give it a try once and see if it solves your issue.

Also, if possible do a fresh install.

<!-- gh-comment-id:3448551891 --> @arunavo4 commented on GitHub (Oct 26, 2025): @hllshiro recently this issue #134 poped up and we were able to get it to work with authentik in `v3.8.10` after a few updates. Give it a try once and see if it solves your issue. Also, if possible do a fresh install.

kerem commented 2026-02-27 15:54:43 +03:00

Author

Owner

Copy link

@arunavo4 commented on GitHub (Oct 26, 2025):

@bxm156 @requ1Re @hllshiro This has been finally fixed in v3.8.10 but you need to wipe your existing Authentik provider (create a new provider with a fresh
providerId) and add it again on v3.8.10 on a fresh install using Discover so the normalized config (with token endpoint) gets stored. confirmed in #122 and #134

<!-- gh-comment-id:3448579423 --> @arunavo4 commented on GitHub (Oct 26, 2025): @bxm156 @requ1Re @hllshiro This has been finally fixed in `v3.8.10` but you need to wipe your existing Authentik provider (create a new provider with a fresh providerId) and add it again on v3.8.10 on a fresh install using Discover so the normalized config (with token endpoint) gets stored. confirmed in #122 and #134

kerem commented 2026-02-27 15:54:43 +03:00

Author

Owner

Copy link

@hllshiro commented on GitHub (Oct 29, 2025):

I just updated to v3.8.10 and followed the instructions, removed the old configured oidc and re-added, and now I get another error

gitea-mirror  | 2025-10-29T14:07:31.922Z ERROR [Better Auth]: TypeError: undefined is not an object (evaluating 'keys.find')

<!-- gh-comment-id:3461738832 --> @hllshiro commented on GitHub (Oct 29, 2025): I just updated to v3.8.10 and followed the instructions, removed the old configured oidc and re-added, and now I get another error ``` gitea-mirror | 2025-10-29T14:07:31.922Z ERROR [Better Auth]: TypeError: undefined is not an object (evaluating 'keys.find') ```

kerem commented 2026-02-27 15:54:43 +03:00

Author

Owner

Copy link

@arunavo4 commented on GitHub (Nov 8, 2025):

@hllshiro You are using docker right? Can you try a few common things here

1. Verify Authentik's JWKS Endpoint is Accessible

From inside the gitea-mirror container, test the JWKS endpoint:

# Get a shell in the container
docker exec -it <container-name> sh

# Test JWKS endpoint (replace with your Authentik URL)
curl https://your-authentik.domain/application/o/<app-slug>/jwks/

Expected response format:

{
  "keys": [
    {
      "kty": "RSA",
      "kid": "...",
      "use": "sig",
      "n": "...",
      "e": "AQAB"
    }
  ]
}

If you get anything else (empty, 404, different format), that's the problem.

2. Authentik Provider Configuration

In Authentik, verify:

Provider type: Use OAuth2/OIDC (not Proxy or SAML)
Flow: Authorization Code flow (not Implicit if possible)
Scopes: At minimum include openid, email, profile
Application type: Web application

3. Authentik JWKS Known Issues

Some Authentik versions have JWKS-related quirks:

Option A - Use Application-Specific Issuer:

Issuer: https://authentik.domain/application/o//
Option B - Use Root Issuer (if Option A fails):

Issuer: https://authentik.domain/application/o//

P.S: Make sure to delete the docker volume and reinstall the whole app once more with correct config and also try and recreate the OIDC /SSO once more just to be sure. Since two people were seperately able to verify it works. I am not sure what else can be wrong with it. But your error message here points to not JSON Web Key Set most likely as thats what is matching when I did a quick search in better auth lib thats being used for OIDC/SSO.

<!-- gh-comment-id:3505759803 --> @arunavo4 commented on GitHub (Nov 8, 2025): @hllshiro You are using docker right? Can you try a few common things here #### 1. Verify Authentik's JWKS Endpoint is Accessible From inside the gitea-mirror container, test the JWKS endpoint: ```bash # Get a shell in the container docker exec -it <container-name> sh # Test JWKS endpoint (replace with your Authentik URL) curl https://your-authentik.domain/application/o/<app-slug>/jwks/ ``` Expected response format: ```bash { "keys": [ { "kty": "RSA", "kid": "...", "use": "sig", "n": "...", "e": "AQAB" } ] } ``` If you get anything else (empty, 404, different format), that's the problem. #### 2. Authentik Provider Configuration In Authentik, verify: Provider type: Use OAuth2/OIDC (not Proxy or SAML) Flow: Authorization Code flow (not Implicit if possible) Scopes: At minimum include openid, email, profile Application type: Web application #### 3. Authentik JWKS Known Issues Some Authentik versions have JWKS-related quirks: Option A - Use Application-Specific Issuer: Issuer: https://authentik.domain/application/o/<your-app-slug>/ Option B - Use Root Issuer (if Option A fails): Issuer: https://authentik.domain/application/o/<provider-slug>/ P.S: Make sure to delete the docker volume and reinstall the whole app once more with correct config and also try and recreate the OIDC /SSO once more just to be sure. Since two people were seperately able to verify it works. I am not sure what else can be wrong with it. But your error message here points to not JSON Web Key Set most likely as thats what is matching when I did a quick search in better auth lib thats being used for OIDC/SSO.

kerem commented 2026-02-27 15:54:44 +03:00

Author

Owner

Copy link

@hllshiro commented on GitHub (Nov 17, 2025):

@hllshiro You are using docker right? Can you try a few common things here

1. Verify Authentik's JWKS Endpoint is Accessible

From inside the gitea-mirror container, test the JWKS endpoint:

Get a shell in the container

docker exec -it sh

Test JWKS endpoint (replace with your Authentik URL)

curl https://your-authentik.domain/application/o//jwks/
Expected response format:

{
"keys": [
{
"kty": "RSA",
"kid": "...",
"use": "sig",
"n": "...",
"e": "AQAB"
}
]
}
If you get anything else (empty, 404, different format), that's the problem.

2. Authentik Provider Configuration

In Authentik, verify:

Provider type: Use OAuth2/OIDC (not Proxy or SAML) Flow: Authorization Code flow (not Implicit if possible) Scopes: At minimum include openid, email, profile Application type: Web application

3. Authentik JWKS Known Issues

Some Authentik versions have JWKS-related quirks:

Option A - Use Application-Specific Issuer:

Issuer: https://authentik.domain/application/o// Option B - Use Root Issuer (if Option A fails):

Issuer: https://authentik.domain/application/o//

P.S: Make sure to delete the docker volume and reinstall the whole app once more with correct config and also try and recreate the OIDC /SSO once more just to be sure. Since two people were seperately able to verify it works. I am not sure what else can be wrong with it. But your error message here points to not JSON Web Key Set most likely as thats what is matching when I did a quick search in better auth lib thats being used for OIDC/SSO.

Sorry for the late reply—I’ve been swamped with moving recently. I’ve run the tests as you suggested, and just as you suspected, the /jwks endpoint returned empty data {}. After checking (I compared it with other providers), I confirmed the issue was a missing signing key. Everything works perfectly now after proper configuration. Thank you so much for your help and detailed guidance!
If you need any additional verification or have further checks to suggest, feel free to let me know—I’m happy to run more tests to ensure stability.

<!-- gh-comment-id:3541518522 --> @hllshiro commented on GitHub (Nov 17, 2025): > [@hllshiro](https://github.com/hllshiro) You are using docker right? Can you try a few common things here > > #### 1. Verify Authentik's JWKS Endpoint is Accessible > From inside the gitea-mirror container, test the JWKS endpoint: > > # Get a shell in the container > docker exec -it <container-name> sh > > # Test JWKS endpoint (replace with your Authentik URL) > curl https://your-authentik.domain/application/o/<app-slug>/jwks/ > Expected response format: > > { > "keys": [ > { > "kty": "RSA", > "kid": "...", > "use": "sig", > "n": "...", > "e": "AQAB" > } > ] > } > If you get anything else (empty, 404, different format), that's the problem. > > #### 2. Authentik Provider Configuration > In Authentik, verify: > > Provider type: Use OAuth2/OIDC (not Proxy or SAML) Flow: Authorization Code flow (not Implicit if possible) Scopes: At minimum include openid, email, profile Application type: Web application > > #### 3. Authentik JWKS Known Issues > Some Authentik versions have JWKS-related quirks: > > Option A - Use Application-Specific Issuer: > > Issuer: https://authentik.domain/application/o// Option B - Use Root Issuer (if Option A fails): > > Issuer: https://authentik.domain/application/o// > > P.S: Make sure to delete the docker volume and reinstall the whole app once more with correct config and also try and recreate the OIDC /SSO once more just to be sure. Since two people were seperately able to verify it works. I am not sure what else can be wrong with it. But your error message here points to not JSON Web Key Set most likely as thats what is matching when I did a quick search in better auth lib thats being used for OIDC/SSO. Sorry for the late reply—I’ve been swamped with moving recently. I’ve run the tests as you suggested, and just as you suspected, the /jwks endpoint returned empty data {}. After checking (I compared it with other providers), I confirmed the issue was a missing signing key. Everything works perfectly now after proper configuration. Thank you so much for your help and detailed guidance! If you need any additional verification or have further checks to suggest, feel free to let me know—I’m happy to run more tests to ensure stability.

kerem commented 2026-02-27 15:54:44 +03:00

Author

Owner

Copy link

@arunavo4 commented on GitHub (Nov 17, 2025):

Perfect. I think I will take these few OIDC issues and make the docs better. Closing this for now.

<!-- gh-comment-id:3542327552 --> @arunavo4 commented on GitHub (Nov 17, 2025): Perfect. I think I will take these few OIDC issues and make the docs better. Closing this for now.

kerem referenced this issue 2026-02-27 15:55:10 +03:00

[PR #38] [MERGED] Create docker-compose.alt.yml #107

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

fix/mirror-sync-bugs-262-263-264

v3.15.5

v3.15.4

v3.15.3

v3.15.2

v3.15.1

v3.15.0

v3.14.2

v3.14.1

v3.14.0

v3.13.4

v3.13.3

v3.13.2

v3.13.1

v3.13.0

v3.12.5

v3.12.4

v3.12.3

v3.12.2

v3.12.1

v3.12.0

v3.11.0

v3.10.1

v3.10.0

v3.9.6

v3.9.5

v3.9.4

v3.9.3

v3.9.2

v3.9.0

v3.8.11

v3.8.10

v3.8.9

v3.8.8

v3.8.7

v3.8.6

v3.8.5

v3.8.4

v3.8.3

v3.8.2

v3.8.1

v3.8.0

v3-sso

v3.7.2

v3.7.1

v3.7.0

v3.6.0

v3.5.4

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.0

v3.3.0

v3.2.6

v3.2.5

v3.2.4

v3.2.3

v3.2.2

v3.2.1

v3.2.0

v3.1.1

v3.1.0

v3.0.1

v3.0.0

v2.22.0

v2.21.0

v2.20.1

v2.20.0

v2.18.0

v2.17.0

v2.16.3

v2.16.2

v2.16.1

v2.16.0

v2.15.0

v2.14.0

v2.13.2

v2.13.1

v2.13.0

v2.12.0

v2.11.2

v2.11.1

v2.11.0

v2.10.0

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.8.0

v2.7.0

v2.6.0

v2.5.4

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.1.0

v2.0.0

v1.0.0

Labels

Clear labels   

bug

  

documentation

  

enhancement

  

help wanted

  

pull-request

Mirrored from GitHub Pull Request

  

question

No labels

bug

documentation

enhancement

help wanted

pull-request

question

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/gitea-mirror#38

No description provided.