Adding OAuth Authentication - Addendum

In my Adding OAuth Authentication to an Nginx Website article yesterday, I forgot to include one additional configuration setting that I needed to get Vouch to fully work.

With the default example Gitea configuration, I found that I was still getting Unauthorized errors. I had to watch the network calls to get access to the full error message. The problem was that even though I was authenticated, I was not actually authorized. I had to choose to either enable the allowAllUsers setting, or I needed to add specific users to the whitelist.

Since there is only one user for my Gitea site, which one I chose probably wouldn't have made a lot of difference. Even so, using a specific whitelist was more appealing to me, so I updated the vouch section of the config.yml file accordingly:


vouch:
  domains:
  - example.com

  # set allowAllUsers: true to use Vouch Proxy to just accept anyone who can authenticate at Gitea
  # allowAllUsers: true

  # cookie:
    # allow the jwt/cookie to be set into http://yourdomain.com (defaults to true, requiring https://yourdomain.com) 
    # secure: false
    # vouch.cookie.domain must be set when enabling allowAllUsers
    # domain: yourdomain.com

  whiteList:
  - my-user-name

The user name was sufficient; I did not need to include the e-mail address associated with that user name. The initial error messages implied that I did, but my-user-name@mail.example.com did not work, while just using my-user-name did.
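
A small lint for the settings discussed above, as an added example (not code from the original article or from the Vouch Proxy project). It assumes the vouch section of config.yml has already been loaded into a Python dict; the function name audit_vouch_section and the sample dicts are hypothetical.

```python
"""Added example: review the `vouch:` section of a Vouch Proxy config.yml.

Assumption: the section is already parsed into a dict. The rules mirror the
config comments and observations on this page; this is a reviewer's lint,
not Vouch Proxy's own authorization logic.
"""


def audit_vouch_section(vouch: dict) -> list[str]:
    """Return findings about who this configuration authorizes."""
    findings = []
    allow_all = vouch.get("allowAllUsers") is True
    whitelist = vouch.get("whiteList") or []
    cookie = vouch.get("cookie") or {}  # a comment-only `cookie:` key parses as None

    if allow_all:
        findings.append("WARN allowAllUsers: anyone who can authenticate at the provider is accepted")
        if not cookie.get("domain"):
            findings.append("ERROR cookie.domain must be set when allowAllUsers is enabled")
        if whitelist:
            findings.append("WARN whiteList is set together with allowAllUsers; decide which one is intended")
    elif whitelist:
        for entry in whitelist:
            if "@" in str(entry):
                # On this page the e-mail form did not match; the bare user name did.
                findings.append(f"WARN whiteList entry {entry!r} looks like an e-mail address; use the bare user name")
        findings.append(f"OK access limited to {len(whitelist)} whitelisted user(s)")
    else:
        findings.append("WARN neither allowAllUsers nor whiteList is set; authenticated users may still be rejected as unauthorized")

    if cookie.get("secure") is False:
        findings.append("WARN cookie.secure is false: the cookie can be set over plain http://")
    return findings


# Constructed samples: the configuration from this page, and two variants.
PAGE_CONFIG = {"domains": ["example.com"], "cookie": None, "whiteList": ["my-user-name"]}
EMAIL_CONFIG = {"domains": ["example.com"], "whiteList": ["my-user-name@mail.example.com"]}
OPEN_CONFIG = {"domains": ["example.com"], "allowAllUsers": True,
               "cookie": {"secure": False}, "whiteList": ["my-user-name"]}

if __name__ == "__main__":
    for name, cfg in [("page", PAGE_CONFIG), ("email", EMAIL_CONFIG), ("open", OPEN_CONFIG)]:
        print(name)
        for finding in audit_vouch_section(cfg):
            print("  " + finding)
```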