
gitea-nostr-auth

An OAuth2/OIDC provider that enables Nostr NIP-07 browser extension authentication for Gitea. Allows users to sign in to Gitea using their Nostr identity.

Features

Quick Start

1. Build

go build ./cmd/nostr-oauth2-server

2. Configure

Copy config.example.yaml to config.yaml and update:

server:
  port: 8080
  base_url: "https://nostr-auth.example.com"

oauth2:
  clients:
    - client_id: "gitea"
      client_secret: "your-secure-secret"  # Generate with: openssl rand -hex 32
      redirect_uris:
        - "https://gitea.example.com/user/oauth2/nostr/callback"

3. Run

./nostr-oauth2-server -config config.yaml

Or with environment variables:

PORT=8080 \
BASE_URL=https://nostr-auth.example.com \
OAUTH2_CLIENT_ID=gitea \
OAUTH2_CLIENT_SECRET=your-secure-secret \
OAUTH2_REDIRECT_URIS=https://gitea.example.com/user/oauth2/nostr/callback \
./nostr-oauth2-server

4. Configure Gitea

Add the OAuth2 authentication source. Gitea serves the callback for this source at /user/oauth2/<name>/callback,  where <name> is the value given to --name, so the redirect URI registered in config.yaml must be exactly that URL (use the same spelling and case in both places):

gitea admin auth add-oauth \
  --name "Nostr" \
  --provider openidConnect \
  --key "gitea" \
  --secret "your-secure-secret" \
  --auto-discover-url "https://nostr-auth.example.com/.well-known/openid-configuration"

Enable auto-registration in Gitea's app.ini. With these two settings, anyone who holds a Nostr key can create an account on first login, while password-based self-registration stays off:

[service]
DISABLE_REGISTRATION = false
ALLOW_ONLY_EXTERNAL_REGISTRATION = true

Docker

docker build -t nostr-oauth2-server .
docker run -p 8080:8080 -v $(pwd)/config.yaml:/app/config.yaml nostr-oauth2-server

How It Works

Authentication Flow

  1. User clicks "Login with Nostr" on Gitea
  2. Gitea redirects to nostr-oauth2-server's /authorize endpoint
  3. Login page uses window.nostr (NIP-07) to get pubkey and sign a challenge
  4. Server verifies signature and issues an OAuth2 authorization code
  5. Gitea exchanges code for access token and fetches user info
  6. User is logged in (or account is created if new)

Profile Fetching

When Gitea requests user info, the server:

  1. Fetches NIP-65 relay list (kind 10002) from fallback relays to find user's preferred relays
  2. Queries user's read relays + fallbacks for their profile (kind 0)
  3. Extracts profile data: name, display_name, picture, NIP-05, website, etc.
  4. Caches results for 24 hours to minimize relay queries

This ensures profiles are found even if only stored on the user's preferred relays.
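An added example, not this project's code, of the parsing behind the steps above in Go: the "r" tags of a NIP-65 kind-10002 event split into read and write sets, the merged, de-duplicated and capped relay list for the kind-0 query, and the kind-0 content decoded into the profile fields the list names. Every byte of both events is chosen by the key holder, so the example accepts only wss:// relay URLs and only https:// picture and website URLs; those filters, the cap, and the sample events in main are this example's choices, not the project's. For the same reason the Gitea account has to be keyed on the pubkey, never on name or display_name, which any user can set to any string.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Profile carries the kind-0 metadata fields the README lists. All of them are free
// text set by the key holder, so none of them is an identity.
type Profile struct {
	Name        string `json:"name"`
	DisplayName string `json:"display_name"`
	Picture     string `json:"picture"`
	NIP05       string `json:"nip05"`
	Website     string `json:"website"`
}

// RelayList is the read/write split of a NIP-65 relay list (kind 10002).
type RelayList struct{ Read, Write []string }

// ParseRelayList walks the "r" tags of a kind-10002 event: ["r", url] means the relay is
// used in both directions, ["r", url, "read"|"write"] restricts it. Only wss:// URLs are
// kept (this example's choice): the tags are author-controlled and would otherwise let
// anyone point the server at plaintext or non-WebSocket endpoints.
func ParseRelayList(kind int, tags [][]string) (RelayList, error) {
	var rl RelayList
	if kind != 10002 {
		return rl, errors.New("not a kind 10002 relay list")
	}
	for _, t := range tags {
		if len(t) < 2 || t[0] != "r" || !hasScheme(t[1], "wss") {
			continue
		}
		marker := ""
		if len(t) > 2 {
			marker = t[2]
		}
		if marker != "write" {
			rl.Read = append(rl.Read, t[1])
		}
		if marker != "read" {
			rl.Write = append(rl.Write, t[1])
		}
	}
	return rl, nil
}

func hasScheme(raw, scheme string) bool {
	u, err := url.Parse(raw)
	return err == nil && u.Scheme == scheme && u.Host != ""
}

// QueryPlan is the relay set for the kind-0 lookup: the user's relays first, then the
// fallbacks, de-duplicated and capped so a hostile relay list cannot make the server
// fan out to hundreds of hosts per login.
func QueryPlan(preferred, fallbacks []string, limit int) []string {
	seen := map[string]bool{}
	var plan []string
	for _, r := range append(append([]string{}, preferred...), fallbacks...) {
		if !seen[r] && len(plan) < limit {
			seen[r] = true
			plan = append(plan, r)
		}
	}
	return plan
}

// ParseProfile decodes the JSON document that is the content of a kind-0 event and
// drops a picture or website that is not an https:// URL before it reaches Gitea.
func ParseProfile(kind int, content string) (Profile, error) {
	var p Profile
	if kind != 0 {
		return p, errors.New("not a kind 0 metadata event")
	}
	if err := json.Unmarshal([]byte(content), &p); err != nil {
		return p, err
	}
	if !hasScheme(p.Picture, "https") {
		p.Picture = ""
	}
	if !hasScheme(p.Website, "https") {
		p.Website = ""
	}
	return p, nil
}

func main() {
	// Constructed sample events, not relay output.
	rl, _ := ParseRelayList(10002, [][]string{
		{"r", "wss://relay.alice.example"},
		{"r", "wss://inbox.example", "read"},
		{"r", "ws://plaintext.example"}, // dropped: not wss
	})
	plan := QueryPlan(rl.Read, []string{"wss://inbox.example", "wss://fallback.example"}, 8)
	fmt.Println("query:", plan)
	p, err := ParseProfile(0, `{"name":"alice","display_name":"Alice","picture":"http://x.example/a.png","nip05":"alice@example.com","website":"https://alice.example"}`)
	fmt.Printf("%+v %v\n", p, err)
}
```

The cap in QueryPlan is worth keeping even with a cache in front of it: a first login is uncached by definition, and the relay list is the one piece of input a stranger fully controls before any account exists.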

Fallback Relays

Default relays used for initial queries (configurable):

API Endpoints

| Endpoint | Description |
| --- | --- |
| /.well-known/openid-configuration | OIDC discovery document |
| /authorize | OAuth2 authorization (shows login page) |
| /verify | Verify signed Nostr event |
| /token | Exchange auth code for access token |
| /userinfo | Get user profile (npub, username, email) |
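The /verify endpoint is where the security of the whole flow sits. As an added example, not this project's handler, here is the set of checks a /verify step has to make before an authorization code is minted, in Go: recompute the NIP-01 event id from the fields instead of trusting the id the client sent, bind the challenge to the /authorize request that issued it, consume it on first use so a captured event cannot be replayed, enforce an expiry and a created_at window, and only then check the signature. Carrying the challenge in a "challenge" tag, the 5-minute window, and the `oauthState` binding are this example's choices; the page does not describe the project's wire format. The signature check is passed in as a function so the file stays self-contained; a server wires a BIP-340 verifier in at that point.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"sync"
	"time"
)

// Event is the NIP-01 event that window.nostr.signEvent() hands back to the login page.
type Event struct {
	ID        string     `json:"id"`
	PubKey    string     `json:"pubkey"`
	CreatedAt int64      `json:"created_at"`
	Kind      int        `json:"kind"`
	Tags      [][]string `json:"tags"`
	Content   string     `json:"content"`
	Sig       string     `json:"sig"`
}

// EventID recomputes the NIP-01 id: sha256 over the compact JSON array
// [0, pubkey, created_at, kind, tags, content]. encoding/json escapes '<', '>' and '&'
// as \u003c etc. by default, which would change the hash for content containing them,
// so HTML escaping is switched off. The id is always recomputed from the fields, never
// taken from the client, so the signature covers exactly what was checked.
func EventID(ev *Event) [32]byte {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	enc.Encode([]interface{}{0, ev.PubKey, ev.CreatedAt, ev.Kind, ev.Tags, ev.Content})
	return sha256.Sum256(bytes.TrimRight(buf.Bytes(), "\n"))
}

// SigVerifier checks a 64-byte BIP-340 signature by a 32-byte x-only key over the
// 32-byte event id. It is injected so this file stays self-contained.
type SigVerifier func(pk []byte, msg [32]byte, sig []byte) bool

type challenge struct {
	oauthState string // the /authorize request this challenge was issued for
	expires    time.Time
}

// ChallengeStore issues single-use login challenges and consumes them on verification.
type ChallengeStore struct {
	mu     sync.Mutex
	ttl    time.Duration
	issued map[string]challenge
}

func NewChallengeStore(ttl time.Duration) *ChallengeStore {
	return &ChallengeStore{ttl: ttl, issued: map[string]challenge{}}
}

// Issue returns a fresh 32-byte random challenge bound to one authorization request.
func (s *ChallengeStore) Issue(oauthState string, now time.Time) string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: refuse to run rather than hand out guessable challenges
	}
	c := hex.EncodeToString(b)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.issued[c] = challenge{oauthState: oauthState, expires: now.Add(s.ttl)}
	return c
}

// Verify is the gate before an authorization code is minted. It returns the pubkey
// that proved control of its key, or an error. The "challenge" tag and the 5-minute
// created_at window are this example's conventions.
func (s *ChallengeStore) Verify(ev *Event, oauthState string, now time.Time, verify SigVerifier) (string, error) {
	c := tagValue(ev.Tags, "challenge")
	s.mu.Lock()
	rec, ok := s.issued[c]
	delete(s.issued, c) // consumed on first use, whether or not the rest succeeds
	s.mu.Unlock()
	pk, errPK := hex.DecodeString(ev.PubKey)
	sig, errSig := hex.DecodeString(ev.Sig)
	id := EventID(ev)
	switch {
	case !ok || rec.oauthState != oauthState:
		return "", errors.New("unknown challenge, or one issued for a different authorization request")
	case now.After(rec.expires):
		return "", errors.New("challenge expired")
	case errPK != nil || len(pk) != 32 || errSig != nil || len(sig) != 64:
		return "", errors.New("pubkey or sig is not well-formed")
	case ev.ID != hex.EncodeToString(id[:]):
		return "", errors.New("event id does not match its serialization")
	case ev.CreatedAt > now.Unix()+300 || ev.CreatedAt < now.Unix()-300:
		return "", errors.New("created_at outside the acceptance window")
	case !verify(pk, id, sig):
		return "", errors.New("bad signature")
	}
	return ev.PubKey, nil
}

func tagValue(tags [][]string, name string) string {
	for _, t := range tags {
		if len(t) >= 2 && t[0] == name {
			return t[1]
		}
	}
	return ""
}
```

The challenge is deleted before any other check runs on purpose: a second submission of the same event, valid or not, must never find it, and the pubkey returned on success is the only value the rest of the OAuth2 flow should use as the subject.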

Security

License

This is free and unencumbered software released into the public domain (Unlicense).