Refactor auth package (#17962)

9 files changed, 3416 insertions, 0 deletions

diff --git a/routers/web/auth/2fa.go b/routers/web/auth/2fa.go
new file mode 100644
index 0000000000..c61922cd9d
--- /dev/null
+++ b/routers/web/auth/2fa.go
@@ -0,0 +1,166 @@
+// Copyright 2017 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package auth
+
+import (
+	"errors"
+	"net/http"
+
+	"code.gitea.io/gitea/models/auth"
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/base"
+	"code.gitea.io/gitea/modules/context"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/web"
+	"code.gitea.io/gitea/services/externalaccount"
+	"code.gitea.io/gitea/services/forms"
+)
+
+var (
+	tplTwofa        base.TplName = "user/auth/twofa"
+	tplTwofaScratch base.TplName = "user/auth/twofa_scratch"
+)
+
+// TwoFactor shows the user a two-factor authentication page.
+func TwoFactor(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("twofa")
+
+	// Check auto-login.
+	if checkAutoLogin(ctx) {
+		return
+	}
+
+	// Ensure user is in a 2FA session.
+	if ctx.Session.Get("twofaUid") == nil {
+		ctx.ServerError("UserSignIn", errors.New("not in 2FA session"))
+		return
+	}
+
+	ctx.HTML(http.StatusOK, tplTwofa)
+}
+
+// TwoFactorPost validates a user's two-factor authentication token.
+func TwoFactorPost(ctx *context.Context) {
+	form := web.GetForm(ctx).(*forms.TwoFactorAuthForm)
+	ctx.Data["Title"] = ctx.Tr("twofa")
+
+	// Ensure user is in a 2FA session.
+	idSess := ctx.Session.Get("twofaUid")
+	if idSess == nil {
+		ctx.ServerError("UserSignIn", errors.New("not in 2FA session"))
+		return
+	}
+
+	id := idSess.(int64)
+	twofa, err := auth.GetTwoFactorByUID(id)
+	if err != nil {
+		ctx.ServerError("UserSignIn", err)
+		return
+	}
+
+	// Validate the passcode with the stored TOTP secret.
+	ok, err := twofa.ValidateTOTP(form.Passcode)
+	if err != nil {
+		ctx.ServerError("UserSignIn", err)
+		return
+	}
+
+	if ok && twofa.LastUsedPasscode != form.Passcode {
+		remember := ctx.Session.Get("twofaRemember").(bool)
+		u, err := user_model.GetUserByID(id)
+		if err != nil {
+			ctx.ServerError("UserSignIn", err)
+			return
+		}
+
+		if ctx.Session.Get("linkAccount") != nil {
+			err = externalaccount.LinkAccountFromStore(ctx.Session, u)
+			if err != nil {
+				ctx.ServerError("UserSignIn", err)
+				return
+			}
+		}
+
+		twofa.LastUsedPasscode = form.Passcode
+		if err = auth.UpdateTwoFactor(twofa); err != nil {
+			ctx.ServerError("UserSignIn", err)
+			return
+		}
+
+		handleSignIn(ctx, u, remember)
+		return
+	}
+
+	ctx.RenderWithErr(ctx.Tr("auth.twofa_passcode_incorrect"), tplTwofa, forms.TwoFactorAuthForm{})
+}
+
+// TwoFactorScratch shows the scratch code form for two-factor authentication.
+func TwoFactorScratch(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("twofa_scratch")
+
+	// Check auto-login.
+	if checkAutoLogin(ctx) {
+		return
+	}
+
+	// Ensure user is in a 2FA session.
+	if ctx.Session.Get("twofaUid") == nil {
+		ctx.ServerError("UserSignIn", errors.New("not in 2FA session"))
+		return
+	}
+
+	ctx.HTML(http.StatusOK, tplTwofaScratch)
+}
+
+// TwoFactorScratchPost validates and invalidates a user's two-factor scratch token.
+func TwoFactorScratchPost(ctx *context.Context) {
+	form := web.GetForm(ctx).(*forms.TwoFactorScratchAuthForm)
+	ctx.Data["Title"] = ctx.Tr("twofa_scratch")
+
+	// Ensure user is in a 2FA session.
+	idSess := ctx.Session.Get("twofaUid")
+	if idSess == nil {
+		ctx.ServerError("UserSignIn", errors.New("not in 2FA session"))
+		return
+	}
+
+	id := idSess.(int64)
+	twofa, err := auth.GetTwoFactorByUID(id)
+	if err != nil {
+		ctx.ServerError("UserSignIn", err)
+		return
+	}
+
+	// Validate the passcode with the stored TOTP secret.
+	if twofa.VerifyScratchToken(form.Token) {
+		// Invalidate the scratch token.
+		_, err = twofa.GenerateScratchToken()
+		if err != nil {
+			ctx.ServerError("UserSignIn", err)
+			return
+		}
+		if err = auth.UpdateTwoFactor(twofa); err != nil {
+			ctx.ServerError("UserSignIn", err)
+			return
+		}
+
+		remember := ctx.Session.Get("twofaRemember").(bool)
+		u, err := user_model.GetUserByID(id)
+		if err != nil {
+			ctx.ServerError("UserSignIn", err)
+			return
+		}
+
+		handleSignInFull(ctx, u, remember, false)
+		if ctx.Written() {
+			return
+		}
+		ctx.Flash.Info(ctx.Tr("auth.twofa_scratch_used"))
+		ctx.Redirect(setting.AppSubURL + "/user/settings/security")
+		return
+	}
+
+	ctx.RenderWithErr(ctx.Tr("auth.twofa_scratch_token_incorrect"), tplTwofaScratch, forms.TwoFactorScratchAuthForm{})
+}
diff --git a/routers/web/auth/auth.go b/routers/web/auth/auth.go
new file mode 100644
index 0000000000..b9765abfb5
--- /dev/null
+++ b/routers/web/auth/auth.go
@@ -0,0 +1,795 @@
+// Copyright 2014 The Gogs Authors. All rights reserved.
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package auth
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	"code.gitea.io/gitea/models/auth"
+	"code.gitea.io/gitea/models/db"
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/base"
+	"code.gitea.io/gitea/modules/context"
+	"code.gitea.io/gitea/modules/eventsource"
+	"code.gitea.io/gitea/modules/hcaptcha"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/password"
+	"code.gitea.io/gitea/modules/recaptcha"
+	"code.gitea.io/gitea/modules/session"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/timeutil"
+	"code.gitea.io/gitea/modules/web"
+	"code.gitea.io/gitea/modules/web/middleware"
+	"code.gitea.io/gitea/routers/utils"
+	auth_service "code.gitea.io/gitea/services/auth"
+	"code.gitea.io/gitea/services/auth/source/oauth2"
+	"code.gitea.io/gitea/services/externalaccount"
+	"code.gitea.io/gitea/services/forms"
+	"code.gitea.io/gitea/services/mailer"
+
+	"github.com/markbates/goth"
+)
+
+const (
+	// tplSignIn template for sign in page
+	tplSignIn base.TplName = "user/auth/signin"
+	// tplSignUp template path for sign up page
+	tplSignUp base.TplName = "user/auth/signup"
+	// TplActivate template path for activate user
+	TplActivate base.TplName = "user/auth/activate"
+)
+
+// AutoSignIn reads cookie and try to auto-login.
+func AutoSignIn(ctx *context.Context) (bool, error) {
+	if !db.HasEngine {
+		return false, nil
+	}
+
+	uname := ctx.GetCookie(setting.CookieUserName)
+	if len(uname) == 0 {
+		return false, nil
+	}
+
+	isSucceed := false
+	defer func() {
+		if !isSucceed {
+			log.Trace("auto-login cookie cleared: %s", uname)
+			ctx.DeleteCookie(setting.CookieUserName)
+			ctx.DeleteCookie(setting.CookieRememberName)
+		}
+	}()
+
+	u, err := user_model.GetUserByName(uname)
+	if err != nil {
+		if !user_model.IsErrUserNotExist(err) {
+			return false, fmt.Errorf("GetUserByName: %v", err)
+		}
+		return false, nil
+	}
+
+	if val, ok := ctx.GetSuperSecureCookie(
+		base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); !ok || val != u.Name {
+		return false, nil
+	}
+
+	isSucceed = true
+
+	if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
+		return false, fmt.Errorf("unable to RegenerateSession: Error: %w", err)
+	}
+
+	// Set session IDs
+	if err := ctx.Session.Set("uid", u.ID); err != nil {
+		return false, err
+	}
+	if err := ctx.Session.Set("uname", u.Name); err != nil {
+		return false, err
+	}
+	if err := ctx.Session.Release(); err != nil {
+		return false, err
+	}
+
+	if err := resetLocale(ctx, u); err != nil {
+		return false, err
+	}
+
+	middleware.DeleteCSRFCookie(ctx.Resp)
+	return true, nil
+}
+
+func resetLocale(ctx *context.Context, u *user_model.User) error {
+	// Language setting of the user overwrites the one previously set
+	// If the user does not have a locale set, we save the current one.
+	if len(u.Language) == 0 {
+		u.Language = ctx.Locale.Language()
+		if err := user_model.UpdateUserCols(db.DefaultContext, u, "language"); err != nil {
+			return err
+		}
+	}
+
+	middleware.SetLocaleCookie(ctx.Resp, u.Language, 0)
+
+	if ctx.Locale.Language() != u.Language {
+		ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req)
+	}
+
+	return nil
+}
+
+func checkAutoLogin(ctx *context.Context) bool {
+	// Check auto-login
+	isSucceed, err := AutoSignIn(ctx)
+	if err != nil {
+		ctx.ServerError("AutoSignIn", err)
+		return true
+	}
+
+	redirectTo := ctx.FormString("redirect_to")
+	if len(redirectTo) > 0 {
+		middleware.SetRedirectToCookie(ctx.Resp, redirectTo)
+	} else {
+		redirectTo = ctx.GetCookie("redirect_to")
+	}
+
+	if isSucceed {
+		middleware.DeleteRedirectToCookie(ctx.Resp)
+		ctx.RedirectToFirst(redirectTo, setting.AppSubURL+string(setting.LandingPageURL))
+		return true
+	}
+
+	return false
+}
+
+// SignIn render sign in page
+func SignIn(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("sign_in")
+
+	// Check auto-login
+	if checkAutoLogin(ctx) {
+		return
+	}
+
+	orderedOAuth2Names, oauth2Providers, err := oauth2.GetActiveOAuth2Providers()
+	if err != nil {
+		ctx.ServerError("UserSignIn", err)
+		return
+	}
+	ctx.Data["OrderedOAuth2Names"] = orderedOAuth2Names
+	ctx.Data["OAuth2Providers"] = oauth2Providers
+	ctx.Data["Title"] = ctx.Tr("sign_in")
+	ctx.Data["SignInLink"] = setting.AppSubURL + "/user/login"
+	ctx.Data["PageIsSignIn"] = true
+	ctx.Data["PageIsLogin"] = true
+	ctx.Data["EnableSSPI"] = auth.IsSSPIEnabled()
+
+	ctx.HTML(http.StatusOK, tplSignIn)
+}
+
+// SignInPost response for sign in request
+func SignInPost(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("sign_in")
+
+	orderedOAuth2Names, oauth2Providers, err := oauth2.GetActiveOAuth2Providers()
+	if err != nil {
+		ctx.ServerError("UserSignIn", err)
+		return
+	}
+	ctx.Data["OrderedOAuth2Names"] = orderedOAuth2Names
+	ctx.Data["OAuth2Providers"] = oauth2Providers
+	ctx.Data["Title"] = ctx.Tr("sign_in")
+	ctx.Data["SignInLink"] = setting.AppSubURL + "/user/login"
+	ctx.Data["PageIsSignIn"] = true
+	ctx.Data["PageIsLogin"] = true
+	ctx.Data["EnableSSPI"] = auth.IsSSPIEnabled()
+
+	if ctx.HasError() {
+		ctx.HTML(http.StatusOK, tplSignIn)
+		return
+	}
+
+	form := web.GetForm(ctx).(*forms.SignInForm)
+	u, source, err := auth_service.UserSignIn(form.UserName, form.Password)
+	if err != nil {
+		if user_model.IsErrUserNotExist(err) {
+			ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplSignIn, &form)
+			log.Info("Failed authentication attempt for %s from %s: %v", form.UserName, ctx.RemoteAddr(), err)
+		} else if user_model.IsErrEmailAlreadyUsed(err) {
+			ctx.RenderWithErr(ctx.Tr("form.email_been_used"), tplSignIn, &form)
+			log.Info("Failed authentication attempt for %s from %s: %v", form.UserName, ctx.RemoteAddr(), err)
+		} else if user_model.IsErrUserProhibitLogin(err) {
+			log.Info("Failed authentication attempt for %s from %s: %v", form.UserName, ctx.RemoteAddr(), err)
+			ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
+			ctx.HTML(http.StatusOK, "user/auth/prohibit_login")
+		} else if user_model.IsErrUserInactive(err) {
+			if setting.Service.RegisterEmailConfirm {
+				ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
+				ctx.HTML(http.StatusOK, TplActivate)
+			} else {
+				log.Info("Failed authentication attempt for %s from %s: %v", form.UserName, ctx.RemoteAddr(), err)
+				ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
+				ctx.HTML(http.StatusOK, "user/auth/prohibit_login")
+			}
+		} else {
+			ctx.ServerError("UserSignIn", err)
+		}
+		return
+	}
+
+	// Now handle 2FA:
+
+	// First of all if the source can skip local two fa we're done
+	if skipper, ok := source.Cfg.(auth_service.LocalTwoFASkipper); ok && skipper.IsSkipLocalTwoFA() {
+		handleSignIn(ctx, u, form.Remember)
+		return
+	}
+
+	// If this user is enrolled in 2FA TOTP, we can't sign the user in just yet.
+	// Instead, redirect them to the 2FA authentication page.
+	hasTOTPtwofa, err := auth.HasTwoFactorByUID(u.ID)
+	if err != nil {
+		ctx.ServerError("UserSignIn", err)
+		return
+	}
+
+	// Check if the user has u2f registration
+	hasU2Ftwofa, err := auth.HasU2FRegistrationsByUID(u.ID)
+	if err != nil {
+		ctx.ServerError("UserSignIn", err)
+		return
+	}
+
+	if !hasTOTPtwofa && !hasU2Ftwofa {
+		// No two factor auth configured we can sign in the user
+		handleSignIn(ctx, u, form.Remember)
+		return
+	}
+
+	if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
+		ctx.ServerError("UserSignIn: Unable to set regenerate session", err)
+		return
+	}
+
+	// User will need to use 2FA TOTP or U2F, save data
+	if err := ctx.Session.Set("twofaUid", u.ID); err != nil {
+		ctx.ServerError("UserSignIn: Unable to set twofaUid in session", err)
+		return
+	}
+
+	if err := ctx.Session.Set("twofaRemember", form.Remember); err != nil {
+		ctx.ServerError("UserSignIn: Unable to set twofaRemember in session", err)
+		return
+	}
+
+	if hasTOTPtwofa {
+		// User will need to use U2F, save data
+		if err := ctx.Session.Set("totpEnrolled", u.ID); err != nil {
+			ctx.ServerError("UserSignIn: Unable to set u2fEnrolled in session", err)
+			return
+		}
+	}
+
+	if err := ctx.Session.Release(); err != nil {
+		ctx.ServerError("UserSignIn: Unable to save session", err)
+		return
+	}
+
+	// If we have U2F redirect there first
+	if hasU2Ftwofa {
+		ctx.Redirect(setting.AppSubURL + "/user/u2f")
+		return
+	}
+
+	// Fallback to 2FA
+	ctx.Redirect(setting.AppSubURL + "/user/two_factor")
+}
+
+// This handles the final part of the sign-in process of the user.
+func handleSignIn(ctx *context.Context, u *user_model.User, remember bool) {
+	redirect := handleSignInFull(ctx, u, remember, true)
+	if ctx.Written() {
+		return
+	}
+	ctx.Redirect(redirect)
+}
+
+func handleSignInFull(ctx *context.Context, u *user_model.User, remember bool, obeyRedirect bool) string {
+	if remember {
+		days := 86400 * setting.LogInRememberDays
+		ctx.SetCookie(setting.CookieUserName, u.Name, days)
+		ctx.SetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd),
+			setting.CookieRememberName, u.Name, days)
+	}
+
+	if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
+		ctx.ServerError("RegenerateSession", err)
+		return setting.AppSubURL + "/"
+	}
+
+	// Delete the openid, 2fa and linkaccount data
+	_ = ctx.Session.Delete("openid_verified_uri")
+	_ = ctx.Session.Delete("openid_signin_remember")
+	_ = ctx.Session.Delete("openid_determined_email")
+	_ = ctx.Session.Delete("openid_determined_username")
+	_ = ctx.Session.Delete("twofaUid")
+	_ = ctx.Session.Delete("twofaRemember")
+	_ = ctx.Session.Delete("u2fChallenge")
+	_ = ctx.Session.Delete("linkAccount")
+	if err := ctx.Session.Set("uid", u.ID); err != nil {
+		log.Error("Error setting uid %d in session: %v", u.ID, err)
+	}
+	if err := ctx.Session.Set("uname", u.Name); err != nil {
+		log.Error("Error setting uname %s session: %v", u.Name, err)
+	}
+	if err := ctx.Session.Release(); err != nil {
+		log.Error("Unable to store session: %v", err)
+	}
+
+	// Language setting of the user overwrites the one previously set
+	// If the user does not have a locale set, we save the current one.
+	if len(u.Language) == 0 {
+		u.Language = ctx.Locale.Language()
+		if err := user_model.UpdateUserCols(db.DefaultContext, u, "language"); err != nil {
+			ctx.ServerError("UpdateUserCols Language", fmt.Errorf("Error updating user language [user: %d, locale: %s]", u.ID, u.Language))
+			return setting.AppSubURL + "/"
+		}
+	}
+
+	middleware.SetLocaleCookie(ctx.Resp, u.Language, 0)
+
+	if ctx.Locale.Language() != u.Language {
+		ctx.Locale = middleware.Locale(ctx.Resp, ctx.Req)
+	}
+
+	// Clear whatever CSRF has right now, force to generate a new one
+	middleware.DeleteCSRFCookie(ctx.Resp)
+
+	// Register last login
+	u.SetLastLogin()
+	if err := user_model.UpdateUserCols(db.DefaultContext, u, "last_login_unix"); err != nil {
+		ctx.ServerError("UpdateUserCols", err)
+		return setting.AppSubURL + "/"
+	}
+
+	if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 && !utils.IsExternalURL(redirectTo) {
+		middleware.DeleteRedirectToCookie(ctx.Resp)
+		if obeyRedirect {
+			ctx.RedirectToFirst(redirectTo)
+		}
+		return redirectTo
+	}
+
+	if obeyRedirect {
+		ctx.Redirect(setting.AppSubURL + "/")
+	}
+	return setting.AppSubURL + "/"
+}
+
+func getUserName(gothUser *goth.User) string {
+	switch setting.OAuth2Client.Username {
+	case setting.OAuth2UsernameEmail:
+		return strings.Split(gothUser.Email, "@")[0]
+	case setting.OAuth2UsernameNickname:
+		return gothUser.NickName
+	default: // OAuth2UsernameUserid
+		return gothUser.UserID
+	}
+}
+
+// HandleSignOut resets the session and sets the cookies
+func HandleSignOut(ctx *context.Context) {
+	_ = ctx.Session.Flush()
+	_ = ctx.Session.Destroy(ctx.Resp, ctx.Req)
+	ctx.DeleteCookie(setting.CookieUserName)
+	ctx.DeleteCookie(setting.CookieRememberName)
+	middleware.DeleteCSRFCookie(ctx.Resp)
+	middleware.DeleteLocaleCookie(ctx.Resp)
+	middleware.DeleteRedirectToCookie(ctx.Resp)
+}
+
+// SignOut sign out from login status
+func SignOut(ctx *context.Context) {
+	if ctx.User != nil {
+		eventsource.GetManager().SendMessageBlocking(ctx.User.ID, &eventsource.Event{
+			Name: "logout",
+			Data: ctx.Session.ID(),
+		})
+	}
+	HandleSignOut(ctx)
+	ctx.Redirect(setting.AppSubURL + "/")
+}
+
+// SignUp render the register page
+func SignUp(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("sign_up")
+
+	ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/sign_up"
+
+	ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
+	ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL
+	ctx.Data["Captcha"] = context.GetImageCaptcha()
+	ctx.Data["CaptchaType"] = setting.Service.CaptchaType
+	ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
+	ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
+	ctx.Data["PageIsSignUp"] = true
+
+	//Show Disabled Registration message if DisableRegistration or AllowOnlyExternalRegistration options are true
+	ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration || setting.Service.AllowOnlyExternalRegistration
+
+	ctx.HTML(http.StatusOK, tplSignUp)
+}
+
+// SignUpPost response for sign up information submission
+func SignUpPost(ctx *context.Context) {
+	form := web.GetForm(ctx).(*forms.RegisterForm)
+	ctx.Data["Title"] = ctx.Tr("sign_up")
+
+	ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/sign_up"
+
+	ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
+	ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL
+	ctx.Data["Captcha"] = context.GetImageCaptcha()
+	ctx.Data["CaptchaType"] = setting.Service.CaptchaType
+	ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
+	ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
+	ctx.Data["PageIsSignUp"] = true
+
+	//Permission denied if DisableRegistration or AllowOnlyExternalRegistration options are true
+	if setting.Service.DisableRegistration || setting.Service.AllowOnlyExternalRegistration {
+		ctx.Error(http.StatusForbidden)
+		return
+	}
+
+	if ctx.HasError() {
+		ctx.HTML(http.StatusOK, tplSignUp)
+		return
+	}
+
+	if setting.Service.EnableCaptcha {
+		var valid bool
+		var err error
+		switch setting.Service.CaptchaType {
+		case setting.ImageCaptcha:
+			valid = context.GetImageCaptcha().VerifyReq(ctx.Req)
+		case setting.ReCaptcha:
+			valid, err = recaptcha.Verify(ctx, form.GRecaptchaResponse)
+		case setting.HCaptcha:
+			valid, err = hcaptcha.Verify(ctx, form.HcaptchaResponse)
+		default:
+			ctx.ServerError("Unknown Captcha Type", fmt.Errorf("Unknown Captcha Type: %s", setting.Service.CaptchaType))
+			return
+		}
+		if err != nil {
+			log.Debug("%s", err.Error())
+		}
+
+		if !valid {
+			ctx.Data["Err_Captcha"] = true
+			ctx.RenderWithErr(ctx.Tr("form.captcha_incorrect"), tplSignUp, &form)
+			return
+		}
+	}
+
+	if !form.IsEmailDomainAllowed() {
+		ctx.RenderWithErr(ctx.Tr("auth.email_domain_blacklisted"), tplSignUp, &form)
+		return
+	}
+
+	if form.Password != form.Retype {
+		ctx.Data["Err_Password"] = true
+		ctx.RenderWithErr(ctx.Tr("form.password_not_match"), tplSignUp, &form)
+		return
+	}
+	if len(form.Password) < setting.MinPasswordLength {
+		ctx.Data["Err_Password"] = true
+		ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplSignUp, &form)
+		return
+	}
+	if !password.IsComplexEnough(form.Password) {
+		ctx.Data["Err_Password"] = true
+		ctx.RenderWithErr(password.BuildComplexityError(ctx), tplSignUp, &form)
+		return
+	}
+	pwned, err := password.IsPwned(ctx, form.Password)
+	if pwned {
+		errMsg := ctx.Tr("auth.password_pwned")
+		if err != nil {
+			log.Error(err.Error())
+			errMsg = ctx.Tr("auth.password_pwned_err")
+		}
+		ctx.Data["Err_Password"] = true
+		ctx.RenderWithErr(errMsg, tplSignUp, &form)
+		return
+	}
+
+	u := &user_model.User{
+		Name:         form.UserName,
+		Email:        form.Email,
+		Passwd:       form.Password,
+		IsActive:     !(setting.Service.RegisterEmailConfirm || setting.Service.RegisterManualConfirm),
+		IsRestricted: setting.Service.DefaultUserIsRestricted,
+	}
+
+	if !createAndHandleCreatedUser(ctx, tplSignUp, form, u, nil, false) {
+		// error already handled
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("auth.sign_up_successful"))
+	handleSignIn(ctx, u, false)
+}
+
+// createAndHandleCreatedUser calls createUserInContext and
+// then handleUserCreated.
+func createAndHandleCreatedUser(ctx *context.Context, tpl base.TplName, form interface{}, u *user_model.User, gothUser *goth.User, allowLink bool) bool {
+	if !createUserInContext(ctx, tpl, form, u, gothUser, allowLink) {
+		return false
+	}
+	return handleUserCreated(ctx, u, gothUser)
+}
+
+// createUserInContext creates a user and handles errors within a given context.
+// Optionally a template can be specified.
+func createUserInContext(ctx *context.Context, tpl base.TplName, form interface{}, u *user_model.User, gothUser *goth.User, allowLink bool) (ok bool) {
+	if err := user_model.CreateUser(u); err != nil {
+		if allowLink && (user_model.IsErrUserAlreadyExist(err) || user_model.IsErrEmailAlreadyUsed(err)) {
+			if setting.OAuth2Client.AccountLinking == setting.OAuth2AccountLinkingAuto {
+				var user *user_model.User
+				user = &user_model.User{Name: u.Name}
+				hasUser, err := user_model.GetUser(user)
+				if !hasUser || err != nil {
+					user = &user_model.User{Email: u.Email}
+					hasUser, err = user_model.GetUser(user)
+					if !hasUser || err != nil {
+						ctx.ServerError("UserLinkAccount", err)
+						return
+					}
+				}
+
+				// TODO: probably we should respect 'remember' user's choice...
+				linkAccount(ctx, user, *gothUser, true)
+				return // user is already created here, all redirects are handled
+			} else if setting.OAuth2Client.AccountLinking == setting.OAuth2AccountLinkingLogin {
+				showLinkingLogin(ctx, *gothUser)
+				return // user will be created only after linking login
+			}
+		}
+
+		// handle error without template
+		if len(tpl) == 0 {
+			ctx.ServerError("CreateUser", err)
+			return
+		}
+
+		// handle error with template
+		switch {
+		case user_model.IsErrUserAlreadyExist(err):
+			ctx.Data["Err_UserName"] = true
+			ctx.RenderWithErr(ctx.Tr("form.username_been_taken"), tpl, form)
+		case user_model.IsErrEmailAlreadyUsed(err):
+			ctx.Data["Err_Email"] = true
+			ctx.RenderWithErr(ctx.Tr("form.email_been_used"), tpl, form)
+		case user_model.IsErrEmailInvalid(err):
+			ctx.Data["Err_Email"] = true
+			ctx.RenderWithErr(ctx.Tr("form.email_invalid"), tpl, form)
+		case db.IsErrNameReserved(err):
+			ctx.Data["Err_UserName"] = true
+			ctx.RenderWithErr(ctx.Tr("user.form.name_reserved", err.(db.ErrNameReserved).Name), tpl, form)
+		case db.IsErrNamePatternNotAllowed(err):
+			ctx.Data["Err_UserName"] = true
+			ctx.RenderWithErr(ctx.Tr("user.form.name_pattern_not_allowed", err.(db.ErrNamePatternNotAllowed).Pattern), tpl, form)
+		case db.IsErrNameCharsNotAllowed(err):
+			ctx.Data["Err_UserName"] = true
+			ctx.RenderWithErr(ctx.Tr("user.form.name_chars_not_allowed", err.(db.ErrNameCharsNotAllowed).Name), tpl, form)
+		default:
+			ctx.ServerError("CreateUser", err)
+		}
+		return
+	}
+	log.Trace("Account created: %s", u.Name)
+	return true
+}
+
+// handleUserCreated does additional steps after a new user is created.
+// It auto-sets admin for the only user, updates the optional external user and
+// sends a confirmation email if required.
+func handleUserCreated(ctx *context.Context, u *user_model.User, gothUser *goth.User) (ok bool) {
+	// Auto-set admin for the only user.
+	if user_model.CountUsers() == 1 {
+		u.IsAdmin = true
+		u.IsActive = true
+		u.SetLastLogin()
+		if err := user_model.UpdateUserCols(db.DefaultContext, u, "is_admin", "is_active", "last_login_unix"); err != nil {
+			ctx.ServerError("UpdateUser", err)
+			return
+		}
+	}
+
+	// update external user information
+	if gothUser != nil {
+		if err := externalaccount.UpdateExternalUser(u, *gothUser); err != nil {
+			log.Error("UpdateExternalUser failed: %v", err)
+		}
+	}
+
+	// Send confirmation email
+	if !u.IsActive && u.ID > 1 {
+		mailer.SendActivateAccountMail(ctx.Locale, u)
+
+		ctx.Data["IsSendRegisterMail"] = true
+		ctx.Data["Email"] = u.Email
+		ctx.Data["ActiveCodeLives"] = timeutil.MinutesToFriendly(setting.Service.ActiveCodeLives, ctx.Locale.Language())
+		ctx.HTML(http.StatusOK, TplActivate)
+
+		if err := ctx.Cache.Put("MailResendLimit_"+u.LowerName, u.LowerName, 180); err != nil {
+			log.Error("Set cache(MailResendLimit) fail: %v", err)
+		}
+		return
+	}
+
+	return true
+}
+
+// Activate render activate user page
+func Activate(ctx *context.Context) {
+	code := ctx.FormString("code")
+
+	if len(code) == 0 {
+		ctx.Data["IsActivatePage"] = true
+		if ctx.User == nil || ctx.User.IsActive {
+			ctx.NotFound("invalid user", nil)
+			return
+		}
+		// Resend confirmation email.
+		if setting.Service.RegisterEmailConfirm {
+			if ctx.Cache.IsExist("MailResendLimit_" + ctx.User.LowerName) {
+				ctx.Data["ResendLimited"] = true
+			} else {
+				ctx.Data["ActiveCodeLives"] = timeutil.MinutesToFriendly(setting.Service.ActiveCodeLives, ctx.Locale.Language())
+				mailer.SendActivateAccountMail(ctx.Locale, ctx.User)
+
+				if err := ctx.Cache.Put("MailResendLimit_"+ctx.User.LowerName, ctx.User.LowerName, 180); err != nil {
+					log.Error("Set cache(MailResendLimit) fail: %v", err)
+				}
+			}
+		} else {
+			ctx.Data["ServiceNotEnabled"] = true
+		}
+		ctx.HTML(http.StatusOK, TplActivate)
+		return
+	}
+
+	user := user_model.VerifyUserActiveCode(code)
+	// if code is wrong
+	if user == nil {
+		ctx.Data["IsActivateFailed"] = true
+		ctx.HTML(http.StatusOK, TplActivate)
+		return
+	}
+
+	// if account is local account, verify password
+	if user.LoginSource == 0 {
+		ctx.Data["Code"] = code
+		ctx.Data["NeedsPassword"] = true
+		ctx.HTML(http.StatusOK, TplActivate)
+		return
+	}
+
+	handleAccountActivation(ctx, user)
+}
+
+// ActivatePost handles account activation with password check
+func ActivatePost(ctx *context.Context) {
+	code := ctx.FormString("code")
+	if len(code) == 0 {
+		ctx.Redirect(setting.AppSubURL + "/user/activate")
+		return
+	}
+
+	user := user_model.VerifyUserActiveCode(code)
+	// if code is wrong
+	if user == nil {
+		ctx.Data["IsActivateFailed"] = true
+		ctx.HTML(http.StatusOK, TplActivate)
+		return
+	}
+
+	// if account is local account, verify password
+	if user.LoginSource == 0 {
+		password := ctx.FormString("password")
+		if len(password) == 0 {
+			ctx.Data["Code"] = code
+			ctx.Data["NeedsPassword"] = true
+			ctx.HTML(http.StatusOK, TplActivate)
+			return
+		}
+		if !user.ValidatePassword(password) {
+			ctx.Data["IsActivateFailed"] = true
+			ctx.HTML(http.StatusOK, TplActivate)
+			return
+		}
+	}
+
+	handleAccountActivation(ctx, user)
+}
+
+func handleAccountActivation(ctx *context.Context, user *user_model.User) {
+	user.IsActive = true
+	var err error
+	if user.Rands, err = user_model.GetUserSalt(); err != nil {
+		ctx.ServerError("UpdateUser", err)
+		return
+	}
+	if err := user_model.UpdateUserCols(db.DefaultContext, user, "is_active", "rands"); err != nil {
+		if user_model.IsErrUserNotExist(err) {
+			ctx.NotFound("UpdateUserCols", err)
+		} else {
+			ctx.ServerError("UpdateUser", err)
+		}
+		return
+	}
+
+	if err := user_model.ActivateUserEmail(user.ID, user.Email, true); err != nil {
+		log.Error("Unable to activate email for user: %-v with email: %s: %v", user, user.Email, err)
+		ctx.ServerError("ActivateUserEmail", err)
+		return
+	}
+
+	log.Trace("User activated: %s", user.Name)
+
+	if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
+		log.Error("Unable to regenerate session for user: %-v with email: %s: %v", user, user.Email, err)
+		ctx.ServerError("ActivateUserEmail", err)
+		return
+	}
+
+	if err := ctx.Session.Set("uid", user.ID); err != nil {
+		log.Error("Error setting uid in session[%s]: %v", ctx.Session.ID(), err)
+	}
+	if err := ctx.Session.Set("uname", user.Name); err != nil {
+		log.Error("Error setting uname in session[%s]: %v", ctx.Session.ID(), err)
+	}
+	if err := ctx.Session.Release(); err != nil {
+		log.Error("Error storing session[%s]: %v", ctx.Session.ID(), err)
+	}
+
+	if err := resetLocale(ctx, user); err != nil {
+		ctx.ServerError("resetLocale", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("auth.account_activated"))
+	ctx.Redirect(setting.AppSubURL + "/")
+}
+
+// ActivateEmail render the activate email page
+func ActivateEmail(ctx *context.Context) {
+	code := ctx.FormString("code")
+	emailStr := ctx.FormString("email")
+
+	// Verify code.
+	if email := user_model.VerifyActiveEmailCode(code, emailStr); email != nil {
+		if err := user_model.ActivateEmail(email); err != nil {
+			ctx.ServerError("ActivateEmail", err)
+		}
+
+		log.Trace("Email activated: %s", email.Email)
+		ctx.Flash.Success(ctx.Tr("settings.add_email_success"))
+
+		if u, err := user_model.GetUserByID(email.UID); err != nil {
+			log.Warn("GetUserByID: %d", email.UID)
+		} else {
+			// Allow user to validate more emails
+			_ = ctx.Cache.Delete("MailResendLimit_" + u.LowerName)
+		}
+	}
+
+	// FIXME: e-mail verification does not require the user to be logged in,
+	// so this could be redirecting to the login page.
+	// Should users be logged in automatically here? (consider 2FA requirements, etc.)
+	ctx.Redirect(setting.AppSubURL + "/user/settings/account")
+}
diff --git a/routers/web/auth/linkaccount.go b/routers/web/auth/linkaccount.go
new file mode 100644
index 0000000000..9d5a6eb3f8
--- /dev/null
+++ b/routers/web/auth/linkaccount.go
@@ -0,0 +1,300 @@
+// Copyright 2017 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package auth
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"code.gitea.io/gitea/models/auth"
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/base"
+	"code.gitea.io/gitea/modules/context"
+	"code.gitea.io/gitea/modules/hcaptcha"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/recaptcha"
+	"code.gitea.io/gitea/modules/session"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/web"
+	auth_service "code.gitea.io/gitea/services/auth"
+	"code.gitea.io/gitea/services/externalaccount"
+	"code.gitea.io/gitea/services/forms"
+
+	"github.com/markbates/goth"
+)
+
+var (
+	tplLinkAccount base.TplName = "user/auth/link_account"
+)
+
+// LinkAccount shows the page where the user can decide to login or create a new account
+func LinkAccount(ctx *context.Context) {
+	ctx.Data["DisablePassword"] = !setting.Service.RequireExternalRegistrationPassword || setting.Service.AllowOnlyExternalRegistration
+	ctx.Data["Title"] = ctx.Tr("link_account")
+	ctx.Data["LinkAccountMode"] = true
+	ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha && setting.Service.RequireExternalRegistrationCaptcha
+	ctx.Data["Captcha"] = context.GetImageCaptcha()
+	ctx.Data["CaptchaType"] = setting.Service.CaptchaType
+	ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL
+	ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
+	ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
+	ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration
+	ctx.Data["AllowOnlyInternalRegistration"] = setting.Service.AllowOnlyInternalRegistration
+	ctx.Data["ShowRegistrationButton"] = false
+
+	// use this to set the right link into the signIn and signUp templates in the link_account template
+	ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"
+	ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"
+
+	gothUser := ctx.Session.Get("linkAccountGothUser")
+	if gothUser == nil {
+		ctx.ServerError("UserSignIn", errors.New("not in LinkAccount session"))
+		return
+	}
+
+	gu, _ := gothUser.(goth.User)
+	uname := getUserName(&gu)
+	email := gu.Email
+	ctx.Data["user_name"] = uname
+	ctx.Data["email"] = email
+
+	if len(email) != 0 {
+		u, err := user_model.GetUserByEmail(email)
+		if err != nil && !user_model.IsErrUserNotExist(err) {
+			ctx.ServerError("UserSignIn", err)
+			return
+		}
+		if u != nil {
+			ctx.Data["user_exists"] = true
+		}
+	} else if len(uname) != 0 {
+		u, err := user_model.GetUserByName(uname)
+		if err != nil && !user_model.IsErrUserNotExist(err) {
+			ctx.ServerError("UserSignIn", err)
+			return
+		}
+		if u != nil {
+			ctx.Data["user_exists"] = true
+		}
+	}
+
+	ctx.HTML(http.StatusOK, tplLinkAccount)
+}
+
+// LinkAccountPostSignIn handle the coupling of external account with another account using signIn
+func LinkAccountPostSignIn(ctx *context.Context) {
+	signInForm := web.GetForm(ctx).(*forms.SignInForm)
+	ctx.Data["DisablePassword"] = !setting.Service.RequireExternalRegistrationPassword || setting.Service.AllowOnlyExternalRegistration
+	ctx.Data["Title"] = ctx.Tr("link_account")
+	ctx.Data["LinkAccountMode"] = true
+	ctx.Data["LinkAccountModeSignIn"] = true
+	ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha && setting.Service.RequireExternalRegistrationCaptcha
+	ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL
+	ctx.Data["Captcha"] = context.GetImageCaptcha()
+	ctx.Data["CaptchaType"] = setting.Service.CaptchaType
+	ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
+	ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
+	ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration
+	ctx.Data["ShowRegistrationButton"] = false
+
+	// use this to set the right link into the signIn and signUp templates in the link_account template
+	ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"
+	ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"
+
+	gothUser := ctx.Session.Get("linkAccountGothUser")
+	if gothUser == nil {
+		ctx.ServerError("UserSignIn", errors.New("not in LinkAccount session"))
+		return
+	}
+
+	if ctx.HasError() {
+		ctx.HTML(http.StatusOK, tplLinkAccount)
+		return
+	}
+
+	u, _, err := auth_service.UserSignIn(signInForm.UserName, signInForm.Password)
+	if err != nil {
+		if user_model.IsErrUserNotExist(err) {
+			ctx.Data["user_exists"] = true
+			ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplLinkAccount, &signInForm)
+		} else {
+			ctx.ServerError("UserLinkAccount", err)
+		}
+		return
+	}
+
+	linkAccount(ctx, u, gothUser.(goth.User), signInForm.Remember)
+}
+
+func linkAccount(ctx *context.Context, u *user_model.User, gothUser goth.User, remember bool) {
+	updateAvatarIfNeed(gothUser.AvatarURL, u)
+
+	// If this user is enrolled in 2FA, we can't sign the user in just yet.
+	// Instead, redirect them to the 2FA authentication page.
+	// We deliberately ignore the skip local 2fa setting here because we are linking to a previous user here
+	_, err := auth.GetTwoFactorByUID(u.ID)
+	if err != nil {
+		if !auth.IsErrTwoFactorNotEnrolled(err) {
+			ctx.ServerError("UserLinkAccount", err)
+			return
+		}
+
+		err = externalaccount.LinkAccountToUser(u, gothUser)
+		if err != nil {
+			ctx.ServerError("UserLinkAccount", err)
+			return
+		}
+
+		handleSignIn(ctx, u, remember)
+		return
+	}
+
+	if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
+		ctx.ServerError("RegenerateSession", err)
+		return
+	}
+
+	// User needs to use 2FA, save data and redirect to 2FA page.
+	if err := ctx.Session.Set("twofaUid", u.ID); err != nil {
+		log.Error("Error setting twofaUid in session: %v", err)
+	}
+	if err := ctx.Session.Set("twofaRemember", remember); err != nil {
+		log.Error("Error setting twofaRemember in session: %v", err)
+	}
+	if err := ctx.Session.Set("linkAccount", true); err != nil {
+		log.Error("Error setting linkAccount in session: %v", err)
+	}
+	if err := ctx.Session.Release(); err != nil {
+		log.Error("Error storing session: %v", err)
+	}
+
+	// If U2F is enrolled -> Redirect to U2F instead
+	regs, err := auth.GetU2FRegistrationsByUID(u.ID)
+	if err == nil && len(regs) > 0 {
+		ctx.Redirect(setting.AppSubURL + "/user/u2f")
+		return
+	}
+
+	ctx.Redirect(setting.AppSubURL + "/user/two_factor")
+}
+
+// LinkAccountPostRegister handle the creation of a new account for an external account using signUp
+func LinkAccountPostRegister(ctx *context.Context) {
+	form := web.GetForm(ctx).(*forms.RegisterForm)
+	// TODO Make insecure passwords optional for local accounts also,
+	//      once email-based Second-Factor Auth is available
+	ctx.Data["DisablePassword"] = !setting.Service.RequireExternalRegistrationPassword || setting.Service.AllowOnlyExternalRegistration
+	ctx.Data["Title"] = ctx.Tr("link_account")
+	ctx.Data["LinkAccountMode"] = true
+	ctx.Data["LinkAccountModeRegister"] = true
+	ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha && setting.Service.RequireExternalRegistrationCaptcha
+	ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL
+	ctx.Data["Captcha"] = context.GetImageCaptcha()
+	ctx.Data["CaptchaType"] = setting.Service.CaptchaType
+	ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
+	ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
+	ctx.Data["DisableRegistration"] = setting.Service.DisableRegistration
+	ctx.Data["ShowRegistrationButton"] = false
+
+	// use this to set the right link into the signIn and signUp templates in the link_account template
+	ctx.Data["SignInLink"] = setting.AppSubURL + "/user/link_account_signin"
+	ctx.Data["SignUpLink"] = setting.AppSubURL + "/user/link_account_signup"
+
+	gothUserInterface := ctx.Session.Get("linkAccountGothUser")
+	if gothUserInterface == nil {
+		ctx.ServerError("UserSignUp", errors.New("not in LinkAccount session"))
+		return
+	}
+	gothUser, ok := gothUserInterface.(goth.User)
+	if !ok {
+		ctx.ServerError("UserSignUp", fmt.Errorf("session linkAccountGothUser type is %t but not goth.User", gothUserInterface))
+		return
+	}
+
+	if ctx.HasError() {
+		ctx.HTML(http.StatusOK, tplLinkAccount)
+		return
+	}
+
+	if setting.Service.DisableRegistration || setting.Service.AllowOnlyInternalRegistration {
+		ctx.Error(http.StatusForbidden)
+		return
+	}
+
+	if setting.Service.EnableCaptcha && setting.Service.RequireExternalRegistrationCaptcha {
+		var valid bool
+		var err error
+		switch setting.Service.CaptchaType {
+		case setting.ImageCaptcha:
+			valid = context.GetImageCaptcha().VerifyReq(ctx.Req)
+		case setting.ReCaptcha:
+			valid, err = recaptcha.Verify(ctx, form.GRecaptchaResponse)
+		case setting.HCaptcha:
+			valid, err = hcaptcha.Verify(ctx, form.HcaptchaResponse)
+		default:
+			ctx.ServerError("Unknown Captcha Type", fmt.Errorf("Unknown Captcha Type: %s", setting.Service.CaptchaType))
+			return
+		}
+		if err != nil {
+			log.Debug("%s", err.Error())
+		}
+
+		if !valid {
+			ctx.Data["Err_Captcha"] = true
+			ctx.RenderWithErr(ctx.Tr("form.captcha_incorrect"), tplLinkAccount, &form)
+			return
+		}
+	}
+
+	if !form.IsEmailDomainAllowed() {
+		ctx.RenderWithErr(ctx.Tr("auth.email_domain_blacklisted"), tplLinkAccount, &form)
+		return
+	}
+
+	if setting.Service.AllowOnlyExternalRegistration || !setting.Service.RequireExternalRegistrationPassword {
+		// In user_model.User an empty password is classed as not set, so we set form.Password to empty.
+		// Eventually the database should be changed to indicate "Second Factor"-enabled accounts
+		// (accounts that do not introduce the security vulnerabilities of a password).
+		// If a user decides to circumvent second-factor security, and purposefully create a password,
+		// they can still do so using the "Recover Account" option.
+		form.Password = ""
+	} else {
+		if (len(strings.TrimSpace(form.Password)) > 0 || len(strings.TrimSpace(form.Retype)) > 0) && form.Password != form.Retype {
+			ctx.Data["Err_Password"] = true
+			ctx.RenderWithErr(ctx.Tr("form.password_not_match"), tplLinkAccount, &form)
+			return
+		}
+		if len(strings.TrimSpace(form.Password)) > 0 && len(form.Password) < setting.MinPasswordLength {
+			ctx.Data["Err_Password"] = true
+			ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplLinkAccount, &form)
+			return
+		}
+	}
+
+	authSource, err := auth.GetActiveOAuth2SourceByName(gothUser.Provider)
+	if err != nil {
+		ctx.ServerError("CreateUser", err)
+		return
+	}
+
+	u := &user_model.User{
+		Name:        form.UserName,
+		Email:       form.Email,
+		Passwd:      form.Password,
+		IsActive:    !(setting.Service.RegisterEmailConfirm || setting.Service.RegisterManualConfirm),
+		LoginType:   auth.OAuth2,
+		LoginSource: authSource.ID,
+		LoginName:   gothUser.UserID,
+	}
+
+	if !createAndHandleCreatedUser(ctx, tplLinkAccount, form, u, &gothUser, false) {
+		// error already handled
+		return
+	}
+
+	handleSignIn(ctx, u, false)
+}
diff --git a/routers/web/auth/main_test.go b/routers/web/auth/main_test.go
new file mode 100644
index 0000000000..2b16f3c405
--- /dev/null
+++ b/routers/web/auth/main_test.go
@@ -0,0 +1,16 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package auth
+
+import (
+	"path/filepath"
+	"testing"
+
+	"code.gitea.io/gitea/models/unittest"
+)
+
+func TestMain(m *testing.M) {
+	unittest.MainTest(m, filepath.Join("..", "..", ".."))
+}
diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
new file mode 100644
index 0000000000..9b22773d2f
--- /dev/null
+++ b/routers/web/auth/oauth.go
@@ -0,0 +1,1124 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package auth
+
+import (
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"html"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/models/auth"
+	"code.gitea.io/gitea/models/db"
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/base"
+	"code.gitea.io/gitea/modules/context"
+	"code.gitea.io/gitea/modules/json"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/session"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/timeutil"
+	"code.gitea.io/gitea/modules/web"
+	"code.gitea.io/gitea/modules/web/middleware"
+	auth_service "code.gitea.io/gitea/services/auth"
+	"code.gitea.io/gitea/services/auth/source/oauth2"
+	"code.gitea.io/gitea/services/externalaccount"
+	"code.gitea.io/gitea/services/forms"
+	user_service "code.gitea.io/gitea/services/user"
+
+	"gitea.com/go-chi/binding"
+	"github.com/golang-jwt/jwt"
+	"github.com/markbates/goth"
+)
+
+const (
+	tplGrantAccess base.TplName = "user/auth/grant"
+	tplGrantError  base.TplName = "user/auth/grant_error"
+)
+
+// TODO move error and responses to SDK or models
+
+// AuthorizeErrorCode represents an error code specified in RFC 6749
+type AuthorizeErrorCode string
+
+const (
+	// ErrorCodeInvalidRequest represents the according error in RFC 6749
+	ErrorCodeInvalidRequest AuthorizeErrorCode = "invalid_request"
+	// ErrorCodeUnauthorizedClient represents the according error in RFC 6749
+	ErrorCodeUnauthorizedClient AuthorizeErrorCode = "unauthorized_client"
+	// ErrorCodeAccessDenied represents the according error in RFC 6749
+	ErrorCodeAccessDenied AuthorizeErrorCode = "access_denied"
+	// ErrorCodeUnsupportedResponseType represents the according error in RFC 6749
+	ErrorCodeUnsupportedResponseType AuthorizeErrorCode = "unsupported_response_type"
+	// ErrorCodeInvalidScope represents the according error in RFC 6749
+	ErrorCodeInvalidScope AuthorizeErrorCode = "invalid_scope"
+	// ErrorCodeServerError represents the according error in RFC 6749
+	ErrorCodeServerError AuthorizeErrorCode = "server_error"
+	// ErrorCodeTemporaryUnavailable represents the according error in RFC 6749
+	ErrorCodeTemporaryUnavailable AuthorizeErrorCode = "temporarily_unavailable"
+)
+
+// AuthorizeError represents an error type specified in RFC 6749
+type AuthorizeError struct {
+	ErrorCode        AuthorizeErrorCode `json:"error" form:"error"`
+	ErrorDescription string
+	State            string
+}
+
+// Error returns the error message
+func (err AuthorizeError) Error() string {
+	return fmt.Sprintf("%s: %s", err.ErrorCode, err.ErrorDescription)
+}
+
+// AccessTokenErrorCode represents an error code specified in RFC 6749
+type AccessTokenErrorCode string
+
+const (
+	// AccessTokenErrorCodeInvalidRequest represents an error code specified in RFC 6749
+	AccessTokenErrorCodeInvalidRequest AccessTokenErrorCode = "invalid_request"
+	// AccessTokenErrorCodeInvalidClient represents an error code specified in RFC 6749
+	AccessTokenErrorCodeInvalidClient = "invalid_client"
+	// AccessTokenErrorCodeInvalidGrant represents an error code specified in RFC 6749
+	AccessTokenErrorCodeInvalidGrant = "invalid_grant"
+	// AccessTokenErrorCodeUnauthorizedClient represents an error code specified in RFC 6749
+	AccessTokenErrorCodeUnauthorizedClient = "unauthorized_client"
+	// AccessTokenErrorCodeUnsupportedGrantType represents an error code specified in RFC 6749
+	AccessTokenErrorCodeUnsupportedGrantType = "unsupported_grant_type"
+	// AccessTokenErrorCodeInvalidScope represents an error code specified in RFC 6749
+	AccessTokenErrorCodeInvalidScope = "invalid_scope"
+)
+
+// AccessTokenError represents an error response specified in RFC 6749
+type AccessTokenError struct {
+	ErrorCode        AccessTokenErrorCode `json:"error" form:"error"`
+	ErrorDescription string               `json:"error_description"`
+}
+
+// Error returns the error message
+func (err AccessTokenError) Error() string {
+	return fmt.Sprintf("%s: %s", err.ErrorCode, err.ErrorDescription)
+}
+
+// TokenType specifies the kind of token
+type TokenType string
+
+const (
+	// TokenTypeBearer represents a token type specified in RFC 6749
+	TokenTypeBearer TokenType = "bearer"
+	// TokenTypeMAC represents a token type specified in RFC 6749
+	TokenTypeMAC = "mac"
+)
+
+// AccessTokenResponse represents a successful access token response
+type AccessTokenResponse struct {
+	AccessToken  string    `json:"access_token"`
+	TokenType    TokenType `json:"token_type"`
+	ExpiresIn    int64     `json:"expires_in"`
+	RefreshToken string    `json:"refresh_token"`
+	IDToken      string    `json:"id_token,omitempty"`
+}
+
+func newAccessTokenResponse(grant *auth.OAuth2Grant, serverKey, clientKey oauth2.JWTSigningKey) (*AccessTokenResponse, *AccessTokenError) {
+	if setting.OAuth2.InvalidateRefreshTokens {
+		if err := grant.IncreaseCounter(); err != nil {
+			return nil, &AccessTokenError{
+				ErrorCode:        AccessTokenErrorCodeInvalidGrant,
+				ErrorDescription: "cannot increase the grant counter",
+			}
+		}
+	}
+	// generate access token to access the API
+	expirationDate := timeutil.TimeStampNow().Add(setting.OAuth2.AccessTokenExpirationTime)
+	accessToken := &oauth2.Token{
+		GrantID: grant.ID,
+		Type:    oauth2.TypeAccessToken,
+		StandardClaims: jwt.StandardClaims{
+			ExpiresAt: expirationDate.AsTime().Unix(),
+		},
+	}
+	signedAccessToken, err := accessToken.SignToken(serverKey)
+	if err != nil {
+		return nil, &AccessTokenError{
+			ErrorCode:        AccessTokenErrorCodeInvalidRequest,
+			ErrorDescription: "cannot sign token",
+		}
+	}
+
+	// generate refresh token to request an access token after it expired later
+	refreshExpirationDate := timeutil.TimeStampNow().Add(setting.OAuth2.RefreshTokenExpirationTime * 60 * 60).AsTime().Unix()
+	refreshToken := &oauth2.Token{
+		GrantID: grant.ID,
+		Counter: grant.Counter,
+		Type:    oauth2.TypeRefreshToken,
+		StandardClaims: jwt.StandardClaims{
+			ExpiresAt: refreshExpirationDate,
+		},
+	}
+	signedRefreshToken, err := refreshToken.SignToken(serverKey)
+	if err != nil {
+		return nil, &AccessTokenError{
+			ErrorCode:        AccessTokenErrorCodeInvalidRequest,
+			ErrorDescription: "cannot sign token",
+		}
+	}
+
+	// generate OpenID Connect id_token
+	signedIDToken := ""
+	if grant.ScopeContains("openid") {
+		app, err := auth.GetOAuth2ApplicationByID(grant.ApplicationID)
+		if err != nil {
+			return nil, &AccessTokenError{
+				ErrorCode:        AccessTokenErrorCodeInvalidRequest,
+				ErrorDescription: "cannot find application",
+			}
+		}
+		user, err := user_model.GetUserByID(grant.UserID)
+		if err != nil {
+			if user_model.IsErrUserNotExist(err) {
+				return nil, &AccessTokenError{
+					ErrorCode:        AccessTokenErrorCodeInvalidRequest,
+					ErrorDescription: "cannot find user",
+				}
+			}
+			log.Error("Error loading user: %v", err)
+			return nil, &AccessTokenError{
+				ErrorCode:        AccessTokenErrorCodeInvalidRequest,
+				ErrorDescription: "server error",
+			}
+		}
+
+		idToken := &oauth2.OIDCToken{
+			StandardClaims: jwt.StandardClaims{
+				ExpiresAt: expirationDate.AsTime().Unix(),
+				Issuer:    setting.AppURL,
+				Audience:  app.ClientID,
+				Subject:   fmt.Sprint(grant.UserID),
+			},
+			Nonce: grant.Nonce,
+		}
+		if grant.ScopeContains("profile") {
+			idToken.Name = user.FullName
+			idToken.PreferredUsername = user.Name
+			idToken.Profile = user.HTMLURL()
+			idToken.Picture = user.AvatarLink()
+			idToken.Website = user.Website
+			idToken.Locale = user.Language
+			idToken.UpdatedAt = user.UpdatedUnix
+		}
+		if grant.ScopeContains("email") {
+			idToken.Email = user.Email
+			idToken.EmailVerified = user.IsActive
+		}
+		if grant.ScopeContains("groups") {
+			groups, err := getOAuthGroupsForUser(user)
+			if err != nil {
+				log.Error("Error getting groups: %v", err)
+				return nil, &AccessTokenError{
+					ErrorCode:        AccessTokenErrorCodeInvalidRequest,
+					ErrorDescription: "server error",
+				}
+			}
+			idToken.Groups = groups
+		}
+
+		signedIDToken, err = idToken.SignToken(clientKey)
+		if err != nil {
+			return nil, &AccessTokenError{
+				ErrorCode:        AccessTokenErrorCodeInvalidRequest,
+				ErrorDescription: "cannot sign token",
+			}
+		}
+	}
+
+	return &AccessTokenResponse{
+		AccessToken:  signedAccessToken,
+		TokenType:    TokenTypeBearer,
+		ExpiresIn:    setting.OAuth2.AccessTokenExpirationTime,
+		RefreshToken: signedRefreshToken,
+		IDToken:      signedIDToken,
+	}, nil
+}
+
+type userInfoResponse struct {
+	Sub      string   `json:"sub"`
+	Name     string   `json:"name"`
+	Username string   `json:"preferred_username"`
+	Email    string   `json:"email"`
+	Picture  string   `json:"picture"`
+	Groups   []string `json:"groups"`
+}
+
+// InfoOAuth manages request for userinfo endpoint
+func InfoOAuth(ctx *context.Context) {
+	if ctx.User == nil || ctx.Data["AuthedMethod"] != (&auth_service.OAuth2{}).Name() {
+		ctx.Resp.Header().Set("WWW-Authenticate", `Bearer realm=""`)
+		ctx.PlainText(http.StatusUnauthorized, "no valid authorization")
+		return
+	}
+
+	response := &userInfoResponse{
+		Sub:      fmt.Sprint(ctx.User.ID),
+		Name:     ctx.User.FullName,
+		Username: ctx.User.Name,
+		Email:    ctx.User.Email,
+		Picture:  ctx.User.AvatarLink(),
+	}
+
+	groups, err := getOAuthGroupsForUser(ctx.User)
+	if err != nil {
+		ctx.ServerError("Oauth groups for user", err)
+		return
+	}
+	response.Groups = groups
+
+	ctx.JSON(http.StatusOK, response)
+}
+
+// returns a list of "org" and "org:team" strings,
+// that the given user is a part of.
+func getOAuthGroupsForUser(user *user_model.User) ([]string, error) {
+	orgs, err := models.GetUserOrgsList(user)
+	if err != nil {
+		return nil, fmt.Errorf("GetUserOrgList: %v", err)
+	}
+
+	var groups []string
+	for _, org := range orgs {
+		groups = append(groups, org.Name)
+		teams, err := org.LoadTeams()
+		if err != nil {
+			return nil, fmt.Errorf("LoadTeams: %v", err)
+		}
+		for _, team := range teams {
+			if team.IsMember(user.ID) {
+				groups = append(groups, org.Name+":"+team.LowerName)
+			}
+		}
+	}
+	return groups, nil
+}
+
+// IntrospectOAuth introspects an oauth token
+func IntrospectOAuth(ctx *context.Context) {
+	if ctx.User == nil {
+		ctx.Resp.Header().Set("WWW-Authenticate", `Bearer realm=""`)
+		ctx.PlainText(http.StatusUnauthorized, "no valid authorization")
+		return
+	}
+
+	var response struct {
+		Active bool   `json:"active"`
+		Scope  string `json:"scope,omitempty"`
+		jwt.StandardClaims
+	}
+
+	form := web.GetForm(ctx).(*forms.IntrospectTokenForm)
+	token, err := oauth2.ParseToken(form.Token, oauth2.DefaultSigningKey)
+	if err == nil {
+		if token.Valid() == nil {
+			grant, err := auth.GetOAuth2GrantByID(token.GrantID)
+			if err == nil && grant != nil {
+				app, err := auth.GetOAuth2ApplicationByID(grant.ApplicationID)
+				if err == nil && app != nil {
+					response.Active = true
+					response.Scope = grant.Scope
+					response.Issuer = setting.AppURL
+					response.Audience = app.ClientID
+					response.Subject = fmt.Sprint(grant.UserID)
+				}
+			}
+		}
+	}
+
+	ctx.JSON(http.StatusOK, response)
+}
+
+// AuthorizeOAuth manages authorize requests
+func AuthorizeOAuth(ctx *context.Context) {
+	form := web.GetForm(ctx).(*forms.AuthorizationForm)
+	errs := binding.Errors{}
+	errs = form.Validate(ctx.Req, errs)
+	if len(errs) > 0 {
+		errstring := ""
+		for _, e := range errs {
+			errstring += e.Error() + "\n"
+		}
+		ctx.ServerError("AuthorizeOAuth: Validate: ", fmt.Errorf("errors occurred during validation: %s", errstring))
+		return
+	}
+
+	app, err := auth.GetOAuth2ApplicationByClientID(form.ClientID)
+	if err != nil {
+		if auth.IsErrOauthClientIDInvalid(err) {
+			handleAuthorizeError(ctx, AuthorizeError{
+				ErrorCode:        ErrorCodeUnauthorizedClient,
+				ErrorDescription: "Client ID not registered",
+				State:            form.State,
+			}, "")
+			return
+		}
+		ctx.ServerError("GetOAuth2ApplicationByClientID", err)
+		return
+	}
+
+	user, err := user_model.GetUserByID(app.UID)
+	if err != nil {
+		ctx.ServerError("GetUserByID", err)
+		return
+	}
+
+	if !app.ContainsRedirectURI(form.RedirectURI) {
+		handleAuthorizeError(ctx, AuthorizeError{
+			ErrorCode:        ErrorCodeInvalidRequest,
+			ErrorDescription: "Unregistered Redirect URI",
+			State:            form.State,
+		}, "")
+		return
+	}
+
+	if form.ResponseType != "code" {
+		handleAuthorizeError(ctx, AuthorizeError{
+			ErrorCode:        ErrorCodeUnsupportedResponseType,
+			ErrorDescription: "Only code response type is supported.",
+			State:            form.State,
+		}, form.RedirectURI)
+		return
+	}
+
+	// pkce support
+	switch form.CodeChallengeMethod {
+	case "S256":
+	case "plain":
+		if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallengeMethod); err != nil {
+			handleAuthorizeError(ctx, AuthorizeError{
+				ErrorCode:        ErrorCodeServerError,
+				ErrorDescription: "cannot set code challenge method",
+				State:            form.State,
+			}, form.RedirectURI)
+			return
+		}
+		if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallenge); err != nil {
+			handleAuthorizeError(ctx, AuthorizeError{
+				ErrorCode:        ErrorCodeServerError,
+				ErrorDescription: "cannot set code challenge",
+				State:            form.State,
+			}, form.RedirectURI)
+			return
+		}
+		// Here we're just going to try to release the session early
+		if err := ctx.Session.Release(); err != nil {
+			// we'll tolerate errors here as they *should* get saved elsewhere
+			log.Error("Unable to save changes to the session: %v", err)
+		}
+	case "":
+		break
+	default:
+		handleAuthorizeError(ctx, AuthorizeError{
+			ErrorCode:        ErrorCodeInvalidRequest,
+			ErrorDescription: "unsupported code challenge method",
+			State:            form.State,
+		}, form.RedirectURI)
+		return
+	}
+
+	grant, err := app.GetGrantByUserID(ctx.User.ID)
+	if err != nil {
+		handleServerError(ctx, form.State, form.RedirectURI)
+		return
+	}
+
+	// Redirect if user already granted access
+	if grant != nil {
+		code, err := grant.GenerateNewAuthorizationCode(form.RedirectURI, form.CodeChallenge, form.CodeChallengeMethod)
+		if err != nil {
+			handleServerError(ctx, form.State, form.RedirectURI)
+			return
+		}
+		redirect, err := code.GenerateRedirectURI(form.State)
+		if err != nil {
+			handleServerError(ctx, form.State, form.RedirectURI)
+			return
+		}
+		// Update nonce to reflect the new session
+		if len(form.Nonce) > 0 {
+			err := grant.SetNonce(form.Nonce)
+			if err != nil {
+				log.Error("Unable to update nonce: %v", err)
+			}
+		}
+		ctx.Redirect(redirect.String(), 302)
+		return
+	}
+
+	// show authorize page to grant access
+	ctx.Data["Application"] = app
+	ctx.Data["RedirectURI"] = form.RedirectURI
+	ctx.Data["State"] = form.State
+	ctx.Data["Scope"] = form.Scope
+	ctx.Data["Nonce"] = form.Nonce
+	ctx.Data["ApplicationUserLink"] = "<a href=\"" + html.EscapeString(user.HTMLURL()) + "\">@" + html.EscapeString(user.Name) + "</a>"
+	ctx.Data["ApplicationRedirectDomainHTML"] = "<strong>" + html.EscapeString(form.RedirectURI) + "</strong>"
+	// TODO document SESSION <=> FORM
+	err = ctx.Session.Set("client_id", app.ClientID)
+	if err != nil {
+		handleServerError(ctx, form.State, form.RedirectURI)
+		log.Error(err.Error())
+		return
+	}
+	err = ctx.Session.Set("redirect_uri", form.RedirectURI)
+	if err != nil {
+		handleServerError(ctx, form.State, form.RedirectURI)
+		log.Error(err.Error())
+		return
+	}
+	err = ctx.Session.Set("state", form.State)
+	if err != nil {
+		handleServerError(ctx, form.State, form.RedirectURI)
+		log.Error(err.Error())
+		return
+	}
+	// Here we're just going to try to release the session early
+	if err := ctx.Session.Release(); err != nil {
+		// we'll tolerate errors here as they *should* get saved elsewhere
+		log.Error("Unable to save changes to the session: %v", err)
+	}
+	ctx.HTML(http.StatusOK, tplGrantAccess)
+}
+
+// GrantApplicationOAuth manages the post request submitted when a user grants access to an application
+func GrantApplicationOAuth(ctx *context.Context) {
+	form := web.GetForm(ctx).(*forms.GrantApplicationForm)
+	if ctx.Session.Get("client_id") != form.ClientID || ctx.Session.Get("state") != form.State ||
+		ctx.Session.Get("redirect_uri") != form.RedirectURI {
+		ctx.Error(http.StatusBadRequest)
+		return
+	}
+	app, err := auth.GetOAuth2ApplicationByClientID(form.ClientID)
+	if err != nil {
+		ctx.ServerError("GetOAuth2ApplicationByClientID", err)
+		return
+	}
+	grant, err := app.CreateGrant(ctx.User.ID, form.Scope)
+	if err != nil {
+		handleAuthorizeError(ctx, AuthorizeError{
+			State:            form.State,
+			ErrorDescription: "cannot create grant for user",
+			ErrorCode:        ErrorCodeServerError,
+		}, form.RedirectURI)
+		return
+	}
+	if len(form.Nonce) > 0 {
+		err := grant.SetNonce(form.Nonce)
+		if err != nil {
+			log.Error("Unable to update nonce: %v", err)
+		}
+	}
+
+	var codeChallenge, codeChallengeMethod string
+	codeChallenge, _ = ctx.Session.Get("CodeChallenge").(string)
+	codeChallengeMethod, _ = ctx.Session.Get("CodeChallengeMethod").(string)
+
+	code, err := grant.GenerateNewAuthorizationCode(form.RedirectURI, codeChallenge, codeChallengeMethod)
+	if err != nil {
+		handleServerError(ctx, form.State, form.RedirectURI)
+		return
+	}
+	redirect, err := code.GenerateRedirectURI(form.State)
+	if err != nil {
+		handleServerError(ctx, form.State, form.RedirectURI)
+		return
+	}
+	ctx.Redirect(redirect.String(), 302)
+}
+
+// OIDCWellKnown generates JSON so OIDC clients know Gitea's capabilities
+func OIDCWellKnown(ctx *context.Context) {
+	t := ctx.Render.TemplateLookup("user/auth/oidc_wellknown")
+	ctx.Resp.Header().Set("Content-Type", "application/json")
+	ctx.Data["SigningKey"] = oauth2.DefaultSigningKey
+	if err := t.Execute(ctx.Resp, ctx.Data); err != nil {
+		log.Error("%v", err)
+		ctx.Error(http.StatusInternalServerError)
+	}
+}
+
+// OIDCKeys generates the JSON Web Key Set
+func OIDCKeys(ctx *context.Context) {
+	jwk, err := oauth2.DefaultSigningKey.ToJWK()
+	if err != nil {
+		log.Error("Error converting signing key to JWK: %v", err)
+		ctx.Error(http.StatusInternalServerError)
+		return
+	}
+
+	jwk["use"] = "sig"
+
+	jwks := map[string][]map[string]string{
+		"keys": {
+			jwk,
+		},
+	}
+
+	ctx.Resp.Header().Set("Content-Type", "application/json")
+	enc := json.NewEncoder(ctx.Resp)
+	if err := enc.Encode(jwks); err != nil {
+		log.Error("Failed to encode representation as json. Error: %v", err)
+	}
+}
+
+// AccessTokenOAuth manages all access token requests by the client
+func AccessTokenOAuth(ctx *context.Context) {
+	form := *web.GetForm(ctx).(*forms.AccessTokenForm)
+	if form.ClientID == "" {
+		authHeader := ctx.Req.Header.Get("Authorization")
+		authContent := strings.SplitN(authHeader, " ", 2)
+		if len(authContent) == 2 && authContent[0] == "Basic" {
+			payload, err := base64.StdEncoding.DecodeString(authContent[1])
+			if err != nil {
+				handleAccessTokenError(ctx, AccessTokenError{
+					ErrorCode:        AccessTokenErrorCodeInvalidRequest,
+					ErrorDescription: "cannot parse basic auth header",
+				})
+				return
+			}
+			pair := strings.SplitN(string(payload), ":", 2)
+			if len(pair) != 2 {
+				handleAccessTokenError(ctx, AccessTokenError{
+					ErrorCode:        AccessTokenErrorCodeInvalidRequest,
+					ErrorDescription: "cannot parse basic auth header",
+				})
+				return
+			}
+			form.ClientID = pair[0]
+			form.ClientSecret = pair[1]
+		}
+	}
+
+	serverKey := oauth2.DefaultSigningKey
+	clientKey := serverKey
+	if serverKey.IsSymmetric() {
+		var err error
+		clientKey, err = oauth2.CreateJWTSigningKey(serverKey.SigningMethod().Alg(), []byte(form.ClientSecret))
+		if err != nil {
+			handleAccessTokenError(ctx, AccessTokenError{
+				ErrorCode:        AccessTokenErrorCodeInvalidRequest,
+				ErrorDescription: "Error creating signing key",
+			})
+			return
+		}
+	}
+
+	switch form.GrantType {
+	case "refresh_token":
+		handleRefreshToken(ctx, form, serverKey, clientKey)
+	case "authorization_code":
+		handleAuthorizationCode(ctx, form, serverKey, clientKey)
+	default:
+		handleAccessTokenError(ctx, AccessTokenError{
+			ErrorCode:        AccessTokenErrorCodeUnsupportedGrantType,
+			ErrorDescription: "Only refresh_token or authorization_code grant type is supported",
+		})
+	}
+}
+
+func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, serverKey, clientKey oauth2.JWTSigningKey) {
+	token, err := oauth2.ParseToken(form.RefreshToken, serverKey)
+	if err != nil {
+		handleAccessTokenError(ctx, AccessTokenError{
+			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,
+			ErrorDescription: "client is not authorized",
+		})
+		return
+	}
+	// get grant before increasing counter
+	grant, err := auth.GetOAuth2GrantByID(token.GrantID)
+	if err != nil || grant == nil {
+		handleAccessTokenError(ctx, AccessTokenError{
+			ErrorCode:        AccessTokenErrorCodeInvalidGrant,
+			ErrorDescription: "grant does not exist",
+		})
+		return
+	}
+
+	// check if token got already used
+	if setting.OAuth2.InvalidateRefreshTokens && (grant.Counter != token.Counter || token.Counter == 0) {
+		handleAccessTokenError(ctx, AccessTokenError{
+			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,
+			ErrorDescription: "token was already used",
+		})
+		log.Warn("A client tried to use a refresh token for grant_id = %d was used twice!", grant.ID)
+		return
+	}
+	accessToken, tokenErr := newAccessTokenResponse(grant, serverKey, clientKey)
+	if tokenErr != nil {
+		handleAccessTokenError(ctx, *tokenErr)
+		return
+	}
+	ctx.JSON(http.StatusOK, accessToken)
+}
+
+func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, serverKey, clientKey oauth2.JWTSigningKey) {
+	app, err := auth.GetOAuth2ApplicationByClientID(form.ClientID)
+	if err != nil {
+		handleAccessTokenError(ctx, AccessTokenError{
+			ErrorCode:        AccessTokenErrorCodeInvalidClient,
+			ErrorDescription: fmt.Sprintf("cannot load client with client id: '%s'", form.ClientID),
+		})
+		return
+	}
+	if !app.ValidateClientSecret([]byte(form.ClientSecret)) {
+		handleAccessTokenError(ctx, AccessTokenError{
+			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,
+			ErrorDescription: "client is not authorized",
+		})
+		return
+	}
+	if form.RedirectURI != "" && !app.ContainsRedirectURI(form.RedirectURI) {
+		handleAccessTokenError(ctx, AccessTokenError{
+			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,
+			ErrorDescription: "client is not authorized",
+		})
+		return
+	}
+	authorizationCode, err := auth.GetOAuth2AuthorizationByCode(form.Code)
+	if err != nil || authorizationCode == nil {
+		handleAccessTokenError(ctx, AccessTokenError{
+			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,
+			ErrorDescription: "client is not authorized",
+		})
+		return
+	}
+	// check if code verifier authorizes the client, PKCE support
+	if !authorizationCode.ValidateCodeChallenge(form.CodeVerifier) {
+		handleAccessTokenError(ctx, AccessTokenError{
+			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,
+			ErrorDescription: "client is not authorized",
+		})
+		return
+	}
+	// check if granted for this application
+	if authorizationCode.Grant.ApplicationID != app.ID {
+		handleAccessTokenError(ctx, AccessTokenError{
+			ErrorCode:        AccessTokenErrorCodeInvalidGrant,
+			ErrorDescription: "invalid grant",
+		})
+		return
+	}
+	// remove token from database to deny duplicate usage
+	if err := authorizationCode.Invalidate(); err != nil {
+		handleAccessTokenError(ctx, AccessTokenError{
+			ErrorCode:        AccessTokenErrorCodeInvalidRequest,
+			ErrorDescription: "cannot proceed your request",
+		})
+	}
+	resp, tokenErr := newAccessTokenResponse(authorizationCode.Grant, serverKey, clientKey)
+	if tokenErr != nil {
+		handleAccessTokenError(ctx, *tokenErr)
+		return
+	}
+	// send successful response
+	ctx.JSON(http.StatusOK, resp)
+}
+
+func handleAccessTokenError(ctx *context.Context, acErr AccessTokenError) {
+	ctx.JSON(http.StatusBadRequest, acErr)
+}
+
+func handleServerError(ctx *context.Context, state, redirectURI string) {
+	handleAuthorizeError(ctx, AuthorizeError{
+		ErrorCode:        ErrorCodeServerError,
+		ErrorDescription: "A server error occurred",
+		State:            state,
+	}, redirectURI)
+}
+
+func handleAuthorizeError(ctx *context.Context, authErr AuthorizeError, redirectURI string) {
+	if redirectURI == "" {
+		log.Warn("Authorization failed: %v", authErr.ErrorDescription)
+		ctx.Data["Error"] = authErr
+		ctx.HTML(400, tplGrantError)
+		return
+	}
+	redirect, err := url.Parse(redirectURI)
+	if err != nil {
+		ctx.ServerError("url.Parse", err)
+		return
+	}
+	q := redirect.Query()
+	q.Set("error", string(authErr.ErrorCode))
+	q.Set("error_description", authErr.ErrorDescription)
+	q.Set("state", authErr.State)
+	redirect.RawQuery = q.Encode()
+	ctx.Redirect(redirect.String(), 302)
+}
+
+// SignInOAuth handles the OAuth2 login buttons
+func SignInOAuth(ctx *context.Context) {
+	provider := ctx.Params(":provider")
+
+	authSource, err := auth.GetActiveOAuth2SourceByName(provider)
+	if err != nil {
+		ctx.ServerError("SignIn", err)
+		return
+	}
+
+	// try to do a direct callback flow, so we don't authenticate the user again but use the valid accesstoken to get the user
+	user, gothUser, err := oAuth2UserLoginCallback(authSource, ctx.Req, ctx.Resp)
+	if err == nil && user != nil {
+		// we got the user without going through the whole OAuth2 authentication flow again
+		handleOAuth2SignIn(ctx, authSource, user, gothUser)
+		return
+	}
+
+	if err = authSource.Cfg.(*oauth2.Source).Callout(ctx.Req, ctx.Resp); err != nil {
+		if strings.Contains(err.Error(), "no provider for ") {
+			if err = oauth2.ResetOAuth2(); err != nil {
+				ctx.ServerError("SignIn", err)
+				return
+			}
+			if err = authSource.Cfg.(*oauth2.Source).Callout(ctx.Req, ctx.Resp); err != nil {
+				ctx.ServerError("SignIn", err)
+			}
+			return
+		}
+		ctx.ServerError("SignIn", err)
+	}
+	// redirect is done in oauth2.Auth
+}
+
+// SignInOAuthCallback handles the callback from the given provider
+func SignInOAuthCallback(ctx *context.Context) {
+	provider := ctx.Params(":provider")
+
+	// first look if the provider is still active
+	authSource, err := auth.GetActiveOAuth2SourceByName(provider)
+	if err != nil {
+		ctx.ServerError("SignIn", err)
+		return
+	}
+
+	if authSource == nil {
+		ctx.ServerError("SignIn", errors.New("No valid provider found, check configured callback url in provider"))
+		return
+	}
+
+	u, gothUser, err := oAuth2UserLoginCallback(authSource, ctx.Req, ctx.Resp)
+
+	if err != nil {
+		if user_model.IsErrUserProhibitLogin(err) {
+			uplerr := err.(*user_model.ErrUserProhibitLogin)
+			log.Info("Failed authentication attempt for %s from %s: %v", uplerr.Name, ctx.RemoteAddr(), err)
+			ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
+			ctx.HTML(http.StatusOK, "user/auth/prohibit_login")
+			return
+		}
+		ctx.ServerError("UserSignIn", err)
+		return
+	}
+
+	if u == nil {
+		if !setting.Service.AllowOnlyInternalRegistration && setting.OAuth2Client.EnableAutoRegistration {
+			// create new user with details from oauth2 provider
+			var missingFields []string
+			if gothUser.UserID == "" {
+				missingFields = append(missingFields, "sub")
+			}
+			if gothUser.Email == "" {
+				missingFields = append(missingFields, "email")
+			}
+			if setting.OAuth2Client.Username == setting.OAuth2UsernameNickname && gothUser.NickName == "" {
+				missingFields = append(missingFields, "nickname")
+			}
+			if len(missingFields) > 0 {
+				log.Error("OAuth2 Provider %s returned empty or missing fields: %s", authSource.Name, missingFields)
+				if authSource.IsOAuth2() && authSource.Cfg.(*oauth2.Source).Provider == "openidConnect" {
+					log.Error("You may need to change the 'OPENID_CONNECT_SCOPES' setting to request all required fields")
+				}
+				err = fmt.Errorf("OAuth2 Provider %s returned empty or missing fields: %s", authSource.Name, missingFields)
+				ctx.ServerError("CreateUser", err)
+				return
+			}
+			u = &user_model.User{
+				Name:         getUserName(&gothUser),
+				FullName:     gothUser.Name,
+				Email:        gothUser.Email,
+				IsActive:     !setting.OAuth2Client.RegisterEmailConfirm,
+				LoginType:    auth.OAuth2,
+				LoginSource:  authSource.ID,
+				LoginName:    gothUser.UserID,
+				IsRestricted: setting.Service.DefaultUserIsRestricted,
+			}
+
+			setUserGroupClaims(authSource, u, &gothUser)
+
+			if !createAndHandleCreatedUser(ctx, base.TplName(""), nil, u, &gothUser, setting.OAuth2Client.AccountLinking != setting.OAuth2AccountLinkingDisabled) {
+				// error already handled
+				return
+			}
+		} else {
+			// no existing user is found, request attach or new account
+			showLinkingLogin(ctx, gothUser)
+			return
+		}
+	}
+
+	handleOAuth2SignIn(ctx, authSource, u, gothUser)
+}
+
+func claimValueToStringSlice(claimValue interface{}) []string {
+	var groups []string
+
+	switch rawGroup := claimValue.(type) {
+	case []string:
+		groups = rawGroup
+	default:
+		str := fmt.Sprintf("%s", rawGroup)
+		groups = strings.Split(str, ",")
+	}
+	return groups
+}
+
+func setUserGroupClaims(loginSource *auth.Source, u *user_model.User, gothUser *goth.User) bool {
+	source := loginSource.Cfg.(*oauth2.Source)
+	if source.GroupClaimName == "" || (source.AdminGroup == "" && source.RestrictedGroup == "") {
+		return false
+	}
+
+	groupClaims, has := gothUser.RawData[source.GroupClaimName]
+	if !has {
+		return false
+	}
+
+	groups := claimValueToStringSlice(groupClaims)
+
+	wasAdmin, wasRestricted := u.IsAdmin, u.IsRestricted
+
+	if source.AdminGroup != "" {
+		u.IsAdmin = false
+	}
+	if source.RestrictedGroup != "" {
+		u.IsRestricted = false
+	}
+
+	for _, g := range groups {
+		if source.AdminGroup != "" && g == source.AdminGroup {
+			u.IsAdmin = true
+		} else if source.RestrictedGroup != "" && g == source.RestrictedGroup {
+			u.IsRestricted = true
+		}
+	}
+
+	return wasAdmin != u.IsAdmin || wasRestricted != u.IsRestricted
+}
+
+func showLinkingLogin(ctx *context.Context, gothUser goth.User) {
+	if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
+		ctx.ServerError("RegenerateSession", err)
+		return
+	}
+
+	if err := ctx.Session.Set("linkAccountGothUser", gothUser); err != nil {
+		log.Error("Error setting linkAccountGothUser in session: %v", err)
+	}
+	if err := ctx.Session.Release(); err != nil {
+		log.Error("Error storing session: %v", err)
+	}
+	ctx.Redirect(setting.AppSubURL + "/user/link_account")
+}
+
+func updateAvatarIfNeed(url string, u *user_model.User) {
+	if setting.OAuth2Client.UpdateAvatar && len(url) > 0 {
+		resp, err := http.Get(url)
+		if err == nil {
+			defer func() {
+				_ = resp.Body.Close()
+			}()
+		}
+		// ignore any error
+		if err == nil && resp.StatusCode == http.StatusOK {
+			data, err := io.ReadAll(io.LimitReader(resp.Body, setting.Avatar.MaxFileSize+1))
+			if err == nil && int64(len(data)) <= setting.Avatar.MaxFileSize {
+				_ = user_service.UploadAvatar(u, data)
+			}
+		}
+	}
+}
+
+func handleOAuth2SignIn(ctx *context.Context, source *auth.Source, u *user_model.User, gothUser goth.User) {
+	updateAvatarIfNeed(gothUser.AvatarURL, u)
+
+	needs2FA := false
+	if !source.Cfg.(*oauth2.Source).SkipLocalTwoFA {
+		_, err := auth.GetTwoFactorByUID(u.ID)
+		if err != nil && !auth.IsErrTwoFactorNotEnrolled(err) {
+			ctx.ServerError("UserSignIn", err)
+			return
+		}
+		needs2FA = err == nil
+	}
+
+	// If this user is enrolled in 2FA and this source doesn't override it,
+	// we can't sign the user in just yet. Instead, redirect them to the 2FA authentication page.
+	if !needs2FA {
+		if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
+			ctx.ServerError("RegenerateSession", err)
+			return
+		}
+
+		if err := ctx.Session.Set("uid", u.ID); err != nil {
+			log.Error("Error setting uid in session: %v", err)
+		}
+		if err := ctx.Session.Set("uname", u.Name); err != nil {
+			log.Error("Error setting uname in session: %v", err)
+		}
+		if err := ctx.Session.Release(); err != nil {
+			log.Error("Error storing session: %v", err)
+		}
+
+		// Clear whatever CSRF has right now, force to generate a new one
+		middleware.DeleteCSRFCookie(ctx.Resp)
+
+		// Register last login
+		u.SetLastLogin()
+
+		// Update GroupClaims
+		changed := setUserGroupClaims(source, u, &gothUser)
+		cols := []string{"last_login_unix"}
+		if changed {
+			cols = append(cols, "is_admin", "is_restricted")
+		}
+
+		if err := user_model.UpdateUserCols(db.DefaultContext, u, cols...); err != nil {
+			ctx.ServerError("UpdateUserCols", err)
+			return
+		}
+
+		// update external user information
+		if err := externalaccount.UpdateExternalUser(u, gothUser); err != nil {
+			log.Error("UpdateExternalUser failed: %v", err)
+		}
+
+		if err := resetLocale(ctx, u); err != nil {
+			ctx.ServerError("resetLocale", err)
+			return
+		}
+
+		if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 {
+			middleware.DeleteRedirectToCookie(ctx.Resp)
+			ctx.RedirectToFirst(redirectTo)
+			return
+		}
+
+		ctx.Redirect(setting.AppSubURL + "/")
+		return
+	}
+
+	changed := setUserGroupClaims(source, u, &gothUser)
+	if changed {
+		if err := user_model.UpdateUserCols(db.DefaultContext, u, "is_admin", "is_restricted"); err != nil {
+			ctx.ServerError("UpdateUserCols", err)
+			return
+		}
+	}
+
+	if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
+		ctx.ServerError("RegenerateSession", err)
+		return
+	}
+
+	// User needs to use 2FA, save data and redirect to 2FA page.
+	if err := ctx.Session.Set("twofaUid", u.ID); err != nil {
+		log.Error("Error setting twofaUid in session: %v", err)
+	}
+	if err := ctx.Session.Set("twofaRemember", false); err != nil {
+		log.Error("Error setting twofaRemember in session: %v", err)
+	}
+	if err := ctx.Session.Release(); err != nil {
+		log.Error("Error storing session: %v", err)
+	}
+
+	// If U2F is enrolled -> Redirect to U2F instead
+	regs, err := auth.GetU2FRegistrationsByUID(u.ID)
+	if err == nil && len(regs) > 0 {
+		ctx.Redirect(setting.AppSubURL + "/user/u2f")
+		return
+	}
+
+	ctx.Redirect(setting.AppSubURL + "/user/two_factor")
+}
+
+// OAuth2UserLoginCallback attempts to handle the callback from the OAuth2 provider and if successful
+// login the user
+func oAuth2UserLoginCallback(authSource *auth.Source, request *http.Request, response http.ResponseWriter) (*user_model.User, goth.User, error) {
+	oauth2Source := authSource.Cfg.(*oauth2.Source)
+
+	gothUser, err := oauth2Source.Callback(request, response)
+	if err != nil {
+		if err.Error() == "securecookie: the value is too long" || strings.Contains(err.Error(), "Data too long") {
+			log.Error("OAuth2 Provider %s returned too long a token. Current max: %d. Either increase the [OAuth2] MAX_TOKEN_LENGTH or reduce the information returned from the OAuth2 provider", authSource.Name, setting.OAuth2.MaxTokenLength)
+			err = fmt.Errorf("OAuth2 Provider %s returned too long a token. Current max: %d. Either increase the [OAuth2] MAX_TOKEN_LENGTH or reduce the information returned from the OAuth2 provider", authSource.Name, setting.OAuth2.MaxTokenLength)
+		}
+		return nil, goth.User{}, err
+	}
+
+	if oauth2Source.RequiredClaimName != "" {
+		claimInterface, has := gothUser.RawData[oauth2Source.RequiredClaimName]
+		if !has {
+			return nil, goth.User{}, user_model.ErrUserProhibitLogin{Name: gothUser.UserID}
+		}
+
+		if oauth2Source.RequiredClaimValue != "" {
+			groups := claimValueToStringSlice(claimInterface)
+			found := false
+			for _, group := range groups {
+				if group == oauth2Source.RequiredClaimValue {
+					found = true
+					break
+				}
+			}
+			if !found {
+				return nil, goth.User{}, user_model.ErrUserProhibitLogin{Name: gothUser.UserID}
+			}
+		}
+	}
+
+	user := &user_model.User{
+		LoginName:   gothUser.UserID,
+		LoginType:   auth.OAuth2,
+		LoginSource: authSource.ID,
+	}
+
+	hasUser, err := user_model.GetUser(user)
+	if err != nil {
+		return nil, goth.User{}, err
+	}
+
+	if hasUser {
+		return user, gothUser, nil
+	}
+
+	// search in external linked users
+	externalLoginUser := &user_model.ExternalLoginUser{
+		ExternalID:    gothUser.UserID,
+		LoginSourceID: authSource.ID,
+	}
+	hasUser, err = user_model.GetExternalLogin(externalLoginUser)
+	if err != nil {
+		return nil, goth.User{}, err
+	}
+	if hasUser {
+		user, err = user_model.GetUserByID(externalLoginUser.UserID)
+		return user, gothUser, err
+	}
+
+	// no user found to login
+	return nil, gothUser, nil
+
+}
diff --git a/routers/web/auth/oauth_test.go b/routers/web/auth/oauth_test.go
new file mode 100644
index 0000000000..c652d901f3
--- /dev/null
+++ b/routers/web/auth/oauth_test.go
@@ -0,0 +1,76 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package auth
+
+import (
+	"testing"
+
+	"code.gitea.io/gitea/models/auth"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/services/auth/source/oauth2"
+
+	"github.com/golang-jwt/jwt"
+	"github.com/stretchr/testify/assert"
+)
+
+func createAndParseToken(t *testing.T, grant *auth.OAuth2Grant) *oauth2.OIDCToken {
+	signingKey, err := oauth2.CreateJWTSigningKey("HS256", make([]byte, 32))
+	assert.NoError(t, err)
+	assert.NotNil(t, signingKey)
+
+	response, terr := newAccessTokenResponse(grant, signingKey, signingKey)
+	assert.Nil(t, terr)
+	assert.NotNil(t, response)
+
+	parsedToken, err := jwt.ParseWithClaims(response.IDToken, &oauth2.OIDCToken{}, func(token *jwt.Token) (interface{}, error) {
+		assert.NotNil(t, token.Method)
+		assert.Equal(t, signingKey.SigningMethod().Alg(), token.Method.Alg())
+		return signingKey.VerifyKey(), nil
+	})
+	assert.NoError(t, err)
+	assert.True(t, parsedToken.Valid)
+
+	oidcToken, ok := parsedToken.Claims.(*oauth2.OIDCToken)
+	assert.True(t, ok)
+	assert.NotNil(t, oidcToken)
+
+	return oidcToken
+}
+
+func TestNewAccessTokenResponse_OIDCToken(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+
+	grants, err := auth.GetOAuth2GrantsByUserID(3)
+	assert.NoError(t, err)
+	assert.Len(t, grants, 1)
+
+	// Scopes: openid
+	oidcToken := createAndParseToken(t, grants[0])
+	assert.Empty(t, oidcToken.Name)
+	assert.Empty(t, oidcToken.PreferredUsername)
+	assert.Empty(t, oidcToken.Profile)
+	assert.Empty(t, oidcToken.Picture)
+	assert.Empty(t, oidcToken.Website)
+	assert.Empty(t, oidcToken.UpdatedAt)
+	assert.Empty(t, oidcToken.Email)
+	assert.False(t, oidcToken.EmailVerified)
+
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5}).(*user_model.User)
+	grants, err = auth.GetOAuth2GrantsByUserID(user.ID)
+	assert.NoError(t, err)
+	assert.Len(t, grants, 1)
+
+	// Scopes: openid profile email
+	oidcToken = createAndParseToken(t, grants[0])
+	assert.Equal(t, user.FullName, oidcToken.Name)
+	assert.Equal(t, user.Name, oidcToken.PreferredUsername)
+	assert.Equal(t, user.HTMLURL(), oidcToken.Profile)
+	assert.Equal(t, user.AvatarLink(), oidcToken.Picture)
+	assert.Equal(t, user.Website, oidcToken.Website)
+	assert.Equal(t, user.UpdatedUnix, oidcToken.UpdatedAt)
+	assert.Equal(t, user.Email, oidcToken.Email)
+	assert.Equal(t, user.IsActive, oidcToken.EmailVerified)
+}
diff --git a/routers/web/auth/openid.go b/routers/web/auth/openid.go
new file mode 100644
index 0000000000..4395641795
--- /dev/null
+++ b/routers/web/auth/openid.go
@@ -0,0 +1,457 @@
+// Copyright 2017 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package auth
+
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/auth/openid"
+	"code.gitea.io/gitea/modules/base"
+	"code.gitea.io/gitea/modules/context"
+	"code.gitea.io/gitea/modules/hcaptcha"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/recaptcha"
+	"code.gitea.io/gitea/modules/session"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/util"
+	"code.gitea.io/gitea/modules/web"
+	"code.gitea.io/gitea/modules/web/middleware"
+	"code.gitea.io/gitea/services/auth"
+	"code.gitea.io/gitea/services/forms"
+)
+
+const (
+	tplSignInOpenID base.TplName = "user/auth/signin_openid"
+	tplConnectOID   base.TplName = "user/auth/signup_openid_connect"
+	tplSignUpOID    base.TplName = "user/auth/signup_openid_register"
+)
+
+// SignInOpenID render sign in page
+func SignInOpenID(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("sign_in")
+
+	if ctx.FormString("openid.return_to") != "" {
+		signInOpenIDVerify(ctx)
+		return
+	}
+
+	// Check auto-login.
+	isSucceed, err := AutoSignIn(ctx)
+	if err != nil {
+		ctx.ServerError("AutoSignIn", err)
+		return
+	}
+
+	redirectTo := ctx.FormString("redirect_to")
+	if len(redirectTo) > 0 {
+		middleware.SetRedirectToCookie(ctx.Resp, redirectTo)
+	} else {
+		redirectTo = ctx.GetCookie("redirect_to")
+	}
+
+	if isSucceed {
+		middleware.DeleteRedirectToCookie(ctx.Resp)
+		ctx.RedirectToFirst(redirectTo)
+		return
+	}
+
+	ctx.Data["PageIsSignIn"] = true
+	ctx.Data["PageIsLoginOpenID"] = true
+	ctx.HTML(http.StatusOK, tplSignInOpenID)
+}
+
+// Check if the given OpenID URI is allowed by blacklist/whitelist
+func allowedOpenIDURI(uri string) (err error) {
+
+	// In case a Whitelist is present, URI must be in it
+	// in order to be accepted
+	if len(setting.Service.OpenIDWhitelist) != 0 {
+		for _, pat := range setting.Service.OpenIDWhitelist {
+			if pat.MatchString(uri) {
+				return nil // pass
+			}
+		}
+		// must match one of this or be refused
+		return fmt.Errorf("URI not allowed by whitelist")
+	}
+
+	// A blacklist match expliclty forbids
+	for _, pat := range setting.Service.OpenIDBlacklist {
+		if pat.MatchString(uri) {
+			return fmt.Errorf("URI forbidden by blacklist")
+		}
+	}
+
+	return nil
+}
+
+// SignInOpenIDPost response for openid sign in request
+func SignInOpenIDPost(ctx *context.Context) {
+	form := web.GetForm(ctx).(*forms.SignInOpenIDForm)
+	ctx.Data["Title"] = ctx.Tr("sign_in")
+	ctx.Data["PageIsSignIn"] = true
+	ctx.Data["PageIsLoginOpenID"] = true
+
+	if ctx.HasError() {
+		ctx.HTML(http.StatusOK, tplSignInOpenID)
+		return
+	}
+
+	id, err := openid.Normalize(form.Openid)
+	if err != nil {
+		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &form)
+		return
+	}
+	form.Openid = id
+
+	log.Trace("OpenID uri: " + id)
+
+	err = allowedOpenIDURI(id)
+	if err != nil {
+		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &form)
+		return
+	}
+
+	redirectTo := setting.AppURL + "user/login/openid"
+	url, err := openid.RedirectURL(id, redirectTo, setting.AppURL)
+	if err != nil {
+		log.Error("Error in OpenID redirect URL: %s, %v", redirectTo, err.Error())
+		ctx.RenderWithErr(fmt.Sprintf("Unable to find OpenID provider in %s", redirectTo), tplSignInOpenID, &form)
+		return
+	}
+
+	// Request optional nickname and email info
+	// NOTE: change to `openid.sreg.required` to require it
+	url += "&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1"
+	url += "&openid.sreg.optional=nickname%2Cemail"
+
+	log.Trace("Form-passed openid-remember: %t", form.Remember)
+
+	if err := ctx.Session.Set("openid_signin_remember", form.Remember); err != nil {
+		log.Error("SignInOpenIDPost: Could not set openid_signin_remember in session: %v", err)
+	}
+	if err := ctx.Session.Release(); err != nil {
+		log.Error("SignInOpenIDPost: Unable to save changes to the session: %v", err)
+	}
+
+	ctx.Redirect(url)
+}
+
+// signInOpenIDVerify handles response from OpenID provider
+func signInOpenIDVerify(ctx *context.Context) {
+
+	log.Trace("Incoming call to: %s", ctx.Req.URL.String())
+
+	fullURL := setting.AppURL + ctx.Req.URL.String()[1:]
+	log.Trace("Full URL: %s", fullURL)
+
+	var id, err = openid.Verify(fullURL)
+	if err != nil {
+		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &forms.SignInOpenIDForm{
+			Openid: id,
+		})
+		return
+	}
+
+	log.Trace("Verified ID: %s", id)
+
+	/* Now we should seek for the user and log him in, or prompt
+	 * to register if not found */
+
+	u, err := user_model.GetUserByOpenID(id)
+	if err != nil {
+		if !user_model.IsErrUserNotExist(err) {
+			ctx.RenderWithErr(err.Error(), tplSignInOpenID, &forms.SignInOpenIDForm{
+				Openid: id,
+			})
+			return
+		}
+		log.Error("signInOpenIDVerify: %v", err)
+	}
+	if u != nil {
+		log.Trace("User exists, logging in")
+		remember, _ := ctx.Session.Get("openid_signin_remember").(bool)
+		log.Trace("Session stored openid-remember: %t", remember)
+		handleSignIn(ctx, u, remember)
+		return
+	}
+
+	log.Trace("User with openid: %s does not exist, should connect or register", id)
+
+	parsedURL, err := url.Parse(fullURL)
+	if err != nil {
+		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &forms.SignInOpenIDForm{
+			Openid: id,
+		})
+		return
+	}
+	values, err := url.ParseQuery(parsedURL.RawQuery)
+	if err != nil {
+		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &forms.SignInOpenIDForm{
+			Openid: id,
+		})
+		return
+	}
+	email := values.Get("openid.sreg.email")
+	nickname := values.Get("openid.sreg.nickname")
+
+	log.Trace("User has email=%s and nickname=%s", email, nickname)
+
+	if email != "" {
+		u, err = user_model.GetUserByEmail(email)
+		if err != nil {
+			if !user_model.IsErrUserNotExist(err) {
+				ctx.RenderWithErr(err.Error(), tplSignInOpenID, &forms.SignInOpenIDForm{
+					Openid: id,
+				})
+				return
+			}
+			log.Error("signInOpenIDVerify: %v", err)
+		}
+		if u != nil {
+			log.Trace("Local user %s has OpenID provided email %s", u.LowerName, email)
+		}
+	}
+
+	if u == nil && nickname != "" {
+		u, _ = user_model.GetUserByName(nickname)
+		if err != nil {
+			if !user_model.IsErrUserNotExist(err) {
+				ctx.RenderWithErr(err.Error(), tplSignInOpenID, &forms.SignInOpenIDForm{
+					Openid: id,
+				})
+				return
+			}
+		}
+		if u != nil {
+			log.Trace("Local user %s has OpenID provided nickname %s", u.LowerName, nickname)
+		}
+	}
+
+	if _, err := session.RegenerateSession(ctx.Resp, ctx.Req); err != nil {
+		ctx.ServerError("RegenerateSession", err)
+		return
+	}
+
+	if err := ctx.Session.Set("openid_verified_uri", id); err != nil {
+		log.Error("signInOpenIDVerify: Could not set openid_verified_uri in session: %v", err)
+	}
+	if err := ctx.Session.Set("openid_determined_email", email); err != nil {
+		log.Error("signInOpenIDVerify: Could not set openid_determined_email in session: %v", err)
+	}
+
+	if u != nil {
+		nickname = u.LowerName
+	}
+
+	if err := ctx.Session.Set("openid_determined_username", nickname); err != nil {
+		log.Error("signInOpenIDVerify: Could not set openid_determined_username in session: %v", err)
+	}
+	if err := ctx.Session.Release(); err != nil {
+		log.Error("signInOpenIDVerify: Unable to save changes to the session: %v", err)
+	}
+
+	if u != nil || !setting.Service.EnableOpenIDSignUp || setting.Service.AllowOnlyInternalRegistration {
+		ctx.Redirect(setting.AppSubURL + "/user/openid/connect")
+	} else {
+		ctx.Redirect(setting.AppSubURL + "/user/openid/register")
+	}
+}
+
+// ConnectOpenID shows a form to connect an OpenID URI to an existing account
+func ConnectOpenID(ctx *context.Context) {
+	oid, _ := ctx.Session.Get("openid_verified_uri").(string)
+	if oid == "" {
+		ctx.Redirect(setting.AppSubURL + "/user/login/openid")
+		return
+	}
+	ctx.Data["Title"] = "OpenID connect"
+	ctx.Data["PageIsSignIn"] = true
+	ctx.Data["PageIsOpenIDConnect"] = true
+	ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp
+	ctx.Data["AllowOnlyInternalRegistration"] = setting.Service.AllowOnlyInternalRegistration
+	ctx.Data["OpenID"] = oid
+	userName, _ := ctx.Session.Get("openid_determined_username").(string)
+	if userName != "" {
+		ctx.Data["user_name"] = userName
+	}
+	ctx.HTML(http.StatusOK, tplConnectOID)
+}
+
+// ConnectOpenIDPost handles submission of a form to connect an OpenID URI to an existing account
+func ConnectOpenIDPost(ctx *context.Context) {
+	form := web.GetForm(ctx).(*forms.ConnectOpenIDForm)
+	oid, _ := ctx.Session.Get("openid_verified_uri").(string)
+	if oid == "" {
+		ctx.Redirect(setting.AppSubURL + "/user/login/openid")
+		return
+	}
+	ctx.Data["Title"] = "OpenID connect"
+	ctx.Data["PageIsSignIn"] = true
+	ctx.Data["PageIsOpenIDConnect"] = true
+	ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp
+	ctx.Data["OpenID"] = oid
+
+	u, _, err := auth.UserSignIn(form.UserName, form.Password)
+	if err != nil {
+		if user_model.IsErrUserNotExist(err) {
+			ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplConnectOID, &form)
+		} else {
+			ctx.ServerError("ConnectOpenIDPost", err)
+		}
+		return
+	}
+
+	// add OpenID for the user
+	userOID := &user_model.UserOpenID{UID: u.ID, URI: oid}
+	if err = user_model.AddUserOpenID(userOID); err != nil {
+		if user_model.IsErrOpenIDAlreadyUsed(err) {
+			ctx.RenderWithErr(ctx.Tr("form.openid_been_used", oid), tplConnectOID, &form)
+			return
+		}
+		ctx.ServerError("AddUserOpenID", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("settings.add_openid_success"))
+
+	remember, _ := ctx.Session.Get("openid_signin_remember").(bool)
+	log.Trace("Session stored openid-remember: %t", remember)
+	handleSignIn(ctx, u, remember)
+}
+
+// RegisterOpenID shows a form to create a new user authenticated via an OpenID URI
+func RegisterOpenID(ctx *context.Context) {
+	oid, _ := ctx.Session.Get("openid_verified_uri").(string)
+	if oid == "" {
+		ctx.Redirect(setting.AppSubURL + "/user/login/openid")
+		return
+	}
+	ctx.Data["Title"] = "OpenID signup"
+	ctx.Data["PageIsSignIn"] = true
+	ctx.Data["PageIsOpenIDRegister"] = true
+	ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp
+	ctx.Data["AllowOnlyInternalRegistration"] = setting.Service.AllowOnlyInternalRegistration
+	ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
+	ctx.Data["Captcha"] = context.GetImageCaptcha()
+	ctx.Data["CaptchaType"] = setting.Service.CaptchaType
+	ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
+	ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
+	ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL
+	ctx.Data["OpenID"] = oid
+	userName, _ := ctx.Session.Get("openid_determined_username").(string)
+	if userName != "" {
+		ctx.Data["user_name"] = userName
+	}
+	email, _ := ctx.Session.Get("openid_determined_email").(string)
+	if email != "" {
+		ctx.Data["email"] = email
+	}
+	ctx.HTML(http.StatusOK, tplSignUpOID)
+}
+
+// RegisterOpenIDPost handles submission of a form to create a new user authenticated via an OpenID URI
+func RegisterOpenIDPost(ctx *context.Context) {
+	form := web.GetForm(ctx).(*forms.SignUpOpenIDForm)
+	oid, _ := ctx.Session.Get("openid_verified_uri").(string)
+	if oid == "" {
+		ctx.Redirect(setting.AppSubURL + "/user/login/openid")
+		return
+	}
+
+	ctx.Data["Title"] = "OpenID signup"
+	ctx.Data["PageIsSignIn"] = true
+	ctx.Data["PageIsOpenIDRegister"] = true
+	ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp
+	ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha
+	ctx.Data["RecaptchaURL"] = setting.Service.RecaptchaURL
+	ctx.Data["Captcha"] = context.GetImageCaptcha()
+	ctx.Data["CaptchaType"] = setting.Service.CaptchaType
+	ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey
+	ctx.Data["HcaptchaSitekey"] = setting.Service.HcaptchaSitekey
+	ctx.Data["OpenID"] = oid
+
+	if setting.Service.AllowOnlyInternalRegistration {
+		ctx.Error(http.StatusForbidden)
+		return
+	}
+
+	if setting.Service.EnableCaptcha {
+		var valid bool
+		var err error
+		switch setting.Service.CaptchaType {
+		case setting.ImageCaptcha:
+			valid = context.GetImageCaptcha().VerifyReq(ctx.Req)
+		case setting.ReCaptcha:
+			if err := ctx.Req.ParseForm(); err != nil {
+				ctx.ServerError("", err)
+				return
+			}
+			valid, err = recaptcha.Verify(ctx, form.GRecaptchaResponse)
+		case setting.HCaptcha:
+			if err := ctx.Req.ParseForm(); err != nil {
+				ctx.ServerError("", err)
+				return
+			}
+			valid, err = hcaptcha.Verify(ctx, form.HcaptchaResponse)
+		default:
+			ctx.ServerError("Unknown Captcha Type", fmt.Errorf("Unknown Captcha Type: %s", setting.Service.CaptchaType))
+			return
+		}
+		if err != nil {
+			log.Debug("%s", err.Error())
+		}
+
+		if !valid {
+			ctx.Data["Err_Captcha"] = true
+			ctx.RenderWithErr(ctx.Tr("form.captcha_incorrect"), tplSignUpOID, &form)
+			return
+		}
+	}
+
+	length := setting.MinPasswordLength
+	if length < 256 {
+		length = 256
+	}
+	password, err := util.RandomString(int64(length))
+	if err != nil {
+		ctx.RenderWithErr(err.Error(), tplSignUpOID, form)
+		return
+	}
+
+	u := &user_model.User{
+		Name:     form.UserName,
+		Email:    form.Email,
+		Passwd:   password,
+		IsActive: !(setting.Service.RegisterEmailConfirm || setting.Service.RegisterManualConfirm),
+	}
+	if !createUserInContext(ctx, tplSignUpOID, form, u, nil, false) {
+		// error already handled
+		return
+	}
+
+	// add OpenID for the user
+	userOID := &user_model.UserOpenID{UID: u.ID, URI: oid}
+	if err = user_model.AddUserOpenID(userOID); err != nil {
+		if user_model.IsErrOpenIDAlreadyUsed(err) {
+			ctx.RenderWithErr(ctx.Tr("form.openid_been_used", oid), tplSignUpOID, &form)
+			return
+		}
+		ctx.ServerError("AddUserOpenID", err)
+		return
+	}
+
+	if !handleUserCreated(ctx, u, nil) {
+		// error already handled
+		return
+	}
+
+	remember, _ := ctx.Session.Get("openid_signin_remember").(bool)
+	log.Trace("Session stored openid-remember: %t", remember)
+	handleSignIn(ctx, u, remember)
+}
diff --git a/routers/web/auth/password.go b/routers/web/auth/password.go
new file mode 100644
index 0000000000..65d5c55976
--- /dev/null
+++ b/routers/web/auth/password.go
@@ -0,0 +1,346 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package auth
+
+import (
+	"errors"
+	"net/http"
+
+	"code.gitea.io/gitea/models/auth"
+	"code.gitea.io/gitea/models/db"
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/base"
+	"code.gitea.io/gitea/modules/context"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/password"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/timeutil"
+	"code.gitea.io/gitea/modules/web"
+	"code.gitea.io/gitea/modules/web/middleware"
+	"code.gitea.io/gitea/routers/utils"
+	"code.gitea.io/gitea/services/forms"
+	"code.gitea.io/gitea/services/mailer"
+)
+
+var (
+	// tplMustChangePassword template for updating a user's password
+	tplMustChangePassword base.TplName = "user/auth/change_passwd"
+	tplForgotPassword     base.TplName = "user/auth/forgot_passwd"
+	tplResetPassword      base.TplName = "user/auth/reset_passwd"
+)
+
+// ForgotPasswd render the forget password page
+func ForgotPasswd(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("auth.forgot_password_title")
+
+	if setting.MailService == nil {
+		log.Warn(ctx.Tr("auth.disable_forgot_password_mail_admin"))
+		ctx.Data["IsResetDisable"] = true
+		ctx.HTML(http.StatusOK, tplForgotPassword)
+		return
+	}
+
+	ctx.Data["Email"] = ctx.FormString("email")
+
+	ctx.Data["IsResetRequest"] = true
+	ctx.HTML(http.StatusOK, tplForgotPassword)
+}
+
+// ForgotPasswdPost response for forget password request
+func ForgotPasswdPost(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("auth.forgot_password_title")
+
+	if setting.MailService == nil {
+		ctx.NotFound("ForgotPasswdPost", nil)
+		return
+	}
+	ctx.Data["IsResetRequest"] = true
+
+	email := ctx.FormString("email")
+	ctx.Data["Email"] = email
+
+	u, err := user_model.GetUserByEmail(email)
+	if err != nil {
+		if user_model.IsErrUserNotExist(err) {
+			ctx.Data["ResetPwdCodeLives"] = timeutil.MinutesToFriendly(setting.Service.ResetPwdCodeLives, ctx.Locale.Language())
+			ctx.Data["IsResetSent"] = true
+			ctx.HTML(http.StatusOK, tplForgotPassword)
+			return
+		}
+
+		ctx.ServerError("user.ResetPasswd(check existence)", err)
+		return
+	}
+
+	if !u.IsLocal() && !u.IsOAuth2() {
+		ctx.Data["Err_Email"] = true
+		ctx.RenderWithErr(ctx.Tr("auth.non_local_account"), tplForgotPassword, nil)
+		return
+	}
+
+	if ctx.Cache.IsExist("MailResendLimit_" + u.LowerName) {
+		ctx.Data["ResendLimited"] = true
+		ctx.HTML(http.StatusOK, tplForgotPassword)
+		return
+	}
+
+	mailer.SendResetPasswordMail(u)
+
+	if err = ctx.Cache.Put("MailResendLimit_"+u.LowerName, u.LowerName, 180); err != nil {
+		log.Error("Set cache(MailResendLimit) fail: %v", err)
+	}
+
+	ctx.Data["ResetPwdCodeLives"] = timeutil.MinutesToFriendly(setting.Service.ResetPwdCodeLives, ctx.Locale.Language())
+	ctx.Data["IsResetSent"] = true
+	ctx.HTML(http.StatusOK, tplForgotPassword)
+}
+
+func commonResetPassword(ctx *context.Context) (*user_model.User, *auth.TwoFactor) {
+	code := ctx.FormString("code")
+
+	ctx.Data["Title"] = ctx.Tr("auth.reset_password")
+	ctx.Data["Code"] = code
+
+	if nil != ctx.User {
+		ctx.Data["user_signed_in"] = true
+	}
+
+	if len(code) == 0 {
+		ctx.Flash.Error(ctx.Tr("auth.invalid_code"))
+		return nil, nil
+	}
+
+	// Fail early, don't frustrate the user
+	u := user_model.VerifyUserActiveCode(code)
+	if u == nil {
+		ctx.Flash.Error(ctx.Tr("auth.invalid_code"))
+		return nil, nil
+	}
+
+	twofa, err := auth.GetTwoFactorByUID(u.ID)
+	if err != nil {
+		if !auth.IsErrTwoFactorNotEnrolled(err) {
+			ctx.Error(http.StatusInternalServerError, "CommonResetPassword", err.Error())
+			return nil, nil
+		}
+	} else {
+		ctx.Data["has_two_factor"] = true
+		ctx.Data["scratch_code"] = ctx.FormBool("scratch_code")
+	}
+
+	// Show the user that they are affecting the account that they intended to
+	ctx.Data["user_email"] = u.Email
+
+	if nil != ctx.User && u.ID != ctx.User.ID {
+		ctx.Flash.Error(ctx.Tr("auth.reset_password_wrong_user", ctx.User.Email, u.Email))
+		return nil, nil
+	}
+
+	return u, twofa
+}
+
+// ResetPasswd render the account recovery page
+func ResetPasswd(ctx *context.Context) {
+	ctx.Data["IsResetForm"] = true
+
+	commonResetPassword(ctx)
+	if ctx.Written() {
+		return
+	}
+
+	ctx.HTML(http.StatusOK, tplResetPassword)
+}
+
+// ResetPasswdPost response from account recovery request
+func ResetPasswdPost(ctx *context.Context) {
+	u, twofa := commonResetPassword(ctx)
+	if ctx.Written() {
+		return
+	}
+
+	if u == nil {
+		// Flash error has been set
+		ctx.HTML(http.StatusOK, tplResetPassword)
+		return
+	}
+
+	// Validate password length.
+	passwd := ctx.FormString("password")
+	if len(passwd) < setting.MinPasswordLength {
+		ctx.Data["IsResetForm"] = true
+		ctx.Data["Err_Password"] = true
+		ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplResetPassword, nil)
+		return
+	} else if !password.IsComplexEnough(passwd) {
+		ctx.Data["IsResetForm"] = true
+		ctx.Data["Err_Password"] = true
+		ctx.RenderWithErr(password.BuildComplexityError(ctx), tplResetPassword, nil)
+		return
+	} else if pwned, err := password.IsPwned(ctx, passwd); pwned || err != nil {
+		errMsg := ctx.Tr("auth.password_pwned")
+		if err != nil {
+			log.Error(err.Error())
+			errMsg = ctx.Tr("auth.password_pwned_err")
+		}
+		ctx.Data["IsResetForm"] = true
+		ctx.Data["Err_Password"] = true
+		ctx.RenderWithErr(errMsg, tplResetPassword, nil)
+		return
+	}
+
+	// Handle two-factor
+	regenerateScratchToken := false
+	if twofa != nil {
+		if ctx.FormBool("scratch_code") {
+			if !twofa.VerifyScratchToken(ctx.FormString("token")) {
+				ctx.Data["IsResetForm"] = true
+				ctx.Data["Err_Token"] = true
+				ctx.RenderWithErr(ctx.Tr("auth.twofa_scratch_token_incorrect"), tplResetPassword, nil)
+				return
+			}
+			regenerateScratchToken = true
+		} else {
+			passcode := ctx.FormString("passcode")
+			ok, err := twofa.ValidateTOTP(passcode)
+			if err != nil {
+				ctx.Error(http.StatusInternalServerError, "ValidateTOTP", err.Error())
+				return
+			}
+			if !ok || twofa.LastUsedPasscode == passcode {
+				ctx.Data["IsResetForm"] = true
+				ctx.Data["Err_Passcode"] = true
+				ctx.RenderWithErr(ctx.Tr("auth.twofa_passcode_incorrect"), tplResetPassword, nil)
+				return
+			}
+
+			twofa.LastUsedPasscode = passcode
+			if err = auth.UpdateTwoFactor(twofa); err != nil {
+				ctx.ServerError("ResetPasswdPost: UpdateTwoFactor", err)
+				return
+			}
+		}
+	}
+	var err error
+	if u.Rands, err = user_model.GetUserSalt(); err != nil {
+		ctx.ServerError("UpdateUser", err)
+		return
+	}
+	if err = u.SetPassword(passwd); err != nil {
+		ctx.ServerError("UpdateUser", err)
+		return
+	}
+	u.MustChangePassword = false
+	if err := user_model.UpdateUserCols(db.DefaultContext, u, "must_change_password", "passwd", "passwd_hash_algo", "rands", "salt"); err != nil {
+		ctx.ServerError("UpdateUser", err)
+		return
+	}
+
+	log.Trace("User password reset: %s", u.Name)
+	ctx.Data["IsResetFailed"] = true
+	remember := len(ctx.FormString("remember")) != 0
+
+	if regenerateScratchToken {
+		// Invalidate the scratch token.
+		_, err = twofa.GenerateScratchToken()
+		if err != nil {
+			ctx.ServerError("UserSignIn", err)
+			return
+		}
+		if err = auth.UpdateTwoFactor(twofa); err != nil {
+			ctx.ServerError("UserSignIn", err)
+			return
+		}
+
+		handleSignInFull(ctx, u, remember, false)
+		if ctx.Written() {
+			return
+		}
+		ctx.Flash.Info(ctx.Tr("auth.twofa_scratch_used"))
+		ctx.Redirect(setting.AppSubURL + "/user/settings/security")
+		return
+	}
+
+	handleSignIn(ctx, u, remember)
+}
+
+// MustChangePassword renders the page to change a user's password
+func MustChangePassword(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
+	ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/settings/change_password"
+	ctx.Data["MustChangePassword"] = true
+	ctx.HTML(http.StatusOK, tplMustChangePassword)
+}
+
+// MustChangePasswordPost response for updating a user's password after his/her
+// account was created by an admin
+func MustChangePasswordPost(ctx *context.Context) {
+	form := web.GetForm(ctx).(*forms.MustChangePasswordForm)
+	ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
+	ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/settings/change_password"
+	if ctx.HasError() {
+		ctx.HTML(http.StatusOK, tplMustChangePassword)
+		return
+	}
+	u := ctx.User
+	// Make sure only requests for users who are eligible to change their password via
+	// this method passes through
+	if !u.MustChangePassword {
+		ctx.ServerError("MustUpdatePassword", errors.New("cannot update password.. Please visit the settings page"))
+		return
+	}
+
+	if form.Password != form.Retype {
+		ctx.Data["Err_Password"] = true
+		ctx.RenderWithErr(ctx.Tr("form.password_not_match"), tplMustChangePassword, &form)
+		return
+	}
+
+	if len(form.Password) < setting.MinPasswordLength {
+		ctx.Data["Err_Password"] = true
+		ctx.RenderWithErr(ctx.Tr("auth.password_too_short", setting.MinPasswordLength), tplMustChangePassword, &form)
+		return
+	}
+
+	if !password.IsComplexEnough(form.Password) {
+		ctx.Data["Err_Password"] = true
+		ctx.RenderWithErr(password.BuildComplexityError(ctx), tplMustChangePassword, &form)
+		return
+	}
+	pwned, err := password.IsPwned(ctx, form.Password)
+	if pwned {
+		ctx.Data["Err_Password"] = true
+		errMsg := ctx.Tr("auth.password_pwned")
+		if err != nil {
+			log.Error(err.Error())
+			errMsg = ctx.Tr("auth.password_pwned_err")
+		}
+		ctx.RenderWithErr(errMsg, tplMustChangePassword, &form)
+		return
+	}
+
+	if err = u.SetPassword(form.Password); err != nil {
+		ctx.ServerError("UpdateUser", err)
+		return
+	}
+
+	u.MustChangePassword = false
+
+	if err := user_model.UpdateUserCols(db.DefaultContext, u, "must_change_password", "passwd", "passwd_hash_algo", "salt"); err != nil {
+		ctx.ServerError("UpdateUser", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("settings.change_password_success"))
+
+	log.Trace("User updated password: %s", u.Name)
+
+	if redirectTo := ctx.GetCookie("redirect_to"); len(redirectTo) > 0 && !utils.IsExternalURL(redirectTo) {
+		middleware.DeleteRedirectToCookie(ctx.Resp)
+		ctx.RedirectToFirst(redirectTo)
+		return
+	}
+
+	ctx.Redirect(setting.AppSubURL + "/")
+}
diff --git a/routers/web/auth/u2f.go b/routers/web/auth/u2f.go
new file mode 100644
index 0000000000..915671cd1e
--- /dev/null
+++ b/routers/web/auth/u2f.go
@@ -0,0 +1,136 @@
+// Copyright 2017 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package auth
+
+import (
+	"errors"
+	"net/http"
+
+	"code.gitea.io/gitea/models/auth"
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/base"
+	"code.gitea.io/gitea/modules/context"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/web"
+	"code.gitea.io/gitea/services/externalaccount"
+
+	"github.com/tstranex/u2f"
+)
+
+var tplU2F base.TplName = "user/auth/u2f"
+
+// U2F shows the U2F login page
+func U2F(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("twofa")
+	ctx.Data["RequireU2F"] = true
+	// Check auto-login.
+	if checkAutoLogin(ctx) {
+		return
+	}
+
+	// Ensure user is in a 2FA session.
+	if ctx.Session.Get("twofaUid") == nil {
+		ctx.ServerError("UserSignIn", errors.New("not in U2F session"))
+		return
+	}
+
+	// See whether TOTP is also available.
+	if ctx.Session.Get("totpEnrolled") != nil {
+		ctx.Data["TOTPEnrolled"] = true
+	}
+
+	ctx.HTML(http.StatusOK, tplU2F)
+}
+
+// U2FChallenge submits a sign challenge to the browser
+func U2FChallenge(ctx *context.Context) {
+	// Ensure user is in a U2F session.
+	idSess := ctx.Session.Get("twofaUid")
+	if idSess == nil {
+		ctx.ServerError("UserSignIn", errors.New("not in U2F session"))
+		return
+	}
+	id := idSess.(int64)
+	regs, err := auth.GetU2FRegistrationsByUID(id)
+	if err != nil {
+		ctx.ServerError("UserSignIn", err)
+		return
+	}
+	if len(regs) == 0 {
+		ctx.ServerError("UserSignIn", errors.New("no device registered"))
+		return
+	}
+	challenge, err := u2f.NewChallenge(setting.U2F.AppID, setting.U2F.TrustedFacets)
+	if err != nil {
+		ctx.ServerError("u2f.NewChallenge", err)
+		return
+	}
+	if err := ctx.Session.Set("u2fChallenge", challenge); err != nil {
+		ctx.ServerError("UserSignIn: unable to set u2fChallenge in session", err)
+		return
+	}
+	if err := ctx.Session.Release(); err != nil {
+		ctx.ServerError("UserSignIn: unable to store session", err)
+	}
+
+	ctx.JSON(http.StatusOK, challenge.SignRequest(regs.ToRegistrations()))
+}
+
+// U2FSign authenticates the user by signResp
+func U2FSign(ctx *context.Context) {
+	signResp := web.GetForm(ctx).(*u2f.SignResponse)
+	challSess := ctx.Session.Get("u2fChallenge")
+	idSess := ctx.Session.Get("twofaUid")
+	if challSess == nil || idSess == nil {
+		ctx.ServerError("UserSignIn", errors.New("not in U2F session"))
+		return
+	}
+	challenge := challSess.(*u2f.Challenge)
+	id := idSess.(int64)
+	regs, err := auth.GetU2FRegistrationsByUID(id)
+	if err != nil {
+		ctx.ServerError("UserSignIn", err)
+		return
+	}
+	for _, reg := range regs {
+		r, err := reg.Parse()
+		if err != nil {
+			log.Error("parsing u2f registration: %v", err)
+			continue
+		}
+		newCounter, authErr := r.Authenticate(*signResp, *challenge, reg.Counter)
+		if authErr == nil {
+			reg.Counter = newCounter
+			user, err := user_model.GetUserByID(id)
+			if err != nil {
+				ctx.ServerError("UserSignIn", err)
+				return
+			}
+			remember := ctx.Session.Get("twofaRemember").(bool)
+			if err := reg.UpdateCounter(); err != nil {
+				ctx.ServerError("UserSignIn", err)
+				return
+			}
+
+			if ctx.Session.Get("linkAccount") != nil {
+				if err := externalaccount.LinkAccountFromStore(ctx.Session, user); err != nil {
+					ctx.ServerError("UserSignIn", err)
+					return
+				}
+			}
+			redirect := handleSignInFull(ctx, user, remember, false)
+			if ctx.Written() {
+				return
+			}
+			if redirect == "" {
+				redirect = setting.AppSubURL + "/"
+			}
+			ctx.PlainText(http.StatusOK, redirect)
+			return
+		}
+	}
+	ctx.Error(http.StatusUnauthorized)
+}