9 files changed, 857 insertions, 208 deletions
diff --git a/modules/auth/auth.go b/modules/auth/auth.go
index 1ba149f0f8..16ea9f15e3 100644
--- a/modules/auth/auth.go
+++ b/modules/auth/auth.go
@@ -8,19 +8,14 @@ package auth
 import (
 	"reflect"
 	"strings"
-	"time"
 
 	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/modules/base"
-	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/setting"
-	"code.gitea.io/gitea/modules/timeutil"
+	"code.gitea.io/gitea/modules/auth/sso"
 	"code.gitea.io/gitea/modules/validation"
 
 	"gitea.com/macaron/binding"
 	"gitea.com/macaron/macaron"
 	"gitea.com/macaron/session"
-	gouuid "github.com/satori/go.uuid"
 	"github.com/unknwon/com"
 )
 
@@ -29,92 +24,6 @@ func IsAPIPath(url string) bool {
 	return strings.HasPrefix(url, "/api/")
 }
 
-// IsAttachmentDownload check if request is a file download (GET) with URL to an attachment
-func IsAttachmentDownload(ctx *macaron.Context) bool {
-	return strings.HasPrefix(ctx.Req.URL.Path, "/attachments/") && ctx.Req.Method == "GET"
-}
-
-// SignedInID returns the id of signed in user.
-func SignedInID(ctx *macaron.Context, sess session.Store) int64 {
-	if !models.HasEngine {
-		return 0
-	}
-
-	// Check access token.
-	if IsAPIPath(ctx.Req.URL.Path) || IsAttachmentDownload(ctx) {
-		tokenSHA := ctx.Query("token")
-		if len(tokenSHA) == 0 {
-			tokenSHA = ctx.Query("access_token")
-		}
-		if len(tokenSHA) == 0 {
-			// Well, check with header again.
-			auHead := ctx.Req.Header.Get("Authorization")
-			if len(auHead) > 0 {
-				auths := strings.Fields(auHead)
-				if len(auths) == 2 && (auths[0] == "token" || strings.ToLower(auths[0]) == "bearer") {
-					tokenSHA = auths[1]
-				}
-			}
-		}
-
-		// Let's see if token is valid.
-		if len(tokenSHA) > 0 {
-			if strings.Contains(tokenSHA, ".") {
-				uid := CheckOAuthAccessToken(tokenSHA)
-				if uid != 0 {
-					ctx.Data["IsApiToken"] = true
-				}
-				return uid
-			}
-			t, err := models.GetAccessTokenBySHA(tokenSHA)
-			if err != nil {
-				if models.IsErrAccessTokenNotExist(err) || models.IsErrAccessTokenEmpty(err) {
-					log.Error("GetAccessTokenBySHA: %v", err)
-				}
-				return 0
-			}
-			t.UpdatedUnix = timeutil.TimeStampNow()
-			if err = models.UpdateAccessToken(t); err != nil {
-				log.Error("UpdateAccessToken: %v", err)
-			}
-			ctx.Data["IsApiToken"] = true
-			return t.UID
-		}
-	}
-
-	uid := sess.Get("uid")
-	if uid == nil {
-		return 0
-	} else if id, ok := uid.(int64); ok {
-		return id
-	}
-	return 0
-}
-
-// CheckOAuthAccessToken returns uid of user from oauth token token
-func CheckOAuthAccessToken(accessToken string) int64 {
-	// JWT tokens require a "."
-	if !strings.Contains(accessToken, ".") {
-		return 0
-	}
-	token, err := models.ParseOAuth2Token(accessToken)
-	if err != nil {
-		log.Trace("ParseOAuth2Token: %v", err)
-		return 0
-	}
-	var grant *models.OAuth2Grant
-	if grant, err = models.GetOAuth2GrantByID(token.GrantID); err != nil || grant == nil {
-		return 0
-	}
-	if token.Type != models.TypeAccessToken {
-		return 0
-	}
-	if token.ExpiresAt < time.Now().Unix() || token.IssuedAt > time.Now().Unix() {
-		return 0
-	}
-	return grant.UserID
-}
-
 // SignedInUser returns the user object of signed user.
 // It returns a bool value to indicate whether user uses basic auth or not.
 func SignedInUser(ctx *macaron.Context, sess session.Store) (*models.User, bool) {
@@ -122,125 +31,18 @@ func SignedInUser(ctx *macaron.Context, sess session.Store) (*models.User, bool)
 		return nil, false
 	}
 
-	if uid := SignedInID(ctx, sess); uid > 0 {
-		user, err := models.GetUserByID(uid)
-		if err == nil {
-			return user, false
-		} else if !models.IsErrUserNotExist(err) {
-			log.Error("GetUserById: %v", err)
+	// Try to sign in with each of the enabled plugins
+	for _, ssoMethod := range sso.Methods() {
+		if !ssoMethod.IsEnabled() {
+			continue
 		}
-	}
-
-	if setting.Service.EnableReverseProxyAuth {
-		webAuthUser := ctx.Req.Header.Get(setting.ReverseProxyAuthUser)
-		if len(webAuthUser) > 0 {
-			u, err := models.GetUserByName(webAuthUser)
-			if err != nil {
-				if !models.IsErrUserNotExist(err) {
-					log.Error("GetUserByName: %v", err)
-					return nil, false
-				}
-
-				// Check if enabled auto-registration.
-				if setting.Service.EnableReverseProxyAutoRegister {
-					email := gouuid.NewV4().String() + "@localhost"
-					if setting.Service.EnableReverseProxyEmail {
-						webAuthEmail := ctx.Req.Header.Get(setting.ReverseProxyAuthEmail)
-						if len(webAuthEmail) > 0 {
-							email = webAuthEmail
-						}
-					}
-					u := &models.User{
-						Name:     webAuthUser,
-						Email:    email,
-						Passwd:   webAuthUser,
-						IsActive: true,
-					}
-					if err = models.CreateUser(u); err != nil {
-						// FIXME: should I create a system notice?
-						log.Error("CreateUser: %v", err)
-						return nil, false
-					}
-					return u, false
-				}
-			}
-			return u, false
+		user := ssoMethod.VerifyAuthData(ctx, sess)
+		if user != nil {
+			_, isBasic := ssoMethod.(*sso.Basic)
+			return user, isBasic
 		}
 	}
 
-	// Check with basic auth.
-	baHead := ctx.Req.Header.Get("Authorization")
-	if len(baHead) > 0 {
-		auths := strings.Fields(baHead)
-		if len(auths) == 2 && auths[0] == "Basic" {
-			var u *models.User
-
-			uname, passwd, _ := base.BasicAuthDecode(auths[1])
-
-			// Check if username or password is a token
-			isUsernameToken := len(passwd) == 0 || passwd == "x-oauth-basic"
-			// Assume username is token
-			authToken := uname
-			if !isUsernameToken {
-				// Assume password is token
-				authToken = passwd
-			}
-
-			uid := CheckOAuthAccessToken(authToken)
-			if uid != 0 {
-				var err error
-				ctx.Data["IsApiToken"] = true
-
-				u, err = models.GetUserByID(uid)
-				if err != nil {
-					log.Error("GetUserByID:  %v", err)
-					return nil, false
-				}
-			}
-			token, err := models.GetAccessTokenBySHA(authToken)
-			if err == nil {
-				if isUsernameToken {
-					u, err = models.GetUserByID(token.UID)
-					if err != nil {
-						log.Error("GetUserByID:  %v", err)
-						return nil, false
-					}
-				} else {
-					u, err = models.GetUserByName(uname)
-					if err != nil {
-						log.Error("GetUserByID:  %v", err)
-						return nil, false
-					}
-					if u.ID != token.UID {
-						return nil, false
-					}
-				}
-				token.UpdatedUnix = timeutil.TimeStampNow()
-				if err = models.UpdateAccessToken(token); err != nil {
-					log.Error("UpdateAccessToken:  %v", err)
-				}
-			} else if !models.IsErrAccessTokenNotExist(err) && !models.IsErrAccessTokenEmpty(err) {
-				log.Error("GetAccessTokenBySha: %v", err)
-			}
-
-			if u == nil {
-				if !setting.Service.EnableBasicAuth {
-					return nil, false
-				}
-				u, err = models.UserSignIn(uname, passwd)
-				if err != nil {
-					if !models.IsErrUserNotExist(err) {
-						log.Error("UserSignIn: %v", err)
-					}
-					return nil, false
-				}
-			} else {
-				ctx.Data["IsApiToken"] = true
-			}
-
-			return u, true
-		}
-	}
 	return nil, false
 }
 
diff --git a/modules/auth/auth_form.go b/modules/auth/auth_form.go
index 358472a385..c838590c1f 100644
--- a/modules/auth/auth_form.go
+++ b/modules/auth/auth_form.go
@@ -12,7 +12,7 @@ import (
 // AuthenticationForm form for authentication
 type AuthenticationForm struct {
 	ID                            int64
-	Type                          int    `binding:"Range(2,6)"`
+	Type                          int    `binding:"Range(2,7)"`
 	Name                          string `binding:"Required;MaxSize(30)"`
 	Host                          string
 	Port                          int
@@ -49,6 +49,11 @@ type AuthenticationForm struct {
 	Oauth2AuthURL                 string
 	Oauth2ProfileURL              string
 	Oauth2EmailURL                string
+	SSPIAutoCreateUsers           bool
+	SSPIAutoActivateUsers         bool
+	SSPIStripDomainNames          bool
+	SSPISeparatorReplacement      string `binding:"AlphaDashDot;MaxSize(5)"`
+	SSPIDefaultLanguage           string
 }
 
 // Validate validates fields
diff --git a/modules/auth/sso/basic.go b/modules/auth/sso/basic.go
new file mode 100644
index 0000000000..7f1841df71
--- /dev/null
+++ b/modules/auth/sso/basic.go
@@ -0,0 +1,125 @@
+// Copyright 2014 The Gogs Authors. All rights reserved.
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package sso
+
+import (
+	"strings"
+
+	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/modules/base"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/timeutil"
+
+	"gitea.com/macaron/macaron"
+	"gitea.com/macaron/session"
+)
+
+// Ensure the struct implements the interface.
+var (
+	_ SingleSignOn = &Basic{}
+)
+
+// Basic implements the SingleSignOn interface and authenticates requests (API requests
+// only) by looking for Basic authentication data or "x-oauth-basic" token in the "Authorization"
+// header.
+type Basic struct {
+}
+
+// Init does nothing as the Basic implementation does not need to allocate any resources
+func (b *Basic) Init() error {
+	return nil
+}
+
+// Free does nothing as the Basic implementation does not have to release any resources
+func (b *Basic) Free() error {
+	return nil
+}
+
+// IsEnabled returns true as this plugin is enabled by default and its not possible to disable
+// it from settings.
+func (b *Basic) IsEnabled() bool {
+	return setting.Service.EnableBasicAuth
+}
+
+// VerifyAuthData extracts and validates Basic data (username and password/token) from the
+// "Authorization" header of the request and returns the corresponding user object for that
+// name/token on successful validation.
+// Returns nil if header is empty or validation fails.
+func (b *Basic) VerifyAuthData(ctx *macaron.Context, sess session.Store) *models.User {
+	baHead := ctx.Req.Header.Get("Authorization")
+	if len(baHead) == 0 {
+		return nil
+	}
+
+	auths := strings.Fields(baHead)
+	if len(auths) != 2 || auths[0] != "Basic" {
+		return nil
+	}
+
+	var u *models.User
+	uname, passwd, _ := base.BasicAuthDecode(auths[1])
+
+	// Check if username or password is a token
+	isUsernameToken := len(passwd) == 0 || passwd == "x-oauth-basic"
+	// Assume username is token
+	authToken := uname
+	if !isUsernameToken {
+		// Assume password is token
+		authToken = passwd
+	}
+
+	uid := CheckOAuthAccessToken(authToken)
+	if uid != 0 {
+		var err error
+		ctx.Data["IsApiToken"] = true
+
+		u, err = models.GetUserByID(uid)
+		if err != nil {
+			log.Error("GetUserByID:  %v", err)
+			return nil
+		}
+	}
+	token, err := models.GetAccessTokenBySHA(authToken)
+	if err == nil {
+		if isUsernameToken {
+			u, err = models.GetUserByID(token.UID)
+			if err != nil {
+				log.Error("GetUserByID:  %v", err)
+				return nil
+			}
+		} else {
+			u, err = models.GetUserByName(uname)
+			if err != nil {
+				log.Error("GetUserByID:  %v", err)
+				return nil
+			}
+			if u.ID != token.UID {
+				return nil
+			}
+		}
+		token.UpdatedUnix = timeutil.TimeStampNow()
+		if err = models.UpdateAccessToken(token); err != nil {
+			log.Error("UpdateAccessToken:  %v", err)
+		}
+	} else if !models.IsErrAccessTokenNotExist(err) && !models.IsErrAccessTokenEmpty(err) {
+		log.Error("GetAccessTokenBySha: %v", err)
+	}
+
+	if u == nil {
+		u, err = models.UserSignIn(uname, passwd)
+		if err != nil {
+			if !models.IsErrUserNotExist(err) {
+				log.Error("UserSignIn: %v", err)
+			}
+			return nil
+		}
+	} else {
+		ctx.Data["IsApiToken"] = true
+	}
+
+	return u
+}
diff --git a/modules/auth/sso/interface.go b/modules/auth/sso/interface.go
new file mode 100644
index 0000000000..89cc227e79
--- /dev/null
+++ b/modules/auth/sso/interface.go
@@ -0,0 +1,33 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package sso
+
+import (
+	"code.gitea.io/gitea/models"
+
+	"gitea.com/macaron/macaron"
+	"gitea.com/macaron/session"
+)
+
+// SingleSignOn represents a SSO authentication method (plugin) for HTTP requests.
+type SingleSignOn interface {
+	// Init should be called exactly once before using any of the other methods,
+	// in order to allow the plugin to allocate necessary resources
+	Init() error
+
+	// Free should be called exactly once before application closes, in order to
+	// give chance to the plugin to free any allocated resources
+	Free() error
+
+	// IsEnabled checks if the current SSO method has been enabled in settings.
+	IsEnabled() bool
+
+	// VerifyAuthData tries to verify the SSO authentication data contained in the request.
+	// If verification is successful returns either an existing user object (with id > 0)
+	// or a new user object (with id = 0) populated with the information that was found
+	// in the authentication data (username or email).
+	// Returns nil if verification fails.
+	VerifyAuthData(ctx *macaron.Context, sess session.Store) *models.User
+}
diff --git a/modules/auth/sso/oauth2.go b/modules/auth/sso/oauth2.go
new file mode 100644
index 0000000000..e677490b80
--- /dev/null
+++ b/modules/auth/sso/oauth2.go
@@ -0,0 +1,142 @@
+// Copyright 2014 The Gogs Authors. All rights reserved.
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package sso
+
+import (
+	"strings"
+	"time"
+
+	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/timeutil"
+
+	"gitea.com/macaron/macaron"
+	"gitea.com/macaron/session"
+)
+
+// Ensure the struct implements the interface.
+var (
+	_ SingleSignOn = &OAuth2{}
+)
+
+// CheckOAuthAccessToken returns uid of user from oauth token
+func CheckOAuthAccessToken(accessToken string) int64 {
+	// JWT tokens require a "."
+	if !strings.Contains(accessToken, ".") {
+		return 0
+	}
+	token, err := models.ParseOAuth2Token(accessToken)
+	if err != nil {
+		log.Trace("ParseOAuth2Token: %v", err)
+		return 0
+	}
+	var grant *models.OAuth2Grant
+	if grant, err = models.GetOAuth2GrantByID(token.GrantID); err != nil || grant == nil {
+		return 0
+	}
+	if token.Type != models.TypeAccessToken {
+		return 0
+	}
+	if token.ExpiresAt < time.Now().Unix() || token.IssuedAt > time.Now().Unix() {
+		return 0
+	}
+	return grant.UserID
+}
+
+// OAuth2 implements the SingleSignOn interface and authenticates requests
+// (API requests only) by looking for an OAuth token in query parameters or the
+// "Authorization" header.
+type OAuth2 struct {
+}
+
+// Init does nothing as the OAuth2 implementation does not need to allocate any resources
+func (o *OAuth2) Init() error {
+	return nil
+}
+
+// Free does nothing as the OAuth2 implementation does not have to release any resources
+func (o *OAuth2) Free() error {
+	return nil
+}
+
+// userIDFromToken returns the user id corresponding to the OAuth token.
+func (o *OAuth2) userIDFromToken(ctx *macaron.Context) int64 {
+	// Check access token.
+	tokenSHA := ctx.Query("token")
+	if len(tokenSHA) == 0 {
+		tokenSHA = ctx.Query("access_token")
+	}
+	if len(tokenSHA) == 0 {
+		// Well, check with header again.
+		auHead := ctx.Req.Header.Get("Authorization")
+		if len(auHead) > 0 {
+			auths := strings.Fields(auHead)
+			if len(auths) == 2 && (auths[0] == "token" || strings.ToLower(auths[0]) == "bearer") {
+				tokenSHA = auths[1]
+			}
+		}
+	}
+	if len(tokenSHA) == 0 {
+		return 0
+	}
+
+	// Let's see if token is valid.
+	if strings.Contains(tokenSHA, ".") {
+		uid := CheckOAuthAccessToken(tokenSHA)
+		if uid != 0 {
+			ctx.Data["IsApiToken"] = true
+		}
+		return uid
+	}
+	t, err := models.GetAccessTokenBySHA(tokenSHA)
+	if err != nil {
+		if models.IsErrAccessTokenNotExist(err) || models.IsErrAccessTokenEmpty(err) {
+			log.Error("GetAccessTokenBySHA: %v", err)
+		}
+		return 0
+	}
+	t.UpdatedUnix = timeutil.TimeStampNow()
+	if err = models.UpdateAccessToken(t); err != nil {
+		log.Error("UpdateAccessToken: %v", err)
+	}
+	ctx.Data["IsApiToken"] = true
+	return t.UID
+}
+
+// IsEnabled returns true as this plugin is enabled by default and its not possible
+// to disable it from settings.
+func (o *OAuth2) IsEnabled() bool {
+	return true
+}
+
+// VerifyAuthData extracts the user ID from the OAuth token in the query parameters
+// or the "Authorization" header and returns the corresponding user object for that ID.
+// If verification is successful returns an existing user object.
+// Returns nil if verification fails.
+func (o *OAuth2) VerifyAuthData(ctx *macaron.Context, sess session.Store) *models.User {
+	if !models.HasEngine {
+		return nil
+	}
+
+	if !isAPIPath(ctx) && !isAttachmentDownload(ctx) {
+		return nil
+	}
+
+	id := o.userIDFromToken(ctx)
+	if id <= 0 {
+		return nil
+	}
+
+	user, err := models.GetUserByID(id)
+	if err != nil {
+		if !models.IsErrUserNotExist(err) {
+			log.Error("GetUserByName: %v", err)
+		}
+		return nil
+	}
+
+	return user
+}
diff --git a/modules/auth/sso/reverseproxy.go b/modules/auth/sso/reverseproxy.go
new file mode 100644
index 0000000000..feb5364518
--- /dev/null
+++ b/modules/auth/sso/reverseproxy.go
@@ -0,0 +1,115 @@
+// Copyright 2014 The Gogs Authors. All rights reserved.
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package sso
+
+import (
+	"strings"
+
+	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+
+	"gitea.com/macaron/macaron"
+	"gitea.com/macaron/session"
+	gouuid "github.com/satori/go.uuid"
+)
+
+// Ensure the struct implements the interface.
+var (
+	_ SingleSignOn = &ReverseProxy{}
+)
+
+// ReverseProxy implements the SingleSignOn interface, but actually relies on
+// a reverse proxy for authentication of users.
+// On successful authentication the proxy is expected to populate the username in the
+// "setting.ReverseProxyAuthUser" header. Optionally it can also populate the email of the
+// user in the "setting.ReverseProxyAuthEmail" header.
+type ReverseProxy struct {
+}
+
+// getUserName extracts the username from the "setting.ReverseProxyAuthUser" header
+func (r *ReverseProxy) getUserName(ctx *macaron.Context) string {
+	webAuthUser := strings.TrimSpace(ctx.Req.Header.Get(setting.ReverseProxyAuthUser))
+	if len(webAuthUser) == 0 {
+		return ""
+	}
+	return webAuthUser
+}
+
+// Init does nothing as the ReverseProxy implementation does not need initialization
+func (r *ReverseProxy) Init() error {
+	return nil
+}
+
+// Free does nothing as the ReverseProxy implementation does not have to release resources
+func (r *ReverseProxy) Free() error {
+	return nil
+}
+
+// IsEnabled checks if EnableReverseProxyAuth setting is true
+func (r *ReverseProxy) IsEnabled() bool {
+	return setting.Service.EnableReverseProxyAuth
+}
+
+// VerifyAuthData extracts the username from the "setting.ReverseProxyAuthUser" header
+// of the request and returns the corresponding user object for that name.
+// Verification of header data is not performed as it should have already been done by
+// the revese proxy.
+// If a username is available in the "setting.ReverseProxyAuthUser" header an existing
+// user object is returned (populated with username or email found in header).
+// Returns nil if header is empty.
+func (r *ReverseProxy) VerifyAuthData(ctx *macaron.Context, sess session.Store) *models.User {
+	username := r.getUserName(ctx)
+	if len(username) == 0 {
+		return nil
+	}
+
+	user, err := models.GetUserByName(username)
+	if err != nil {
+		if models.IsErrUserNotExist(err) && r.isAutoRegisterAllowed() {
+			return r.newUser(ctx)
+		}
+		log.Error("GetUserByName: %v", err)
+		return nil
+	}
+
+	return user
+}
+
+// isAutoRegisterAllowed checks if EnableReverseProxyAutoRegister setting is true
+func (r *ReverseProxy) isAutoRegisterAllowed() bool {
+	return setting.Service.EnableReverseProxyAutoRegister
+}
+
+// newUser creates a new user object for the purpose of automatic registration
+// and populates its name and email with the information present in request headers.
+func (r *ReverseProxy) newUser(ctx *macaron.Context) *models.User {
+	username := r.getUserName(ctx)
+	if len(username) == 0 {
+		return nil
+	}
+
+	email := gouuid.NewV4().String() + "@localhost"
+	if setting.Service.EnableReverseProxyEmail {
+		webAuthEmail := ctx.Req.Header.Get(setting.ReverseProxyAuthEmail)
+		if len(webAuthEmail) > 0 {
+			email = webAuthEmail
+		}
+	}
+
+	user := &models.User{
+		Name:     username,
+		Email:    email,
+		Passwd:   username,
+		IsActive: true,
+	}
+	if err := models.CreateUser(user); err != nil {
+		// FIXME: should I create a system notice?
+		log.Error("CreateUser: %v", err)
+		return nil
+	}
+	return user
+}
diff --git a/modules/auth/sso/session.go b/modules/auth/sso/session.go
new file mode 100644
index 0000000000..c9176b9c31
--- /dev/null
+++ b/modules/auth/sso/session.go
@@ -0,0 +1,49 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package sso
+
+import (
+	"code.gitea.io/gitea/models"
+
+	"gitea.com/macaron/macaron"
+	"gitea.com/macaron/session"
+)
+
+// Ensure the struct implements the interface.
+var (
+	_ SingleSignOn = &Session{}
+)
+
+// Session checks if there is a user uid stored in the session and returns the user
+// object for that uid.
+type Session struct {
+}
+
+// Init does nothing as the Session implementation does not need to allocate any resources
+func (s *Session) Init() error {
+	return nil
+}
+
+// Free does nothing as the Session implementation does not have to release any resources
+func (s *Session) Free() error {
+	return nil
+}
+
+// IsEnabled returns true as this plugin is enabled by default and its not possible to disable
+// it from settings.
+func (s *Session) IsEnabled() bool {
+	return true
+}
+
+// VerifyAuthData checks if there is a user uid stored in the session and returns the user
+// object for that uid.
+// Returns nil if there is no user uid stored in the session.
+func (s *Session) VerifyAuthData(ctx *macaron.Context, sess session.Store) *models.User {
+	user := SessionUser(sess)
+	if user != nil {
+		return user
+	}
+	return nil
+}
diff --git a/modules/auth/sso/sso.go b/modules/auth/sso/sso.go
new file mode 100644
index 0000000000..cf8148d89b
--- /dev/null
+++ b/modules/auth/sso/sso.go
@@ -0,0 +1,141 @@
+// Copyright 2014 The Gogs Authors. All rights reserved.
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package sso
+
+import (
+	"fmt"
+	"reflect"
+	"strings"
+
+	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+
+	"gitea.com/macaron/macaron"
+	"gitea.com/macaron/session"
+)
+
+// ssoMethods contains the list of SSO authentication plugins in the order they are expected to be
+// executed.
+//
+// The OAuth2 plugin is expected to be executed first, as it must ignore the user id stored
+// in the session (if there is a user id stored in session other plugins might return the user
+// object for that id).
+//
+// The Session plugin is expected to be executed second, in order to skip authentication
+// for users that have already signed in.
+var ssoMethods = []SingleSignOn{
+	&OAuth2{},
+	&Session{},
+	&ReverseProxy{},
+	&Basic{},
+}
+
+// The purpose of the following three function variables is to let the linter know that
+// those functions are not dead code and are actually being used
+var (
+	_ = handleSignIn
+)
+
+// Methods returns the instances of all registered SSO methods
+func Methods() []SingleSignOn {
+	return ssoMethods
+}
+
+// Register adds the specified instance to the list of available SSO methods
+func Register(method SingleSignOn) {
+	ssoMethods = append(ssoMethods, method)
+}
+
+// Init should be called exactly once when the application starts to allow SSO plugins
+// to allocate necessary resources
+func Init() {
+	for _, method := range Methods() {
+		err := method.Init()
+		if err != nil {
+			log.Error("Could not initialize '%s' SSO method, error: %s", reflect.TypeOf(method).String(), err)
+		}
+	}
+}
+
+// Free should be called exactly once when the application is terminating to allow SSO plugins
+// to release necessary resources
+func Free() {
+	for _, method := range Methods() {
+		err := method.Free()
+		if err != nil {
+			log.Error("Could not free '%s' SSO method, error: %s", reflect.TypeOf(method).String(), err)
+		}
+	}
+}
+
+// SessionUser returns the user object corresponding to the "uid" session variable.
+func SessionUser(sess session.Store) *models.User {
+	// Get user ID
+	uid := sess.Get("uid")
+	if uid == nil {
+		return nil
+	}
+	id, ok := uid.(int64)
+	if !ok {
+		return nil
+	}
+
+	// Get user object
+	user, err := models.GetUserByID(id)
+	if err != nil {
+		if !models.IsErrUserNotExist(err) {
+			log.Error("GetUserById: %v", err)
+		}
+		return nil
+	}
+	return user
+}
+
+// isAPIPath returns true if the specified URL is an API path
+func isAPIPath(ctx *macaron.Context) bool {
+	return strings.HasPrefix(ctx.Req.URL.Path, "/api/")
+}
+
+// isAttachmentDownload check if request is a file download (GET) with URL to an attachment
+func isAttachmentDownload(ctx *macaron.Context) bool {
+	return strings.HasPrefix(ctx.Req.URL.Path, "/attachments/") && ctx.Req.Method == "GET"
+}
+
+// handleSignIn clears existing session variables and stores new ones for the specified user object
+func handleSignIn(ctx *macaron.Context, sess session.Store, user *models.User) {
+	_ = sess.Delete("openid_verified_uri")
+	_ = sess.Delete("openid_signin_remember")
+	_ = sess.Delete("openid_determined_email")
+	_ = sess.Delete("openid_determined_username")
+	_ = sess.Delete("twofaUid")
+	_ = sess.Delete("twofaRemember")
+	_ = sess.Delete("u2fChallenge")
+	_ = sess.Delete("linkAccount")
+	err := sess.Set("uid", user.ID)
+	if err != nil {
+		log.Error(fmt.Sprintf("Error setting session: %v", err))
+	}
+	err = sess.Set("uname", user.Name)
+	if err != nil {
+		log.Error(fmt.Sprintf("Error setting session: %v", err))
+	}
+
+	// Language setting of the user overwrites the one previously set
+	// If the user does not have a locale set, we save the current one.
+	if len(user.Language) == 0 {
+		user.Language = ctx.Locale.Language()
+		if err := models.UpdateUserCols(user, "language"); err != nil {
+			log.Error(fmt.Sprintf("Error updating user language [user: %d, locale: %s]", user.ID, user.Language))
+			return
+		}
+	}
+
+	ctx.SetCookie("lang", user.Language, nil, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
+
+	// Clear whatever CSRF has right now, force to generate a new one
+	ctx.SetCookie(setting.CSRFCookieName, "", -1, setting.AppSubURL, setting.SessionConfig.Domain, setting.SessionConfig.Secure, true)
+}
diff --git a/modules/auth/sso/sspi_windows.go b/modules/auth/sso/sspi_windows.go
new file mode 100644
index 0000000000..3153fc63cd
--- /dev/null
+++ b/modules/auth/sso/sspi_windows.go
@@ -0,0 +1,237 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package sso
+
+import (
+	"errors"
+	"reflect"
+	"strings"
+
+	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/modules/base"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+
+	"gitea.com/macaron/macaron"
+	"gitea.com/macaron/session"
+
+	"github.com/quasoft/websspi"
+	gouuid "github.com/satori/go.uuid"
+)
+
+const (
+	tplSignIn base.TplName = "user/auth/signin"
+)
+
+var (
+	// sspiAuth is a global instance of the websspi authentication package,
+	// which is used to avoid acquiring the server credential handle on
+	// every request
+	sspiAuth *websspi.Authenticator
+
+	// Ensure the struct implements the interface.
+	_ SingleSignOn = &SSPI{}
+)
+
+// SSPI implements the SingleSignOn interface and authenticates requests
+// via the built-in SSPI module in Windows for SPNEGO authentication.
+// On successful authentication returns a valid user object.
+// Returns nil if authentication fails.
+type SSPI struct {
+}
+
+// Init creates a new global websspi.Authenticator object
+func (s *SSPI) Init() error {
+	config := websspi.NewConfig()
+	var err error
+	sspiAuth, err = websspi.New(config)
+	return err
+}
+
+// Free releases resources used by the global websspi.Authenticator object
+func (s *SSPI) Free() error {
+	return sspiAuth.Free()
+}
+
+// IsEnabled checks if there is an active SSPI authentication source
+func (s *SSPI) IsEnabled() bool {
+	return models.IsSSPIEnabled()
+}
+
+// VerifyAuthData uses SSPI (Windows implementation of SPNEGO) to authenticate the request.
+// If authentication is successful, returs the corresponding user object.
+// If negotiation should continue or authentication fails, immediately returns a 401 HTTP
+// response code, as required by the SPNEGO protocol.
+func (s *SSPI) VerifyAuthData(ctx *macaron.Context, sess session.Store) *models.User {
+	if !s.shouldAuthenticate(ctx) {
+		return nil
+	}
+
+	cfg, err := s.getConfig()
+	if err != nil {
+		log.Error("could not get SSPI config: %v", err)
+		return nil
+	}
+
+	userInfo, outToken, err := sspiAuth.Authenticate(ctx.Req.Request, ctx.Resp)
+	if err != nil {
+		log.Warn("Authentication failed with error: %v\n", err)
+		sspiAuth.AppendAuthenticateHeader(ctx.Resp, outToken)
+
+		// Include the user login page in the 401 response to allow the user
+		// to login with another authentication method if SSPI authentication
+		// fails
+		addFlashErr(ctx, ctx.Tr("auth.sspi_auth_failed"))
+		ctx.Data["EnableOpenIDSignIn"] = setting.Service.EnableOpenIDSignIn
+		ctx.Data["EnableSSPI"] = true
+		ctx.HTML(401, string(tplSignIn))
+		return nil
+	}
+	if outToken != "" {
+		sspiAuth.AppendAuthenticateHeader(ctx.Resp, outToken)
+	}
+
+	username := sanitizeUsername(userInfo.Username, cfg)
+	if len(username) == 0 {
+		return nil
+	}
+	log.Info("Authenticated as %s\n", username)
+
+	user, err := models.GetUserByName(username)
+	if err != nil {
+		if !models.IsErrUserNotExist(err) {
+			log.Error("GetUserByName: %v", err)
+			return nil
+		}
+		if !cfg.AutoCreateUsers {
+			log.Error("User '%s' not found", username)
+			return nil
+		}
+		user, err = s.newUser(ctx, username, cfg)
+		if err != nil {
+			log.Error("CreateUser: %v", err)
+			return nil
+		}
+	}
+
+	// Make sure requests to API paths and PWA resources do not create a new session
+	if !isAPIPath(ctx) && !isAttachmentDownload(ctx) {
+		handleSignIn(ctx, sess, user)
+	}
+
+	return user
+}
+
+// getConfig retrieves the SSPI configuration from login sources
+func (s *SSPI) getConfig() (*models.SSPIConfig, error) {
+	sources, err := models.ActiveLoginSources(models.LoginSSPI)
+	if err != nil {
+		return nil, err
+	}
+	if len(sources) == 0 {
+		return nil, errors.New("no active login sources of type SSPI found")
+	}
+	if len(sources) > 1 {
+		return nil, errors.New("more than one active login source of type SSPI found")
+	}
+	return sources[0].SSPI(), nil
+}
+
+func (s *SSPI) shouldAuthenticate(ctx *macaron.Context) (shouldAuth bool) {
+	shouldAuth = false
+	path := strings.TrimSuffix(ctx.Req.URL.Path, "/")
+	if path == "/user/login" {
+		if ctx.Req.FormValue("user_name") != "" && ctx.Req.FormValue("password") != "" {
+			shouldAuth = false
+		} else if ctx.Req.FormValue("auth_with_sspi") == "1" {
+			shouldAuth = true
+		}
+	} else if isAPIPath(ctx) || isAttachmentDownload(ctx) {
+		shouldAuth = true
+	}
+	return
+}
+
+// newUser creates a new user object for the purpose of automatic registration
+// and populates its name and email with the information present in request headers.
+func (s *SSPI) newUser(ctx *macaron.Context, username string, cfg *models.SSPIConfig) (*models.User, error) {
+	email := gouuid.NewV4().String() + "@localhost.localdomain"
+	user := &models.User{
+		Name:                         username,
+		Email:                        email,
+		KeepEmailPrivate:             true,
+		Passwd:                       gouuid.NewV4().String(),
+		IsActive:                     cfg.AutoActivateUsers,
+		Language:                     cfg.DefaultLanguage,
+		UseCustomAvatar:              true,
+		Avatar:                       base.DefaultAvatarLink(),
+		EmailNotificationsPreference: models.EmailNotificationsDisabled,
+	}
+	if err := models.CreateUser(user); err != nil {
+		return nil, err
+	}
+	return user, nil
+}
+
+// stripDomainNames removes NETBIOS domain name and separator from down-level logon names
+// (eg. "DOMAIN\user" becomes "user"), and removes the UPN suffix (domain name) and separator
+// from UPNs (eg. "user@domain.local" becomes "user")
+func stripDomainNames(username string) string {
+	if strings.Contains(username, "\\") {
+		parts := strings.SplitN(username, "\\", 2)
+		if len(parts) > 1 {
+			username = parts[1]
+		}
+	} else if strings.Contains(username, "@") {
+		parts := strings.Split(username, "@")
+		if len(parts) > 1 {
+			username = parts[0]
+		}
+	}
+	return username
+}
+
+func replaceSeparators(username string, cfg *models.SSPIConfig) string {
+	newSep := cfg.SeparatorReplacement
+	username = strings.ReplaceAll(username, "\\", newSep)
+	username = strings.ReplaceAll(username, "/", newSep)
+	username = strings.ReplaceAll(username, "@", newSep)
+	return username
+}
+
+func sanitizeUsername(username string, cfg *models.SSPIConfig) string {
+	if len(username) == 0 {
+		return ""
+	}
+	if cfg.StripDomainNames {
+		username = stripDomainNames(username)
+	}
+	// Replace separators even if we have already stripped the domain name part,
+	// as the username can contain several separators: eg. "MICROSOFT\useremail@live.com"
+	username = replaceSeparators(username, cfg)
+	return username
+}
+
+// addFlashErr adds an error message to the Flash object mapped to a macaron.Context
+func addFlashErr(ctx *macaron.Context, err string) {
+	fv := ctx.GetVal(reflect.TypeOf(&session.Flash{}))
+	if !fv.IsValid() {
+		return
+	}
+	flash, ok := fv.Interface().(*session.Flash)
+	if !ok {
+		return
+	}
+	flash.Error(err)
+	ctx.Data["Flash"] = flash
+}
+
+// init registers the SSPI auth method as the last method in the list.
+// The SSPI plugin is expected to be executed last, as it returns 401 status code if negotiation
+// fails (or if negotiation should continue), which would prevent other authentication methods
+// to execute at all.
+func init() {
+	Register(&SSPI{})
+}