Parse OAuth Authorization header when request omits client secret #21351
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hickford
force-pushed
the
oauth-ease
branch
2 times, most recently
from
0f44d2e
to
e624e1a
Compare
|
@wxiaoguang This suffices for git-ecosystem/git-credential-manager#879 |
GiteaBot
added
the
lgtm/need 2
|
It also looks good to me. Could there be some details about how this PR fixes the problem? Then the details can be put in the commit message and maintainers in the future can also understand it. And a small question about the ErrorDescription, will they be used by clients or should they be kept stable (never-changed)? |
wxiaoguang
approved these changes
Oct 6, 2022
GiteaBot
added
lgtm/need 1
wxiaoguang
reviewed
Oct 6, 2022
…ient includes secret in Authorization header rather than request body. OAuth spec permits both: https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1 > Clients in possession of a client password MAY use the HTTP Basic authentication scheme ... Alternatively, the authorization server MAY support including the client credentials in the request-body Sanity validation that client id and client secret in request are consistent with Authorization header. Improve error descriptions. Error codes remain the same.
|
Added details to commit message and PR description. The prescribed error codes remain the same. I change the human-readable description to "provide additional information" https://www.rfc-editor.org/rfc/rfc6749#section-5.2 |
This comment was marked as off-topic.
This comment was marked as off-topic.
delvh
approved these changes
Oct 6, 2022
GiteaBot
added
lgtm/done
KN4CK3R
approved these changes
Oct 6, 2022
wxiaoguang
approved these changes
Oct 7, 2022
|
I think it's worth to be backported to 1.17, how do you think? |
|
@wxiaoguang Good idea. What's the process to backport? |
|
Check out the 1.17 branch, create a backport branch on it And here is some document: https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md#backports-and-frontports |
|
Thanks. I think it would also be necessary to backport #21293 . |
hickford
added a commit
to hickford/gitea
that referenced
this pull request
Oct 7, 2022
…-gitea#21351) This fixes error "unauthorized_client: invalid client secret" when client includes secret in Authorization header rather than request body. OAuth spec permits both. Sanity validation that client id and client secret in request are consistent with Authorization header. Improve error descriptions. Error codes remain the same. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: zeripath <art27@cantab.net>
zjjhot
added a commit
to zjjhot/gitea
that referenced
this pull request
Oct 8, 2022
* upstream/main: (34 commits) Fix formatted link for PR review notifications to matrix (go-gitea#21319) Show private data in feeds (go-gitea#21369) Add nicer error handling on template compile errors (go-gitea#21350) Fix some typos and update db transaction demo in backend guideline (go-gitea#21322) Refactor parseTreeEntries, speed up tree list (go-gitea#21368) Add GET and DELETE endpoints for Docker blob uploads (go-gitea#21367) Make external issue tracker regexp configurable via API (go-gitea#21338) Add new CSS variables --color-accent and --color-small-accent (go-gitea#21305) Set SemverCompatible to false for Conan packages (go-gitea#21275) Parse OAuth Authorization header when request omits client secret (go-gitea#21351) Disable Firefox E2E tests (go-gitea#21363) Add redirect of /upgrade/ to /upgrade-from-gitea/ on docs site (go-gitea#21330) Update to go-enry v2.8.3 (go-gitea#21360) Update go to 1.19 (go-gitea#21361) SessionUser protection against nil pointer dereference (go-gitea#21358) Fix and improve incorrect error messages (go-gitea#21342) Fix default theme-auto selector when nologin (go-gitea#21346) Add `stat` to `ToCommit` function for speed (go-gitea#21337) Fix typo in API comment document (go-gitea#21347) Update comment about repository.DISABLED_REPO_UNITS in app.example.ini (go-gitea#21343) ...
wxiaoguang
added a commit
that referenced
this pull request
Oct 8, 2022
…1351) (#21374) Backport #21351 This fixes error "unauthorized_client: invalid client secret" when client includes secret in Authorization header rather than request body. OAuth spec permits both: https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1 Clients in possession of a client password MAY use the HTTP Basic authentication scheme ... Alternatively, the authorization server MAY support including the client credentials in the request-body Sanity validation that client id and client secret in request are consistent with Authorization header. Improve error descriptions. Error codes remain the same. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: zeripath <art27@cantab.net>
tyroneyeh
added a commit
to tyroneyeh/gitea
that referenced
this pull request
Oct 24, 2022
…-gitea#21351) (go-gitea#21374) Backport go-gitea#21351 This fixes error "unauthorized_client: invalid client secret" when client includes secret in Authorization header rather than request body. OAuth spec permits both: https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1 Clients in possession of a client password MAY use the HTTP Basic authentication scheme ... Alternatively, the authorization server MAY support including the client credentials in the request-body Sanity validation that client id and client secret in request are consistent with Authorization header. Improve error descriptions. Error codes remain the same. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: zeripath <art27@cantab.net>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This fixes error "unauthorized_client: invalid client secret" when client includes secret in Authorization header rather than request body. OAuth spec permits both: https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1
Sanity validation that client id and client secret in request are consistent with Authorization header.
Improve error descriptions. Error codes remain the same.
I believe further improvements to OAuth remain necessary, in particular explicit client type #21299.