Parse OAuth Authorization header when request omits client secret (#21351) #21374

hickford · 2022-10-07T20:08:28Z

Backport #21351

This fixes error "unauthorized_client: invalid client secret" when client includes secret in Authorization header rather than request body. OAuth spec permits both: https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1

Clients in possession of a client password MAY use the HTTP Basic authentication scheme ... Alternatively, the authorization server MAY support including the client credentials in the request-body

Sanity validation that client id and client secret in request are consistent with Authorization header.

Improve error descriptions. Error codes remain the same.

zeripath · 2022-10-07T21:04:17Z

Lint failures are related I'm afraid

…-gitea#21351) This fixes error "unauthorized_client: invalid client secret" when client includes secret in Authorization header rather than request body. OAuth spec permits both. Sanity validation that client id and client secret in request are consistent with Authorization header. Improve error descriptions. Error codes remain the same. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: zeripath <art27@cantab.net>

hickford · 2022-10-08T03:40:29Z

Fixed

…-gitea#21351) (go-gitea#21374) Backport go-gitea#21351 This fixes error "unauthorized_client: invalid client secret" when client includes secret in Authorization header rather than request body. OAuth spec permits both: https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1 Clients in possession of a client password MAY use the HTTP Basic authentication scheme ... Alternatively, the authorization server MAY support including the client credentials in the request-body Sanity validation that client id and client secret in request are consistent with Authorization header. Improve error descriptions. Error codes remain the same. Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: zeripath <art27@cantab.net>

hickford marked this pull request as draft October 7, 2022 20:09

hickford force-pushed the artanrset branch from f41d0e2 to a9c8269 Compare October 7, 2022 20:12

hickford marked this pull request as ready for review October 7, 2022 20:12

GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Oct 7, 2022

hickford force-pushed the artanrset branch from a9c8269 to dca339e Compare October 7, 2022 21:23

hickford force-pushed the artanrset branch from dca339e to d4b627e Compare October 7, 2022 21:24

Merge branch 'release/v1.17' into artanrset

68b0f35

wxiaoguang approved these changes Oct 8, 2022

View reviewed changes

GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Oct 8, 2022

silverwind approved these changes Oct 8, 2022

View reviewed changes

GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Oct 8, 2022

wxiaoguang merged commit 14bc4d7 into go-gitea:release/v1.17 Oct 8, 2022

wxiaoguang added this to the 1.17.3 milestone Oct 8, 2022

go-gitea locked and limited conversation to collaborators May 3, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Parse OAuth Authorization header when request omits client secret (#21351) #21374

Parse OAuth Authorization header when request omits client secret (#21351) #21374

hickford commented Oct 7, 2022

zeripath commented Oct 7, 2022

hickford commented Oct 8, 2022

Parse OAuth Authorization header when request omits client secret (#21351) #21374

Parse OAuth Authorization header when request omits client secret (#21351) #21374

Conversation

hickford commented Oct 7, 2022

zeripath commented Oct 7, 2022

hickford commented Oct 8, 2022