Require authentication for OAuth token refresh

go-gitea · Oct 21, 2022 · 4aeb963 · 4aeb963
1 parent e828564
commit 4aeb963
Show file tree

Hide file tree

Showing 2 changed files with 68 additions and 12 deletions.
diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
@@ -48,6 +48,7 @@ const (
 // TODO move error and responses to SDK or models
 
 // AuthorizeErrorCode represents an error code specified in RFC 6749
+// https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2.1
 type AuthorizeErrorCode string
 
 const (
@@ -68,6 +69,7 @@ const (
 )
 
 // AuthorizeError represents an error type specified in RFC 6749
+// https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2.1
 type AuthorizeError struct {
  ErrorCode AuthorizeErrorCode `json:"error" form:"error"`
  ErrorDescription string
@@ -80,6 +82,7 @@ func (err AuthorizeError) Error() string {
 }
 
 // AccessTokenErrorCode represents an error code specified in RFC 6749
+// https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
 type AccessTokenErrorCode string
 
 const (
@@ -98,6 +101,7 @@ const (
 )
 
 // AccessTokenError represents an error response specified in RFC 6749
+// https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
 type AccessTokenError struct {
  ErrorCode AccessTokenErrorCode `json:"error" form:"error"`
  ErrorDescription string `json:"error_description"`
@@ -129,6 +133,7 @@ const (
 )
 
 // AccessTokenResponse represents a successful access token response
+// https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2
 type AccessTokenResponse struct {
  AccessToken string `json:"access_token"`
  TokenType TokenType `json:"token_type"`
@@ -663,6 +668,30 @@ func AccessTokenOAuth(ctx *context.Context) {
 }
 
 func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, serverKey, clientKey oauth2.JWTSigningKey) {
+ app, err := auth.GetOAuth2ApplicationByClientID(ctx, form.ClientID)
+ if err != nil {
+ handleAccessTokenError(ctx, AccessTokenError{
+ ErrorCode: AccessTokenErrorCodeInvalidClient,
+ ErrorDescription: fmt.Sprintf("cannot load client with client id: '%s'", form.ClientID),
+ })
+ return
+ }
+ // "The authorization server MUST ... require client authentication for confidential clients"
+ // https://datatracker.ietf.org/doc/html/rfc6749#section-6
+ if !app.ValidateClientSecret([]byte(form.ClientSecret)) {
+ errorDescription := "invalid client secret"
+ if form.ClientSecret == "" {
+ errorDescription = "invalid empty client secret"
+ }
+ // "invalid_client ... Client authentication failed"
+ // https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
+ handleAccessTokenError(ctx, AccessTokenError{
+ ErrorCode: AccessTokenErrorCodeInvalidClient,
+ ErrorDescription: errorDescription,
+ })
+ return
+ }
+
  token, err := oauth2.ParseToken(form.RefreshToken, serverKey)
  if err != nil {
  handleAccessTokenError(ctx, AccessTokenError{

diff --git a/tests/integration/oauth_test.go b/tests/integration/oauth_test.go
@@ -299,10 +299,11 @@ func TestAccessTokenExchangeWithBasicAuth(t *testing.T) {
  "client_secret": "inconsistent",
  })
  req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9")
+ resp = MakeRequest(t, req, http.StatusBadRequest)
  parsedError = new(auth.AccessTokenError)
  assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))
  assert.Equal(t, "invalid_request", string(parsedError.ErrorCode))
- assert.Equal(t, "client_id in request body inconsistent with Authorization header", parsedError.ErrorDescription)
+ assert.Equal(t, "client_secret in request body inconsistent with Authorization header", parsedError.ErrorDescription)
 }
 
 func TestRefreshTokenInvalidation(t *testing.T) {
@@ -329,32 +330,58 @@ func TestRefreshTokenInvalidation(t *testing.T) {
  // test without invalidation
  setting.OAuth2.InvalidateRefreshTokens = false
 
- refreshReq := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
+ req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
+ "grant_type": "refresh_token",
+ "client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
+ // omit secret
+ "redirect_uri": "a",
+ "refresh_token": parsed.RefreshToken,
+ })
+ resp = MakeRequest(t, req, http.StatusBadRequest)
+ parsedError := new(auth.AccessTokenError)
+ assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))
+ assert.Equal(t, "invalid_client", string(parsedError.ErrorCode))
+ assert.Equal(t, "invalid empty client secret", parsedError.ErrorDescription)
+
+ req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
+ "grant_type": "refresh_token",
+ "client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
+ "client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
+ "redirect_uri": "a",
+ "refresh_token": "UNEXPECTED",
+ })
+ resp = MakeRequest(t, req, http.StatusBadRequest)
+ parsedError = new(auth.AccessTokenError)
+ assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))
+ assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode))
+ assert.Equal(t, "unable to parse refresh token", parsedError.ErrorDescription)
+
+ req = NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
  "grant_type": "refresh_token",
  "client_id": "da7da3ba-9a13-4167-856f-3899de0b0138",
  "client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
  "redirect_uri": "a",
  "refresh_token": parsed.RefreshToken,
  })
 
- bs, err := io.ReadAll(refreshReq.Body)
+ bs, err := io.ReadAll(req.Body)
  assert.NoError(t, err)
 
- refreshReq.Body = io.NopCloser(bytes.NewReader(bs))
- MakeRequest(t, refreshReq, http.StatusOK)
+ req.Body = io.NopCloser(bytes.NewReader(bs))
+ MakeRequest(t, req, http.StatusOK)
 
- refreshReq.Body = io.NopCloser(bytes.NewReader(bs))
- MakeRequest(t, refreshReq, http.StatusOK)
+ req.Body = io.NopCloser(bytes.NewReader(bs))
+ MakeRequest(t, req, http.StatusOK)
 
  // test with invalidation
  setting.OAuth2.InvalidateRefreshTokens = true
- refreshReq.Body = io.NopCloser(bytes.NewReader(bs))
- MakeRequest(t, refreshReq, http.StatusOK)
+ req.Body = io.NopCloser(bytes.NewReader(bs))
+ MakeRequest(t, req, http.StatusOK)
 
  // repeat request should fail
- refreshReq.Body = io.NopCloser(bytes.NewReader(bs))
- resp = MakeRequest(t, refreshReq, http.StatusBadRequest)
- parsedError := new(auth.AccessTokenError)
+ req.Body = io.NopCloser(bytes.NewReader(bs))
+ resp = MakeRequest(t, req, http.StatusBadRequest)
+ parsedError = new(auth.AccessTokenError)
  assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsedError))
  assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode))
  assert.Equal(t, "token was already used", parsedError.ErrorDescription)