Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OAuth refresh handler should require client authentication #21418

Closed
hickford opened this issue Oct 12, 2022 · 0 comments · Fixed by #21421
Closed

OAuth refresh handler should require client authentication #21418

hickford opened this issue Oct 12, 2022 · 0 comments · Fixed by #21421
Labels
type/bug

Comments

@hickford
Copy link
Contributor

hickford commented Oct 12, 2022
edited
Loading

The OAuth authorization_code handler authenticates the client by validating the client secret

gitea/routers/web/auth/oauth.go

Lines 703 to 713 in 9862936

if !app.ValidateClientSecret([]byte(form.ClientSecret)) {
errorDescription := "invalid client secret"
if form.ClientSecret == "" {
errorDescription = "invalid empty client secret"
}
handleAccessTokenError(ctx, AccessTokenError{
ErrorCode: AccessTokenErrorCodeUnauthorizedClient,
ErrorDescription: errorDescription,
})
return
}

According to the OAuth spec https://datatracker.ietf.org/doc/html/rfc6749#section-6 , this should also happen when "Refreshing an Access Token"

The authorization server MUST ... require client authentication for confidential clients

but handleRefreshToken doesn't do this

gitea/routers/web/auth/oauth.go

Line 658 in 9862936

func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, serverKey, clientKey oauth2.JWTSigningKey) {

@hickford hickford mentioned this issue Oct 12, 2022
Merged
lunny added a commit that referenced this issue Oct 23, 2022
@hickford @lunny
Require authentication for OAuth token refresh (#21421)
afebbf2 
According to the OAuth spec
https://datatracker.ietf.org/doc/html/rfc6749#section-6 when "Refreshing
an Access Token"

> The authorization server MUST ... require client authentication for
confidential clients


Fixes #21418

Co-authored-by: Gusted <williamzijl7@hotmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
@go-gitea go-gitea locked and limited conversation to collaborators May 3, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
type/bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Require authentication for OAuth token refresh hickford/gitea
1 participant
@hickford