
OAuth should not require secret for public clients #25047

Closed
hickford opened this issue Jun 2, 2023 · 1 comment · Fixed by #25033
Contributor

hickford commented Jun 2, 2023

According to the OAuth spec https://datatracker.ietf.org/doc/html/rfc8252#section-8.5

> it is NOT RECOMMENDED for authorization servers to require client authentication of public native apps clients using a shared secret

but Gitea requires a client secret in both the authorization code flow and the refresh flow regardless of client type:

```go
// authorization code flow
if !app.ValidateClientSecret([]byte(form.ClientSecret)) {
```

```go
// refresh token flow
if !app.ValidateClientSecret([]byte(form.ClientSecret)) {
```

The fix would be to validate the secret if and only if `app.ConfidentialClient`.
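The rule proposed above, as an added example in Go that is not Gitea's own code: `OAuthApp`, `AuthCode` and `AuthenticateClient` are hypothetical stand-ins for Gitea's types, the secret is stored as a plain sha256 hash purely for illustration, and only the S256 PKCE method is handled. A public client is authenticated by its PKCE code_verifier alone; a confidential client must still present its secret.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
)

// OAuthApp is a hypothetical stand-in for Gitea's OAuth2 application record.
type OAuthApp struct {
	ConfidentialClient bool
	SecretHash         [32]byte // constructed: sha256 of the secret; Gitea's real storage differs
}

// AuthCode is a stored authorization code with its PKCE challenge (empty if none was sent).
type AuthCode struct {
	CodeChallenge string // base64url(sha256(code_verifier)), method S256
}

var ErrClientSecret = errors.New("invalid client secret")
var ErrPKCE = errors.New("PKCE verification failed")
func (app *OAuthApp) ValidateClientSecret(secret []byte) bool {
	h := sha256.Sum256(secret)
	return subtle.ConstantTimeCompare(h[:], app.SecretHash[:]) == 1
}

// verifyPKCE checks code_verifier against the stored S256 challenge (RFC 7636 section 4.6).
func verifyPKCE(code AuthCode, verifier string) bool {
	if verifier == "" || code.CodeChallenge == "" {
		return false
	}
	sum := sha256.Sum256([]byte(verifier))
	expect := base64.RawURLEncoding.EncodeToString(sum[:])
	return subtle.ConstantTimeCompare([]byte(expect), []byte(code.CodeChallenge)) == 1
}

// AuthenticateClient applies the rule proposed in the issue: the secret is checked only for
// confidential clients; public clients must instead prove possession of the code via PKCE.
func AuthenticateClient(app *OAuthApp, code AuthCode, clientSecret, codeVerifier string) error {
	if app.ConfidentialClient && !app.ValidateClientSecret([]byte(clientSecret)) {
		return ErrClientSecret
	}
	if !app.ConfidentialClient || code.CodeChallenge != "" {
		if !verifyPKCE(code, codeVerifier) {
			return ErrPKCE
		}
	}
	return nil
}
```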

Member

denyskon commented Jun 2, 2023

See #25033

6543 pushed a commit that referenced this issue Jun 3, 2023
The PKCE flow according to [RFC
7636](https://datatracker.ietf.org/doc/html/rfc7636) allows for secure
authorization without the requirement to provide a client secret for the
OAuth app.

It has been implemented in Gitea since #5378 (v1.8.0), however without being
able to omit the client secret.
Since #21316 Gitea supports setting client type at OAuth app
registration.

As public clients are already forced to use PKCE since #21316, in this
PR the client secret check is being skipped if a public client is
detected. As Gitea seems to implement PKCE authorization correctly
according to the spec, this would allow for PKCE flow without providing
a client secret.

Also add some docs for it; please check the language as I'm not a native
English speaker.

Closes #17107
Closes #25047
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 19, 2023