
OAuth2 OPTIONS /login/oauth/userinfo 405 #25473

Closed
acquleo opened this issue Jun 23, 2023 · 5 comments · Fixed by #28184
@acquleo

acquleo commented Jun 23, 2023

Description

I'm bypassing the #25469 issue and using the gitea version 1.20.0-rc.1.

I'm trying to complete an openid connect authentication using a blazor wasm and a library provided by microsoft.

the authentication process works for the following calls:
GET /.well-known/openid-configuration HTTP/1.1\r\n
POST /login/oauth/access_token HTTP/1.1\r\n

then the oidc library sends the following command to gitea:

OPTIONS /login/oauth/userinfo HTTP/1.1\r\n

Hypertext Transfer Protocol
OPTIONS /login/oauth/userinfo HTTP/1.1\r\n
Host: integra-swarm1:6442\r\n
Connection: keep-alive\r\n
Accept: */*\r\n
Access-Control-Request-Method: GET\r\n
Access-Control-Request-Headers: authorization\r\n
Origin: http://127.0.0.1:5014\r\n
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.51\r\n
Sec-Fetch-Mode: cors\r\n
Referer: http://127.0.0.1:5014/\r\n
Accept-Encoding: gzip, deflate\r\n
Accept-Language: en-US,en;q=0.9\r\n
\r\n
[Full request URI: http://integra-swarm1:6442/login/oauth/userinfo]
[HTTP request 3/3]
[Prev request in frame: 40]
[Response in frame: 47]

unfortunately gitea answers with a 405 error

Hypertext Transfer Protocol
HTTP/1.1 405 Method Not Allowed\r\n
Server: nginx/1.24.0\r\n
Date: Fri, 23 Jun 2023 15:03:45 GMT\r\n
Content-Length: 0\r\n
Connection: keep-alive\r\n
Cache-Control: max-age=0, private, must-revalidate, no-transform\r\n
Set-Cookie: i_like_gitea=5c01e91e8e09815e; Path=/; HttpOnly; SameSite=Lax\r\n
Set-Cookie: _csrf=UzrbRAgJyJA-x31jQEUwWZuWuhM6MTY4NzUzMjYyNTM4ODQ2NzQzMQ; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax\r\n
X-Frame-Options: SAMEORIGIN\r\n
\r\n
[HTTP response 3/3]
[Time since request: 0.002656000 seconds]
[Prev request in frame: 40]
[Prev response in frame: 43]
[Request in frame: 45]
[Request URI: http://integra-swarm1:6442/login/oauth/userinfo]

could you help me investigate this issue?
Thanks

Gitea Version

1.20.0-rc.1

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

Ubuntu 22.04.2 LTS

How are you running Gitea?

I'm running GITEA as stack on docker swarm node.
image: gitea/gitea:1.20.0-rc.1
image: postgres:11-alpine

Database

PostgreSQL

@smainz

smainz commented Nov 23, 2023

I am having the same kind of issue with https://git.DOMAIN.de/login/oauth/access_token.

This happens while I am trying to connect Decap CMS (formerly Netlify CMS) to gitea.

curl -v -X OPTIONS https://git.DOMAIN.de/login/oauth/access_token
*   Trying xxx.xxx.xxx.xxx:443...
* Connected to git.DOMAIN.de (xxx.xxx.xxx.xxx) port 443
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.1
> OPTIONS /login/oauth/access_token HTTP/1.1
> Host: git.DOMAIN.de
> User-Agent: curl/8.4.0
> Accept: */*
>
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
< HTTP/1.1 405 Method Not Allowed
< Allow: POST
< Cache-Control: max-age=0, private, must-revalidate, no-transform
< Content-Length: 0
< Date: Thu, 23 Nov 2023 09:04:46 GMT
< Set-Cookie: i_like_gitea=ea30e26239148ae4; Path=/; HttpOnly; Secure; SameSite=Lax
< Set-Cookie: _csrf=9jBlZDXs3fwyFMevxEHM94VtOl06MTcwMDczMDI4NjcwMTI1MTQ1MQ; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Lax
< X-Frame-Options: SAMEORIGIN
<
* Connection #0 to host git.DOMAIN.de left intact

The same happens on the public site:

curl -v -X OPTIONS https://gitea.com/login/oauth/access_token
*   Trying 18.166.250.135:443...
* Connected to gitea.com (18.166.250.135) port 443
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.1
> OPTIONS /login/oauth/access_token HTTP/1.1
> Host: gitea.com
> User-Agent: curl/8.4.0
> Accept: */*
>
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
< HTTP/1.1 405 Method Not Allowed
< Date: Thu, 23 Nov 2023 08:59:30 GMT
< Content-Length: 0
< Connection: keep-alive
< Allow: HEAD
< Allow: POST
< Cache-Control: max-age=0, private, must-revalidate, no-transform
< Server: Caddy
< Set-Cookie: i_like_gitea=debe6004c3768862; Path=/; HttpOnly; Secure; SameSite=Lax
< Set-Cookie: _csrf=pkn0R0r1Xz2AShKRjB2IqTJfFhw6MTcwMDcyOTk3MDU3ODM5MjE4Mg; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Lax
< X-Frame-Options: SAMEORIGIN
<
* Connection #0 to host gitea.com left intact

In my app.ini I have this:

...
[cors]
ENABLED      = true
ALLOW_DOMAIN = *
#METHODS      = GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS
ALLOW_CREDENTIALS = true
...

Commenting or uncommenting the METHODS does not help.

gitea (current docker image version 1.21) runs inside a docker container, and even in there I get the same:

c8015346512a:/# curl -v -X OPTIONS http://localhost:3000/login/oauth/access_token
*   Trying [::1]:3000...
* Immediate connect fail for ::1: Address not available
*   Trying 127.0.0.1:3000...
* Connected to localhost (127.0.0.1) port 3000
> OPTIONS /login/oauth/access_token HTTP/1.1
> Host: localhost:3000
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/1.1 405 Method Not Allowed
< Allow: POST
< Cache-Control: max-age=0, private, must-revalidate, no-transform
< Set-Cookie: i_like_gitea=28bb32463fdd65a8; Path=/; HttpOnly; Secure; SameSite=Lax
< Set-Cookie: _csrf=UWFrG53L8AIgv77PE9d1pTXo9mw6MTcwMDczMDg5NzIyODAzMjI5OQ; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Lax
< X-Frame-Options: SAMEORIGIN
< Date: Thu, 23 Nov 2023 09:14:57 GMT
< Content-Length: 0
<
* Connection #0 to host localhost left intact

@wxiaoguang
Contributor

Could you try this fix? Make CORS work for oauth2 handlers #28184

wxiaoguang added a commit that referenced this issue Nov 23, 2023
Fix #25473

Although there was `m.Post("/login/oauth/access_token", CorsHandler()...`,
it never really worked, because it still lacks the "OPTIONS" handler.
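The failure mode named in the commit message above is a router-level one: the CORS middleware is wrapped around the POST handler, but a browser preflight arrives as OPTIONS, so the router answers 405 with `Allow: POST` before any middleware runs. The following is an added Go example, not Gitea's code, that reproduces that behaviour side by side with the fix (registering OPTIONS through the same CORS middleware). `methodRouter`, `corsHandler`, `tokenEndpoint`, `brokenMux`, `fixedMux` and `send` are hypothetical names; the token body is constructed; the path and the `Origin` value are taken from the captured request in the issue.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// methodRouter dispatches on HTTP method and answers 405 with an Allow header
// for any method that has no handler. With only POST registered, the browser's
// preflight OPTIONS never reaches the CORS middleware wrapped around POST.
type methodRouter map[string]http.Handler

func (m methodRouter) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if h, ok := m[r.Method]; ok {
		h.ServeHTTP(w, r)
		return
	}
	allowed := make([]string, 0, len(m))
	for method := range m {
		allowed = append(allowed, method)
	}
	sort.Strings(allowed)
	w.Header().Set("Allow", strings.Join(allowed, ", "))
	w.WriteHeader(http.StatusMethodNotAllowed)
}

// corsHandler (hypothetical; not Gitea's CorsHandler) adds CORS headers for one
// exact-match origin and answers preflights itself. Non-matching origins get no
// CORS headers at all, so the browser refuses the cross-origin read.
func corsHandler(allowedOrigin string, methods []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		isPreflight := r.Method == http.MethodOptions &&
			r.Header.Get("Access-Control-Request-Method") != ""
		if origin == allowedOrigin {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Add("Vary", "Origin")
			if isPreflight {
				w.Header().Set("Access-Control-Allow-Methods", strings.Join(methods, ", "))
				if h := r.Header.Get("Access-Control-Request-Headers"); h != "" {
					w.Header().Set("Access-Control-Allow-Headers", h)
				}
				w.Header().Set("Access-Control-Max-Age", "600")
			}
		}
		if isPreflight {
			// A preflight needs no body and must not run the real endpoint.
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// tokenEndpoint stands in for the access_token handler; the token is constructed.
func tokenEndpoint(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprint(w, `{"access_token":"constructed-example-token","token_type":"bearer"}`)
}

// clientOrigin is the Origin header from the captured preflight in the issue.
const clientOrigin = "http://127.0.0.1:5014"

// brokenMux mirrors the pre-fix routing: CORS middleware on POST only.
func brokenMux() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/login/oauth/access_token", methodRouter{
		http.MethodPost: corsHandler(clientOrigin, []string{"POST"}, http.HandlerFunc(tokenEndpoint)),
	})
	return mux
}

// fixedMux also registers OPTIONS, routed through the same CORS middleware.
func fixedMux() http.Handler {
	cors := corsHandler(clientOrigin, []string{"POST"}, http.HandlerFunc(tokenEndpoint))
	mux := http.NewServeMux()
	mux.Handle("/login/oauth/access_token", methodRouter{
		http.MethodPost:    cors,
		http.MethodOptions: cors,
	})
	return mux
}

// send issues a request the way a browser would (a preflight when method is
// OPTIONS) and returns the status code and the Access-Control-Allow-Origin header.
func send(h http.Handler, method, origin string) (int, string) {
	req := httptest.NewRequest(method, "/login/oauth/access_token", nil)
	req.Header.Set("Origin", origin)
	if method == http.MethodOptions {
		req.Header.Set("Access-Control-Request-Method", "POST")
		req.Header.Set("Access-Control-Request-Headers", "authorization")
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	for name, h := range map[string]http.Handler{"broken": brokenMux(), "fixed": fixedMux()} {
		code, acao := send(h, http.MethodOptions, clientOrigin)
		fmt.Printf("%s: preflight OPTIONS -> %d, Access-Control-Allow-Origin=%q\n", name, code, acao)
	}
}
```

The quickest external check is the one smainz used: `curl -v -X OPTIONS` against the endpoint, looking for a 2xx with `Access-Control-Allow-Origin` rather than a bare 405 plus `Allow:`. One caveat on the posted `app.ini`: `ALLOW_DOMAIN = *` together with `ALLOW_CREDENTIALS = true` asks for a literal `Access-Control-Allow-Origin: *` on a credentialed request, which browsers reject; a CORS layer that works has to echo an explicit, allow-listed origin (as the example does) when credentials are involved.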
GiteaBot pushed a commit to GiteaBot/gitea that referenced this issue Nov 23, 2023
Fix go-gitea#25473

Although there was `m.Post("/login/oauth/access_token", CorsHandler()...`,
it never really worked, because it still lacks the "OPTIONS" handler.
@smainz

smainz commented Nov 23, 2023

Could you try this fix? Make CORS work for oauth2 handlers #28184

Thanks for fixing it.
Do you - by any chance - have a docker image including that fix or do I have to build one myself?

@denyskon
Member

@smainz You can use the latest nightly if the build already finished

wxiaoguang added a commit that referenced this issue Nov 23, 2023
Backport #28184

Fix #25473

Although there was `m.Post("/login/oauth/access_token", CorsHandler()...`,
it never really worked, because it still lacks the "OPTIONS" handler.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
@smainz

smainz commented Nov 24, 2023

@wxiaoguang Thanks for the fast fix. It works.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 9, 2024
fuxiaohei pushed a commit to fuxiaohei/gitea that referenced this issue Jan 17, 2024
Fix go-gitea#25473

Although there was `m.Post("/login/oauth/access_token", CorsHandler()...`,
it never really worked, because it still lacks the "OPTIONS" handler.
silverwind pushed a commit to silverwind/gitea that referenced this issue Feb 20, 2024
Fix go-gitea#25473

Although there was `m.Post("/login/oauth/access_token", CorsHandler()...`,
it never really worked, because it still lacks the "OPTIONS" handler.