-
-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Parse OAuth Authorization header when request omits client secret #21351
Conversation
0f44d2e
to
e624e1a
Compare
@wxiaoguang This suffices for git-ecosystem/git-credential-manager#879 |
It also looks good to me. Could there be some details about how this PR fixes the problem? Then the details can be put in the commit message and maintainers in the future can also understand it. And a small question about the ErrorDescription, will they be used by clients or should they be kept stable (never-changed)? |
…ient includes secret in Authorization header rather than request body. OAuth spec permits both: https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1 > Clients in possession of a client password MAY use the HTTP Basic authentication scheme ... Alternatively, the authorization server MAY support including the client credentials in the request-body Sanity validation that client id and client secret in request are consistent with Authorization header. Improve error descriptions. Error codes remain the same.
Added details to commit message and PR description. The prescribed error codes remain the same. I change the human-readable description to "provide additional information" https://www.rfc-editor.org/rfc/rfc6749#section-5.2 |
This comment was marked as off-topic.
This comment was marked as off-topic.
I think it's worth to be backported to 1.17, how do you think? |
@wxiaoguang Good idea. What's the process to backport? |
Check out the 1.17 branch, create a backport branch on it And here is some document: https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md#backports-and-frontports |
Thanks. I think it would also be necessary to backport #21293 . |
…-gitea#21351) This fixes error "unauthorized_client: invalid client secret" when client includes secret in Authorization header rather than request body. OAuth spec permits both. Sanity validation that client id and client secret in request are consistent with Authorization header. Improve error descriptions. Error codes remain the same. Co-authored-by: wxiaoguang <[email protected]> Co-authored-by: zeripath <[email protected]>
* upstream/main: (34 commits) Fix formatted link for PR review notifications to matrix (go-gitea#21319) Show private data in feeds (go-gitea#21369) Add nicer error handling on template compile errors (go-gitea#21350) Fix some typos and update db transaction demo in backend guideline (go-gitea#21322) Refactor parseTreeEntries, speed up tree list (go-gitea#21368) Add GET and DELETE endpoints for Docker blob uploads (go-gitea#21367) Make external issue tracker regexp configurable via API (go-gitea#21338) Add new CSS variables --color-accent and --color-small-accent (go-gitea#21305) Set SemverCompatible to false for Conan packages (go-gitea#21275) Parse OAuth Authorization header when request omits client secret (go-gitea#21351) Disable Firefox E2E tests (go-gitea#21363) Add redirect of /upgrade/ to /upgrade-from-gitea/ on docs site (go-gitea#21330) Update to go-enry v2.8.3 (go-gitea#21360) Update go to 1.19 (go-gitea#21361) SessionUser protection against nil pointer dereference (go-gitea#21358) Fix and improve incorrect error messages (go-gitea#21342) Fix default theme-auto selector when nologin (go-gitea#21346) Add `stat` to `ToCommit` function for speed (go-gitea#21337) Fix typo in API comment document (go-gitea#21347) Update comment about repository.DISABLED_REPO_UNITS in app.example.ini (go-gitea#21343) ...
…1351) (#21374) Backport #21351 This fixes error "unauthorized_client: invalid client secret" when client includes secret in Authorization header rather than request body. OAuth spec permits both: https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1 Clients in possession of a client password MAY use the HTTP Basic authentication scheme ... Alternatively, the authorization server MAY support including the client credentials in the request-body Sanity validation that client id and client secret in request are consistent with Authorization header. Improve error descriptions. Error codes remain the same. Co-authored-by: wxiaoguang <[email protected]> Co-authored-by: zeripath <[email protected]>
…-gitea#21351) (go-gitea#21374) Backport go-gitea#21351 This fixes error "unauthorized_client: invalid client secret" when client includes secret in Authorization header rather than request body. OAuth spec permits both: https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1 Clients in possession of a client password MAY use the HTTP Basic authentication scheme ... Alternatively, the authorization server MAY support including the client credentials in the request-body Sanity validation that client id and client secret in request are consistent with Authorization header. Improve error descriptions. Error codes remain the same. Co-authored-by: wxiaoguang <[email protected]> Co-authored-by: zeripath <[email protected]>
This fixes error "unauthorized_client: invalid client secret" when client includes secret in Authorization header rather than request body. OAuth spec permits both: https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1
Sanity validation that client id and client secret in request are consistent with Authorization header.
Improve error descriptions. Error codes remain the same.
I believe further improvements to OAuth remain necessary, in particular explicit client type #21299.