Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Parse OAuth Authorization header when request omits client secret #21351

Merged
merged 3 commits into from
Oct 7, 2022

Conversation

hickford
Copy link
Contributor

@hickford hickford commented Oct 5, 2022

This fixes error "unauthorized_client: invalid client secret" when client includes secret in Authorization header rather than request body. OAuth spec permits both: https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1

Clients in possession of a client password MAY use the HTTP Basic authentication scheme ... Alternatively, the authorization server MAY support including the client credentials in the request-body

Sanity validation that client id and client secret in request are consistent with Authorization header.

Improve error descriptions. Error codes remain the same.


I believe further improvements to OAuth remain necessary, in particular explicit client type #21299.

@hickford
Copy link
Contributor Author

hickford commented Oct 5, 2022

@wxiaoguang This suffices for git-ecosystem/git-credential-manager#879

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Oct 5, 2022
@wxiaoguang
Copy link
Contributor

It also looks good to me. Could there be some details about how this PR fixes the problem? Then the details can be put in the commit message and maintainers in the future can also understand it.

And a small question about the ErrorDescription, will they be used by clients or should they be kept stable (never-changed)?

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Oct 6, 2022
…ient includes secret in Authorization header rather than request body. OAuth spec permits both: https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1

> Clients in possession of a client password MAY use the HTTP Basic authentication scheme ... Alternatively, the authorization server MAY support including the   client credentials in the request-body

Sanity validation that client id and client secret in request are consistent with Authorization header.

Improve error descriptions. Error codes remain the same.
@hickford
Copy link
Contributor Author

hickford commented Oct 6, 2022

Added details to commit message and PR description.

The prescribed error codes remain the same. I change the human-readable description to "provide additional information" https://www.rfc-editor.org/rfc/rfc6749#section-5.2

@codecov-commenter

This comment was marked as off-topic.

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Oct 6, 2022
@Gusted Gusted added this to the 1.18.0 milestone Oct 6, 2022
@wxiaoguang wxiaoguang merged commit 34f509e into go-gitea:main Oct 7, 2022
@wxiaoguang
Copy link
Contributor

I think it's worth to be backported to 1.17, how do you think?

@hickford
Copy link
Contributor Author

hickford commented Oct 7, 2022

@wxiaoguang Good idea. What's the process to backport?

@wxiaoguang
Copy link
Contributor

Check out the 1.17 branch, create a backport branch on it
Then cherry pick the commit of this PR on main into the backport branch, and create a PR for the 1.17 branch.

And here is some document: https://github.com/go-gitea/gitea/blob/main/CONTRIBUTING.md#backports-and-frontports

@hickford
Copy link
Contributor Author

hickford commented Oct 7, 2022

Thanks. I think it would also be necessary to backport #21293 .

hickford added a commit to hickford/gitea that referenced this pull request Oct 7, 2022
…-gitea#21351)

This fixes error "unauthorized_client: invalid client secret" when
client includes secret in Authorization header rather than request body.
OAuth spec permits both.

Sanity validation that client id and client secret in request are
consistent with Authorization header.

Improve error descriptions. Error codes remain the same.

Co-authored-by: wxiaoguang <[email protected]>
Co-authored-by: zeripath <[email protected]>
zjjhot added a commit to zjjhot/gitea that referenced this pull request Oct 8, 2022
* upstream/main: (34 commits)
  Fix formatted link for PR review notifications to matrix (go-gitea#21319)
  Show private data in feeds (go-gitea#21369)
  Add nicer error handling on template compile errors (go-gitea#21350)
  Fix some typos and update db transaction demo in backend guideline (go-gitea#21322)
  Refactor parseTreeEntries, speed up tree list (go-gitea#21368)
  Add GET and DELETE endpoints for Docker blob uploads (go-gitea#21367)
  Make external issue tracker regexp configurable via API (go-gitea#21338)
  Add new CSS variables --color-accent and --color-small-accent (go-gitea#21305)
  Set SemverCompatible to false for Conan packages (go-gitea#21275)
  Parse OAuth Authorization header when request omits client secret (go-gitea#21351)
  Disable Firefox E2E tests (go-gitea#21363)
  Add redirect of /upgrade/ to /upgrade-from-gitea/ on docs site (go-gitea#21330)
  Update to go-enry v2.8.3 (go-gitea#21360)
  Update go to 1.19 (go-gitea#21361)
  SessionUser protection against nil pointer dereference (go-gitea#21358)
  Fix and improve incorrect error messages (go-gitea#21342)
  Fix default theme-auto selector when nologin (go-gitea#21346)
  Add `stat` to `ToCommit` function for speed (go-gitea#21337)
  Fix typo in API comment document (go-gitea#21347)
  Update comment about repository.DISABLED_REPO_UNITS in app.example.ini (go-gitea#21343)
  ...
wxiaoguang added a commit that referenced this pull request Oct 8, 2022
…1351) (#21374)

Backport #21351

This fixes error "unauthorized_client: invalid client secret" when
client includes secret in Authorization header rather than request body.
OAuth spec permits both:
https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1

Clients in possession of a client password MAY use the HTTP Basic
authentication scheme ... Alternatively, the authorization server MAY
support including the client credentials in the request-body

Sanity validation that client id and client secret in request are
consistent with Authorization header.

Improve error descriptions. Error codes remain the same.

Co-authored-by: wxiaoguang <[email protected]>
Co-authored-by: zeripath <[email protected]>
@6543 6543 added the backport/done All backports for this PR have been created label Oct 15, 2022
tyroneyeh added a commit to tyroneyeh/gitea that referenced this pull request Oct 24, 2022
…-gitea#21351) (go-gitea#21374)

Backport go-gitea#21351

This fixes error "unauthorized_client: invalid client secret" when
client includes secret in Authorization header rather than request body.
OAuth spec permits both:
https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1

Clients in possession of a client password MAY use the HTTP Basic
authentication scheme ... Alternatively, the authorization server MAY
support including the client credentials in the request-body

Sanity validation that client id and client secret in request are
consistent with Authorization header.

Improve error descriptions. Error codes remain the same.

Co-authored-by: wxiaoguang <[email protected]>
Co-authored-by: zeripath <[email protected]>
@go-gitea go-gitea locked and limited conversation to collaborators May 3, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
backport/done All backports for this PR have been created lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. type/bug
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants