
Require authentication for OAuth token refresh #21421

Merged
merged 7 commits into from
Oct 23, 2022

Conversation

hickford
Contributor

@hickford hickford commented Oct 12, 2022

According to the OAuth spec https://datatracker.ietf.org/doc/html/rfc6749#section-6, when "Refreshing an Access Token":

"The authorization server MUST ... require client authentication for confidential clients"

Fixes #21418
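The requirement quoted above is easy to get wrong: a refresh handler that only validates the refresh token lets anyone who has captured that token mint new access tokens, with the client secret never coming into play. The following is an added Go example written for this page, not Gitea's own code from this PR. It shows the check a token endpoint should perform on a refresh_token grant: identify the client (HTTP Basic per RFC 6749 section 2.3.1, or client_id/client_secret in the form body), and, if the client is confidential, reject the request unless the secret matches. The Client type, the in-memory clients map, the /login/oauth/access_token path and all secrets and tokens are assumptions constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Client is a registered OAuth client (hypothetical type, not Gitea's model).
// Confidential clients (server-side web apps) hold a secret; public clients
// (native or browser apps) cannot keep one and are not issued a secret.
type Client struct {
	ID           string
	Secret       string
	Confidential bool
}

// ErrClientAuth maps to the RFC 6749 "invalid_client" error response.
var ErrClientAuth = errors.New("invalid_client")

// clientCredentials reads client_id/client_secret from the token request,
// preferring the HTTP Basic scheme (RFC 6749 section 2.3.1) and falling back
// to the form-encoded body parameters.
func clientCredentials(r *http.Request) (string, string) {
	if id, secret, ok := r.BasicAuth(); ok {
		return id, secret
	}
	return r.PostFormValue("client_id"), r.PostFormValue("client_secret")
}

// AuthenticateRefresh enforces RFC 6749 section 6: a refresh_token grant from
// a confidential client is rejected unless it carries valid client credentials.
// Public clients must still send client_id so the refresh token can later be
// checked against the client it was issued to (not shown here).
func AuthenticateRefresh(r *http.Request, clients map[string]*Client) (*Client, error) {
	if err := r.ParseForm(); err != nil {
		return nil, err
	}
	if r.PostFormValue("grant_type") != "refresh_token" {
		return nil, errors.New("unsupported_grant_type")
	}
	id, secret := clientCredentials(r)
	c, ok := clients[id]
	if !ok {
		return nil, ErrClientAuth
	}
	// Missing or wrong secret: constant-time compare avoids leaking how many
	// leading bytes matched. Different lengths compare as unequal.
	if c.Confidential && subtle.ConstantTimeCompare([]byte(secret), []byte(c.Secret)) != 1 {
		return nil, ErrClientAuth
	}
	return c, nil
}

// refreshRequest builds a constructed refresh_token request; credentials go in
// the Authorization header when useBasic is set, otherwise in the form body.
func refreshRequest(clientID, clientSecret string, useBasic bool) *http.Request {
	form := url.Values{"grant_type": {"refresh_token"}, "refresh_token": {"constructed-token"}}
	if !useBasic {
		form.Set("client_id", clientID)
		if clientSecret != "" {
			form.Set("client_secret", clientSecret)
		}
	}
	r := httptest.NewRequest(http.MethodPost, "/login/oauth/access_token", strings.NewReader(form.Encode()))
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if useBasic {
		r.SetBasicAuth(clientID, clientSecret)
	}
	return r
}

func main() {
	clients := map[string]*Client{
		"web-app": {ID: "web-app", Secret: "constructed-secret", Confidential: true},
		"cli":     {ID: "cli", Confidential: false},
	}
	cases := []struct {
		name string
		req  *http.Request
	}{
		{"confidential, no secret", refreshRequest("web-app", "", false)},
		{"confidential, wrong secret", refreshRequest("web-app", "guess", true)},
		{"confidential, correct secret", refreshRequest("web-app", "constructed-secret", true)},
		{"public client", refreshRequest("cli", "", false)},
	}
	for _, tc := range cases {
		_, err := AuthenticateRefresh(tc.req, clients)
		fmt.Printf("%-30s -> err=%v\n", tc.name, err)
	}
}
```

The decisive line is the `c.Confidential` branch: before this PR's change the handler behaved as if every client were public, so a leaked refresh token alone was enough. Rejecting with the generic invalid_client error for unknown clients, missing secrets and wrong secrets alike keeps the endpoint from revealing which client IDs are registered.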

@hickford hickford force-pushed the oauth-authenticate-refresh branch 2 times, most recently from 6b5edf7 to b18216c Compare October 12, 2022 20:20
@hickford hickford marked this pull request as ready for review October 12, 2022 20:20
Review thread on routers/web/auth/oauth.go (outdated, resolved)
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Oct 14, 2022
@hickford hickford requested a review from Gusted October 21, 2022 14:57
@Gusted Gusted added this to the 1.18.0 milestone Oct 22, 2022
@Gusted Gusted added the type/enhancement An improvement of existing functionality label Oct 22, 2022
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Oct 22, 2022
@Gusted Gusted added lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. backport/v1.17 and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Oct 22, 2022
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Oct 22, 2022
@lunny
Member

lunny commented Oct 23, 2022

make L-G-T-M work

@lunny lunny merged commit afebbf2 into go-gitea:main Oct 23, 2022
@lunny
Member

lunny commented Oct 24, 2022

Please send backport.

zjjhot added a commit to zjjhot/gitea that referenced this pull request Oct 24, 2022
* upstream/main:
  adapt README_{Country}.md stype name in localizedExtensions (go-gitea#21486)
  dump: Add option to skip index dirs (go-gitea#21501)
  Use recommended vscode configuration in gitpod environments (go-gitea#21537)
  Expand "Go to File" button again, fix 'Add File' margin (go-gitea#21543)
  Add yardenshoham to maintainers (go-gitea#21566)
  Refactor git command arguments and make all arguments to be safe to be used (go-gitea#21535)
  Update binding to fix bugs (go-gitea#21556)
  Link mentioned user in markdown only if they are visible to viewer (go-gitea#21554)
  Require authentication for OAuth token refresh (go-gitea#21421)
  CSS color enhancements (go-gitea#21534)
  Allow package version sorting (go-gitea#21453)
  Add link to user profile in markdown mention only if user exists (go-gitea#21533)
  Update milestone counters when issue is deleted (go-gitea#21459)
  Prevent Authorization header for presigned LFS urls (go-gitea#21531)
  Remove deleted repos from searchresult (go-gitea#21512)
  Remove unnecessary debug log (go-gitea#21536)
  Added check for disabled Packages (go-gitea#21540)
  Decouple HookTask from Repository (go-gitea#17940)
  Add color previews in markdown (go-gitea#21474)
  Fix generating compare link (go-gitea#21519)
@go-gitea go-gitea locked and limited conversation to collaborators May 3, 2023
Successfully merging this pull request may close these issues.

OAuth refresh handler should require client authentication