Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Parse OAuth Authorization header when request omits client secret (go…
…-gitea#21351) (go-gitea#21374) Backport go-gitea#21351 This fixes error "unauthorized_client: invalid client secret" when client includes secret in Authorization header rather than request body. OAuth spec permits both: https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1 Clients in possession of a client password MAY use the HTTP Basic authentication scheme ... Alternatively, the authorization server MAY support including the client credentials in the request-body Sanity validation that client id and client secret in request are consistent with Authorization header. Improve error descriptions. Error codes remain the same. Co-authored-by: wxiaoguang <[email protected]> Co-authored-by: zeripath <[email protected]>
- Loading branch information