forgejo/modules
M Hickford 191a74d622
Record OAuth client type at registration (#21316)
The OAuth spec [defines two types of
client](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1),
confidential and public. Previously Gitea assumed all clients to be
confidential.

> OAuth defines two client types, based on their ability to authenticate
> securely with the authorization server (i.e., ability to
> maintain the confidentiality of their client credentials):
>
> confidential
> Clients capable of maintaining the confidentiality of their
> credentials (e.g., client implemented on a secure server with
> restricted access to the client credentials), or capable of secure
> client authentication using other means.
>
> **public
> Clients incapable of maintaining the confidentiality of their
> credentials (e.g., clients executing on the device used by the resource
> owner, such as an installed native application or a web browser-based
> application), and incapable of secure client authentication via any
> other means.**
>
> The client type designation is based on the authorization server's
> definition of secure authentication and its acceptable exposure levels
> of client credentials. The authorization server SHOULD NOT make
> assumptions about the client type.

https://datatracker.ietf.org/doc/html/rfc8252#section-8.4

> Authorization servers MUST record the client type in the client
> registration details in order to identify and process requests
> accordingly.

Require PKCE for public clients:
https://datatracker.ietf.org/doc/html/rfc8252#section-8.1

> Authorization servers SHOULD reject authorization requests from native
> apps that don't use PKCE by returning an error message

Fixes #21299

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-24 15:59:24 +08:00
activitypub Refactor AssertExistsAndLoadBean to use generics (#20797) 2022-08-16 10:22:25 +08:00
analyze
auth
avatar Go 1.19 format (#20758) 2022-08-30 21:15:45 -05:00
base Add generic set type (#21408) 2022-10-12 13:18:26 +08:00
cache
charset Move go-licenses to generate and separate generate into a frontend and backend component (#21061) 2022-09-05 14:04:18 +08:00
container Add generic set type (#21408) 2022-10-12 13:18:26 +08:00
context Redirect to new repository owner (#21398) 2022-10-11 19:54:44 +08:00
convert Record OAuth client type at registration (#21316) 2022-10-24 15:59:24 +08:00
csv Go 1.19 format (#20758) 2022-08-30 21:15:45 -05:00
doctor Refactor git command arguments and make all arguments to be safe to be used (#21535) 2022-10-23 22:44:45 +08:00
emoji Go 1.19 format (#20758) 2022-08-30 21:15:45 -05:00
eventsource Move some files into models' sub packages (#20262) 2022-08-25 10:31:57 +08:00
generate
git Refactor git command arguments and make all arguments to be safe to be used (#21535) 2022-10-23 22:44:45 +08:00
gitgraph Refactor git command arguments and make all arguments to be safe to be used (#21535) 2022-10-23 22:44:45 +08:00
graceful Support Proxy protocol (#12527) 2022-08-21 19:20:43 +01:00
hcaptcha
highlight Upgrade chroma to v2.3.0 (#21259) 2022-09-26 13:50:03 +08:00
hostmatcher Add proxy host into allow list (#20798) 2022-08-16 20:15:54 -04:00
httpcache
httplib
indexer Refactor git command arguments and make all arguments to be safe to be used (#21535) 2022-10-23 22:44:45 +08:00
issue/template Add generic set type (#21408) 2022-10-12 13:18:26 +08:00
json
lfs
log test: use T.TempDir to create temporary test directory (#21043) 2022-09-04 16:14:53 +01:00
markup Add link to user profile in markdown mention only if user exists (#21533) 2022-10-23 01:15:52 +08:00
mcaptcha
metrics Move some files into models' sub packages (#20262) 2022-08-25 10:31:57 +08:00
migration Add more checks in migration code (#21011) 2022-09-04 13:47:56 +03:00
mirror
nosql fix broken insecureskipverify handling in rediss connection uris (#20967) 2022-08-29 16:38:49 +02:00
notification Decouple HookTask from Repository (#17940) 2022-10-21 18:21:56 +02:00
options Fix and improve incorrect error messages (#21342) 2022-10-06 07:00:54 +01:00
packages Add support for Chocolatey/NuGet v2 API (#21393) 2022-10-13 18:19:39 +08:00
paginator Remove unnecessary misspell ignore pattern (#21475) 2022-10-18 12:52:25 -04:00
password
pprof Go 1.19 format (#20758) 2022-08-30 21:15:45 -05:00
private log real ip of requests from ssh (#21216) 2022-10-11 16:57:37 +08:00
process
proxy
proxyprotocol Support Proxy protocol (#12527) 2022-08-21 19:20:43 +01:00
public Add generic set type (#21408) 2022-10-12 13:18:26 +08:00
queue Add generic set type (#21408) 2022-10-12 13:18:26 +08:00
recaptcha
references Remove unnecessary misspell ignore pattern (#21475) 2022-10-18 12:52:25 -04:00
regexplru
repository Refactor git command arguments and make all arguments to be safe to be used (#21535) 2022-10-23 22:44:45 +08:00
secret
session
setting Add system setting table with cache and also add cache supports for user setting (#18058) 2022-10-17 07:29:26 +08:00
sitemap
ssh Support Proxy protocol (#12527) 2022-08-21 19:20:43 +01:00
storage Save files in local storage as umask (#21198) 2022-09-24 21:04:14 +08:00
structs Record OAuth client type at registration (#21316) 2022-10-24 15:59:24 +08:00
svg
sync Add generic set type (#21408) 2022-10-12 13:18:26 +08:00
system Add system setting table with cache and also add cache supports for user setting (#18058) 2022-10-17 07:29:26 +08:00
templates Fix generating compare link (#21519) 2022-10-21 16:39:26 +08:00
test Refactor AssertExistsAndLoadBean to use generics (#20797) 2022-08-16 10:22:25 +08:00
timeutil Share HTML template renderers and create a watcher framework (#20218) 2022-08-28 10:43:25 +01:00
translation Make every not exist error unwrappable to a fs.ErrNotExist (#20891) 2022-10-18 07:50:37 +02:00
typesniffer
updatechecker Add system setting table with cache and also add cache supports for user setting (#18058) 2022-10-17 07:29:26 +08:00
upload
uri
user
util Make every not exist error unwrappable to a fs.ErrNotExist (#20891) 2022-10-18 07:50:37 +02:00
validation Add more checks in migration code (#21011) 2022-09-04 13:47:56 +03:00
watcher Share HTML template renderers and create a watcher framework (#20218) 2022-08-28 10:43:25 +01:00
web refactor webhook *NewPost (#20729) 2022-08-11 17:48:23 +02:00