source.dussan.org Git - gitea.git/commit
Parse OAuth Authorization header when request omits client secret (#21351) (#21374)
author: M Hickford <mirth.hickford@gmail.com>
Sat, 8 Oct 2022 08:53:17 +0000 (09:53 +0100)
committer: GitHub <noreply@github.com>
Sat, 8 Oct 2022 08:53:17 +0000 (16:53 +0800)
commit: 14bc4d79c1bf1826aab50a8947ab72414202b28a
tree: af682fc95c2ab029a328487e15adeece2dbe4350
parent: 672d54fafa5c5a805886b4125daca8ba1d490af9
Parse OAuth Authorization header when request omits client secret (#21351) (#21374)

Backport #21351

This fixes the error "unauthorized_client: invalid client secret" when the
client includes the secret in the Authorization header rather than the request body.
The OAuth spec permits both:
https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1

Clients in possession of a client password MAY use the HTTP Basic
authentication scheme ... Alternatively, the authorization server MAY
support including the client credentials in the request-body

Sanity validation that client id and client secret in request are
consistent with Authorization header.

Improve error descriptions. Error codes remain the same.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: zeripath <art27@cantab.net>
routers/web/auth/oauth.go
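The behaviour the commit message describes (accept client credentials from either the HTTP Basic Authorization header or the request body, and reject requests where the two disagree) can be illustrated with the following Go example. This is an added example written for this page, not Gitea's code from routers/web/auth/oauth.go; the function names, the error values and the sample request helper are assumptions. It follows RFC 6749 section 2.3.1, which form-urlencodes the client id and secret before Basic-encoding them, so a secret containing ":" survives the round trip.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// ClientCredentials is the client_id / client_secret pair a token request presented.
type ClientCredentials struct {
	ID     string
	Secret string
}

// Sentinel errors; an authorization server would map these to OAuth error codes
// (e.g. invalid_client / unauthorized_client) in its JSON error response.
var (
	ErrMissingCredentials  = errors.New("no client credentials in Authorization header or request body")
	ErrCredentialsMismatch = errors.New("client credentials in Authorization header and request body disagree")
	ErrMalformedBasic      = errors.New("client credentials in Authorization header are not form-urlencoded")
)

// ParseClientCredentials returns the client credentials of an OAuth token request.
// RFC 6749 section 2.3.1 lets the client send them as HTTP Basic authentication or
// in the request body; when both are present they must describe the same client.
func ParseClientCredentials(r *http.Request) (ClientCredentials, error) {
	var fromHeader, fromBody ClientCredentials
	var haveHeader, haveBody bool

	// Basic auth: the user-id and password are application/x-www-form-urlencoded
	// before base64 encoding, so undo that encoding after splitting on ':'.
	if id, secret, ok := r.BasicAuth(); ok {
		uid, err1 := url.QueryUnescape(id)
		usecret, err2 := url.QueryUnescape(secret)
		if err1 != nil || err2 != nil {
			return ClientCredentials{}, ErrMalformedBasic
		}
		fromHeader = ClientCredentials{ID: uid, Secret: usecret}
		haveHeader = true
	}

	// Request body: client_id / client_secret form fields (PostForm ignores query params).
	if err := r.ParseForm(); err != nil {
		return ClientCredentials{}, err
	}
	if id, secret := r.PostForm.Get("client_id"), r.PostForm.Get("client_secret"); id != "" || secret != "" {
		fromBody = ClientCredentials{ID: id, Secret: secret}
		haveBody = true
	}

	switch {
	case haveHeader && haveBody:
		// Sanity check: any value supplied in the body must agree with the header.
		if (fromBody.ID != "" && fromBody.ID != fromHeader.ID) ||
			(fromBody.Secret != "" && fromBody.Secret != fromHeader.Secret) {
			return ClientCredentials{}, ErrCredentialsMismatch
		}
		return fromHeader, nil
	case haveHeader:
		return fromHeader, nil
	case haveBody:
		return fromBody, nil
	default:
		return ClientCredentials{}, ErrMissingCredentials
	}
}

// NewTokenRequest builds a constructed sample POST to a token endpoint for testing.
// An empty basicID means "no Authorization header".
func NewTokenRequest(form map[string]string, basicID, basicSecret string) *http.Request {
	values := url.Values{}
	for k, v := range form {
		values.Set(k, v)
	}
	r, err := http.NewRequest(http.MethodPost, "/login/oauth/access_token", strings.NewReader(values.Encode()))
	if err != nil {
		panic(err)
	}
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if basicID != "" {
		// RFC 6749 section 2.3.1: form-urlencode before Basic-encoding.
		r.SetBasicAuth(url.QueryEscape(basicID), url.QueryEscape(basicSecret))
	}
	return r
}

func main() {
	// Header carries the secret, body carries only the grant parameters: accepted.
	r := NewTokenRequest(map[string]string{"grant_type": "authorization_code", "code": "abc"}, "app1", "p@ss:word")
	fmt.Println(ParseClientCredentials(r))

	// Body disagrees with header on the secret: rejected.
	r = NewTokenRequest(map[string]string{"client_id": "app1", "client_secret": "other"}, "app1", "p@ss:word")
	fmt.Println(ParseClientCredentials(r))
}
```

The header wins as the source of truth when both are present, and the body is only checked for agreement, so a client that sends the secret exclusively via Basic auth (the case the commit fixes) no longer fails with an "invalid client secret" error.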