source.dussan.org Git - gitea.git/commit

author	Shivaram Lingamneni <slingamn@cs.stanford.edu>
	Tue, 23 Jul 2024 12:43:03 +0000 (14:43 +0200)
committer	GitHub <noreply@github.com>
	Tue, 23 Jul 2024 12:43:03 +0000 (12:43 +0000)
commit	2f1cb1d28918fb19ff21e0a86bc9054a9fb56485
tree	3dae79eee17e13ef832bc56cd69ac56900671b7c	tree \| snapshot
parent	24f9390f349581e5beb74c54e1f0af1998c8be71	commit \| diff

fix OIDC introspection authentication (#31632)

See discussion on #31561 for some background.

The introspect endpoint was using the OIDC token itself for
authentication. This fixes it to use basic authentication with the
client ID and secret instead:

* Applications with a valid client ID and secret should be able to
  successfully introspect an invalid token, receiving a 200 response
  with JSON data that indicates the token is invalid
* Requests with an invalid client ID and secret should not be able
  to introspect, even if the token itself is valid

Unlike #31561 (which just future-proofed the current behavior against
future changes to `DISABLE_QUERY_AUTH_TOKEN`), this is a potential
compatibility break (some introspection requests without valid client
IDs that would previously succeed will now fail). Affected deployments
must begin sending a valid HTTP basic authentication header with their
introspection requests, with the username set to a valid client ID and
the password set to the corresponding client secret.

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD: https://github.com/go-gitea/gitea

RSS Atom

modules/base/tool.go		diff \| blob \| history
modules/base/tool_test.go		diff \| blob \| history
routers/web/auth/oauth.go		diff \| blob \| history
tests/integration/oauth_test.go		diff \| blob \| history