source.dussan.org Git - gitea.git/commit

author	Giteabot <teabot@gitea.io>
	Thu, 2 May 2024 19:06:32 +0000 (03:06 +0800)
committer	GitHub <noreply@github.com>
	Thu, 2 May 2024 19:06:32 +0000 (19:06 +0000)
commit	6d83f5eddc0f394f6386e80b86a3221f6f4925ff
tree	d73da19331ea574cc7bc5a2c63cd5a88ae17d182	tree \| snapshot
parent	665a06c41f39427e496fe3ecbb9d4bc59b2325c4	commit \| diff

Prevent automatic OAuth grants for public clients (#30790) (#30836)

Backport #30790 by archer-321

This commit forces the resource owner (user) to always approve OAuth 2.0
authorization requests if the client is public (e.g. native
applications).

As detailed in [RFC 6749 Section
10.2](https://www.rfc-editor.org/rfc/rfc6749.html#section-10.2),

> The authorization server SHOULD NOT process repeated authorization
requests automatically (without active resource owner interaction)
without authenticating the client or relying on other measures to ensure
that the repeated request comes from the original client and not an
impersonator.

With the implementation prior to this patch, attackers with access to
the redirect URI (e.g., the loopback interface for
`git-credential-oauth`) can get access to the user account without any
user interaction if they can redirect the user to the
`/login/oauth/authorize` endpoint somehow (e.g., with `xdg-open` on
Linux).

Fixes #25061.

Co-authored-by: Archer <archer@beezig.eu>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>