Record OAuth client type at registration (#21316)

The OAuth spec [defines two types of client](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1), confidential and public. Previously Gitea assumed all clients to be confidential. > OAuth defines two client types, based on their ability to authenticate securely with the authorization server (i.e., ability to > maintain the confidentiality of their client credentials): > > confidential > Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with > restricted access to the client credentials), or capable of secure client authentication using other means. > > **public > Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.** > > The client type designation is based on the authorization server's definition of secure authentication and its acceptable exposure levels of client credentials. The authorization server SHOULD NOT make assumptions about the client type. https://datatracker.ietf.org/doc/html/rfc8252#section-8.4 > Authorization servers MUST record the client type in the client registration details in order to identify and process requests accordingly. Require PKCE for public clients: https://datatracker.ietf.org/doc/html/rfc8252#section-8.1 > Authorization servers SHOULD reject authorization requests from native apps that don't use PKCE by returning an error message Fixes #21299 Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
author: M Hickford <mirth.hickford@gmail.com> 2022-10-24 09:59:24 +0200
committer: GitHub <noreply@github.com> 2022-10-24 15:59:24 +0800
commit: 191a74d62254ca00be2ccdf7e3afe69c0f9d6c12 (patch)
tree: 68ea1c1f73f2e82c199fc989131f2d23f7ada713 /modules
parent: e1ce45eabf25175d06472fadd01261548a48f1fd (diff)
download: gitea-191a74d62254ca00be2ccdf7e3afe69c0f9d6c12.tar.gz
gitea-191a74d62254ca00be2ccdf7e3afe69c0f9d6c12.zip
2 files changed, 17 insertions, 14 deletions
diff --git a/modules/convert/convert.go b/modules/convert/convert.go
index 187c67fa76..8c92bbb371 100644
--- a/modules/convert/convert.go
+++ b/modules/convert/convert.go
@@ -392,12 +392,13 @@ func ToTopicResponse(topic *repo_model.Topic) *api.TopicResponse {
 // ToOAuth2Application convert from auth.OAuth2Application to api.OAuth2Application
 func ToOAuth2Application(app *auth.OAuth2Application) *api.OAuth2Application {
 	return &api.OAuth2Application{
-		ID:           app.ID,
-		Name:         app.Name,
-		ClientID:     app.ClientID,
-		ClientSecret: app.ClientSecret,
-		RedirectURIs: app.RedirectURIs,
-		Created:      app.CreatedUnix.AsTime(),
+		ID:                 app.ID,
+		Name:               app.Name,
+		ClientID:           app.ClientID,
+		ClientSecret:       app.ClientSecret,
+		ConfidentialClient: app.ConfidentialClient,
+		RedirectURIs:       app.RedirectURIs,
+		Created:            app.CreatedUnix.AsTime(),
 	}
 }
 
diff --git a/modules/structs/user_app.go b/modules/structs/user_app.go
index 44df5a6a49..4cfa5538c8 100644
--- a/modules/structs/user_app.go
+++ b/modules/structs/user_app.go
@@ -30,19 +30,21 @@ type CreateAccessTokenOption struct {
 
 // CreateOAuth2ApplicationOptions holds options to create an oauth2 application
 type CreateOAuth2ApplicationOptions struct {
-	Name         string   `json:"name" binding:"Required"`
-	RedirectURIs []string `json:"redirect_uris" binding:"Required"`
+	Name               string   `json:"name" binding:"Required"`
+	ConfidentialClient bool     `json:"confidential_client"`
+	RedirectURIs       []string `json:"redirect_uris" binding:"Required"`
 }
 
 // OAuth2Application represents an OAuth2 application.
 // swagger:response OAuth2Application
 type OAuth2Application struct {
-	ID           int64     `json:"id"`
-	Name         string    `json:"name"`
-	ClientID     string    `json:"client_id"`
-	ClientSecret string    `json:"client_secret"`
-	RedirectURIs []string  `json:"redirect_uris"`
-	Created      time.Time `json:"created"`
+	ID                 int64     `json:"id"`
+	Name               string    `json:"name"`
+	ClientID           string    `json:"client_id"`
+	ClientSecret       string    `json:"client_secret"`
+	ConfidentialClient bool      `json:"confidential_client"`
+	RedirectURIs       []string  `json:"redirect_uris"`
+	Created            time.Time `json:"created"`
 }
 
 // OAuth2ApplicationList represents a list of OAuth2 applications.
author	M Hickford <mirth.hickford@gmail.com>	2022-10-24 09:59:24 +0200
committer	GitHub <noreply@github.com>	2022-10-24 15:59:24 +0800
commit	191a74d62254ca00be2ccdf7e3afe69c0f9d6c12 (patch)
tree	68ea1c1f73f2e82c199fc989131f2d23f7ada713 /modules
parent	e1ce45eabf25175d06472fadd01261548a48f1fd (diff)
download	gitea-191a74d62254ca00be2ccdf7e3afe69c0f9d6c12.tar.gz gitea-191a74d62254ca00be2ccdf7e3afe69c0f9d6c12.zip