authorDenys Konovalov <kontakt@denyskon.de>2023-06-03 05:59:28 +0200
committerGitHub <noreply@github.com>2023-06-03 05:59:28 +0200
commit7d855efb1fe6b97c5d87492f67ed6aefd31b2474 (patch)
treef980b82bcbadeb8c6ed6c2fe13f540a838bc619b /tests/integration
parent7fca4056c424889488993e0226d6622e6b4fe098 (diff)
Allow for PKCE flow without client secret + add docs (#25033)
The PKCE flow according to [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636) allows for secure authorization without requiring the OAuth app to provide a client secret. It has been implemented in Gitea since #5378 (v1.8.0), however without the ability to omit the client secret. Since #21316 Gitea supports setting the client type at OAuth app registration. As public clients are already forced to use PKCE since #21316, in this PR the client secret check is skipped when a public client is detected. As Gitea appears to implement PKCE authorization correctly according to the spec, this allows for the PKCE flow without providing a client secret. Also add some docs for it; please check the language as I'm not a native English speaker. Closes #17107 Closes #25047
Diffstat (limited to 'tests/integration')
-rw-r--r--tests/integration/oauth_test.go23
1 files changed, 23 insertions, 0 deletions
diff --git a/tests/integration/oauth_test.go b/tests/integration/oauth_test.go
index 9649b256a9..e9b69f5f14 100644
--- a/tests/integration/oauth_test.go
+++ b/tests/integration/oauth_test.go
@@ -120,6 +120,29 @@ func TestAccessTokenExchange(t *testing.T) {
assert.True(t, len(parsed.RefreshToken) > 10)
}
+func TestAccessTokenExchangeWithPublicClient(t *testing.T) {
+ defer tests.PrepareTestEnv(t)()
+ req := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
+ "grant_type": "authorization_code",
+ "client_id": "ce5a1322-42a7-11ed-b878-0242ac120002",
+ "redirect_uri": "http://127.0.0.1",
+ "code": "authcodepublic",
+ "code_verifier": "N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt",
+ })
+ resp := MakeRequest(t, req, http.StatusOK)
+ type response struct {
+ AccessToken string `json:"access_token"`
+ TokenType string `json:"token_type"`
+ ExpiresIn int64 `json:"expires_in"`
+ RefreshToken string `json:"refresh_token"`
+ }
+ parsed := new(response)
+
+ assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), parsed))
+ assert.True(t, len(parsed.AccessToken) > 10)
+ assert.True(t, len(parsed.RefreshToken) > 10)
+}
+
func TestAccessTokenExchangeJSON(t *testing.T) {
defer tests.PrepareTestEnv(t)()
req := NewRequestWithJSON(t, "POST", "/login/oauth/access_token", map[string]string{