Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cannot disable pre-registered OAuth2 applications #29074

Closed
Adrian-Hirt opened this issue Feb 7, 2024 · 1 comment · Fixed by #30304
Closed

Cannot disable pre-registered OAuth2 applications #29074

Adrian-Hirt opened this issue Feb 7, 2024 · 1 comment · Fixed by #30304
Labels
type/proposal The new feature has not been accepted yet but needs to be discussed first.
Milestone
1.22.0

Comments

@Adrian-Hirt
Copy link
Contributor

Description

In #26291, pre-registered OAuth applications were added to gitea.

In my case, we would like to disable them (or rather OAuth2 capabilities in general), but this does not seem to be possible.

A) If I set DEFAULT_APPLICATIONS to an empty value, it will be ignored and both of the pre-configured applications will be enabled. Setting the config value to any other option will raise an error on startup, as there is no pre-configured application with that name. Am I missing something here? Setting this setting to an empty value probably should disable all the pre-configured applications, right?

B) In addition, setting ENABLE = false in the [oauth2] section in app.ini has no effect. It's not possible to view OAuth2 applications, but it's still possible to use the pre-defined applications to log-in, e.g. when using git-credential-manager. I'd expect the OAuth2 login endpoint to be completely disabled if the setting ENABLE is set to false, i.e. if this is set to false, logging-in with OAuth2 should be completely disabled, also for the predefined applications.

How to reproduce:

For A):

  • Set DEFAULT_APPLICATIONS = in [oauth2] section in app.ini
  • Set ENABLE = true in [oauth2] section in app.ini
  • Start webserver
  • Navigate to Admin Settings > Applications

Expected behaviour:

  • No pre-configured applications are listed

Observed behaviour:

  • Both git-credential-manager as well as git-credential-oauth applications are present

For B):

  • Set ENABLE = false in [oauth2] section in app.ini
  • Start webserver
  • Start an OAuth request from git-credential-manager, e.g. by cloning a repo via HTTPS

Expected behaviour:

  • The Authorization request should be rejected by gitea, as OAuth2 is disabled

Observed behaviour:

  • The Authorization request works equal to the case where ENABLE is set to true

Please let me know if you need any other info. I greatly appreciate the work done here, and I can just block these requests on the reverse proxy, but I still wanted to bring this issue to attention. Have a nice day!

Gitea Version

v1.21.5

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

https://gist.github.com/Adrian-Hirt/0f1c5a26892018ac90a04f6aa1f5a4c0

Screenshots

No response

Git Version

No response

Operating System

Fedora 37

How are you running Gitea?

I'm running the binary from the download page.

Database

MySQL/MariaDB
@lunny lunny added type/proposal The new feature has not been accepted yet but needs to be discussed first. and removed type/bug labels Feb 7, 2024
@wxiaoguang wxiaoguang mentioned this issue Apr 6, 2024
Merged
@wxiaoguang
Copy link
Contributor

-> Fix oauth2 builtin application logic #30304

@wxiaoguang wxiaoguang added this to the 1.22.0 milestone Apr 7, 2024
lunny pushed a commit that referenced this issue Apr 8, 2024
@wxiaoguang
Fix oauth2 builtin application logic (#30304)
074a3e0 
Fix #29074 (allow to disable all builtin apps) and don't make the doctor
command remove the builtin apps.

By the way, rename refobject and joincond to camel case.
GiteaBot pushed a commit to GiteaBot/gitea that referenced this issue Apr 8, 2024
@wxiaoguang @GiteaBot
Fix oauth2 builtin application logic (go-gitea#30304)
65fcf2f 
Fix go-gitea#29074 (allow to disable all builtin apps) and don't make the doctor
command remove the builtin apps.

By the way, rename refobject and joincond to camel case.
@GiteaBot GiteaBot mentioned this issue Apr 8, 2024
Merged
wxiaoguang added a commit that referenced this issue Apr 8, 2024
@GiteaBot @wxiaoguang
Fix oauth2 builtin application logic (#30304) (#30327)
c541616 
Backport #30304 by wxiaoguang

Fix #29074 (allow to disable all builtin apps) and don't make the doctor
command remove the builtin apps.

By the way, rename refobject and joincond to camel case.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
AvengerMoJo pushed a commit to AvengerMoJo/gitea that referenced this issue Apr 8, 2024
@wxiaoguang @AvengerMoJo
Fix oauth2 builtin application logic (go-gitea#30304)
fdb29a6 
Fix go-gitea#29074 (allow to disable all builtin apps) and don't make the doctor
command remove the builtin apps.

By the way, rename refobject and joincond to camel case.
@go-gitea go-gitea locked as resolved and limited conversation to collaborators Jul 7, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
type/proposal The new feature has not been accepted yet but needs to be discussed first.
Projects
None yet
Milestone
1.22.0
Development

Successfully merging a pull request may close this issue.

Fix oauth2 builtin application logic wxiaoguang/gitea
3 participants
@lunny @wxiaoguang @Adrian-Hirt