From e8bc0f8e533bdc52559f4e86bccf57a13478d966 Mon Sep 17 00:00:00 2001
From: Archer
Date: Tue, 30 Apr 2024 21:20:43 +0200
Subject: [PATCH] Prevent automatic OAuth grants for public clients

As detailed in Section 10.2 of RFC 6749 (The OAuth 2.0 Authorization Framework):

> The authorization server SHOULD NOT process repeated authorization
> requests automatically (without active resource owner interaction)
> without authenticating the client [...].

Prior to this commit, Gitea would automatically issue authorization codes if the user previously granted access to the specific client. Especially with pre-registered OAuth clients using loopback interface redirects (like `git-credential-oauth`), this makes it possible for malicious applications with access to the same loopback interface and the ability to open a URL using the user's browser to impersonate public clients and get access to the user's account without manual interaction. This patch simply introduces an additional condition that prevents automatic grants if the application is not confidential.
---
 routers/web/auth/oauth.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
index c9cb7859cd83..354e70bcbfff 100644
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@@ -470,8 +470,9 @@ func AuthorizeOAuth(ctx *context.Context) {
 return
 }
- // Redirect if user already granted access
- if grant != nil {
+ // Redirect if user already granted access and the application is confidential.
+ // I.e. always require authorization for public clients as recommended by RFC 6749 Section 10.2
+ if app.ConfidentialClient && grant != nil {
 code, err := grant.GenerateNewAuthorizationCode(ctx, form.RedirectURI, form.CodeChallenge, form.CodeChallengeMethod)
 if err != nil {
 handleServerError(ctx, form.State, form.RedirectURI)