Prevent automatic OAuth grants for public clients #30790
Merged
Commits on Apr 30, 2024
-
Prevent automatic OAuth grants for public clients
As detailed in Section 10.2 of RFC 6749 (The OAuth 2.0 Authorization Framework): > The authorization server SHOULD NOT process repeated authorization > requests automatically (without active resource owner interaction) > without authenticating the client [...]. Prior to this commit, Gitea would automatically issue authorization codes if the user previously granted access to the specific client. Especially with pre-registered OAuth clients using loopback interface redirects (like `git-credential-oauth`), this makes it possible for malicious applications with access to the same loopback interface and the ability to open a URL using the user's browser to impersonate public clients and get access to the user's account without manual interaction. This patch simply introduces an additional condition that prevents automatic grants if the application is not confidential.
Commits on May 2, 2024
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.