I'm currently integrating an OAuth2 Provider in Gitea. I'm using RFC 6749 as a model. Currently only the Authorization Code Flow is being implemented, due to security concerns about the other flows. I also plan to implement the PKCE Extension to support mobile and "serverless" clients.
Scopes are not part of this PR and will be integrated once scopes are implemented in general.
I'm open to contributions and feedback. The current code is not final and is absolutely subject to change.
An additional access token middleware must be added to the API but is not implemented yet.