Integrate OAuth2 Provider #5378

Merged
merged 92 commits into from Mar 8, 2019

Conversation

jonasfranz (Member) commented Nov 22, 2018

I'm currently integrating an OAuth2 Provider in Gitea. I'm using RFC 6749 as a model. Currently only the Authorization Code Flow gets implemented due to security concerns for the other flows. I also plan to implement the PKCE Extension to support mobile and "serverless" clients.

Scopes are not part of this PR and will be integrated once scopes are implemented in general.

I'm open to contributions and feedback. The current code is not final and is absolutely subject to change.

Resolves #27.

TODO:

  • Database Structure
  • Authorization Endpoint
  • Access Token Endpoint
  • Access Token validation (middleware)
  • Refresh Tokens
  • PKCE
  • Application Settings UI
  • Authorize UI (just basic UI, @kolaente will improve it)
  • Well known routes will be implemented in another PR
  • Tests, Tests, Tests, Tests
  • ....
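Server-side PKCE verification of the kind the description says is planned, as an added Go example that is not code from this PR or from Gitea. Function and type names are assumed; the sample verifier and its expected challenge are the ones given in RFC 7636 Appendix B.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"regexp"
)

// code_verifier must be 43..128 unreserved characters (RFC 7636 section 4.1).
var verifierRe = regexp.MustCompile(`^[A-Za-z0-9._~-]{43,128}$`)

// CodeChallengeS256 computes BASE64URL(SHA256(verifier)) without padding
// (RFC 7636 section 4.2), the value the client sends with the authorize request.
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyPKCE checks the code_verifier presented at the token endpoint against
// the code_challenge stored with the authorization grant. Only S256 is accepted:
// "plain" gives no protection if the authorization code is intercepted, so a
// server that wants PKCE to mean something should refuse it. (Assumed helper.)
func VerifyPKCE(method, storedChallenge, verifier string) bool {
	if method != "S256" || storedChallenge == "" {
		return false
	}
	if !verifierRe.MatchString(verifier) {
		return false
	}
	expected := CodeChallengeS256(verifier)
	// Constant-time compare so the check does not leak how much of the
	// challenge matched.
	return subtle.ConstantTimeCompare([]byte(expected), []byte(storedChallenge)) == 1
}

func main() {
	// Sample verifier from RFC 7636 Appendix B (not a secret; for illustration).
	v := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
	c := CodeChallengeS256(v)
	fmt.Println(c, VerifyPKCE("S256", c, v))
}
```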

jonasfranz and others added some commits Nov 12, 2018

Add oauth2 application
Signed-off-by: Jonas Franz <info@jonasfranz.software>
Add grant and redirection
Signed-off-by: Jonas Franz <info@jonasfranz.software>

@jonasfranz jonasfranz added this to the 1.x.x milestone Nov 22, 2018

@jonasfranz jonasfranz requested review from lunny and kolaente and removed request for lunny and kolaente Nov 22, 2018


jonasfranz added some commits Nov 24, 2018

Add copyright headers
Reorder imports
Add missing lint comments
Other minor changes

Signed-off-by: Jonas Franz <info@jonasfranz.software>
Add access token cleanup cronjob
Add documentation for lifetime

Signed-off-by: Jonas Franz <info@jonasfranz.software>

jonasfranz added some commits Dec 21, 2018

Merge branch 'master' of https://github.com/go-gitea/gitea into feature/oauth2

Signed-off-by: Jonas Franz <info@jonasfranz.software>

# Conflicts:
#	Gopkg.lock
Use JWT tokens instead of "access tokens"
Signed-off-by: Jonas Franz <info@jonasfranz.software>
Fix some lint and documentation problems
Signed-off-by: Jonas Franz <info@jonasfranz.software>
jonasfranz (Member Author) commented Dec 22, 2018

@filipnavara @lafriks I've reworked the access token system.

  • Access and refresh tokens are now JWTs
  • Access tokens have a limited lifetime of 3600s (defined in config)
  • Refresh tokens have a lifetime of ~1 month (defined in config)

An additional access token middleware must be added to the API but is not implemented yet.

Fix misspells
Signed-off-by: Jonas Franz <info@jonasfranz.software>

@jonasfranz jonasfranz requested review from lunny and lafriks Mar 1, 2019

lunny (Member) commented Mar 2, 2019

The authorize page below needs some space between the head and the dialog.

And the redirectURI check is too restrictive. I think app.ContainsRedirectURI should at least allow URL queries, and supporting subpaths would be better. See https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/#redirect-urls: when the redirect URI in the application setting is http://example.com/path, then http://example.com/path?abc and http://example.com/path/subdir/other should be OK, but currently they are not.

lunny (Member) commented Mar 2, 2019

jonasfranz (Member Author) commented Mar 5, 2019

@lunny I would suggest matching the whole URL as recommended here: https://www.oauth.com/oauth2-servers/redirect-uris/redirect-uri-validation/
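The exact-match policy jonasfranz points to, written out as an added Go example that is not Gitea's code: the Application type and this ContainsRedirectURI are an illustration of the rule, not the PR's implementation, and the registered URI and test values are the ones from the discussion above.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Application stands in for the OAuth2 application model (assumed shape).
type Application struct {
	RedirectURIs []string
}

// normalize parses a redirect URI and re-renders it canonically so that trivially
// different spellings (upper-case scheme or host, missing "/" path) compare equal,
// while any path, query or fragment difference does not. Relative values are refused.
func normalize(raw string) (string, bool) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return "", false
	}
	u.Scheme = strings.ToLower(u.Scheme)
	u.Host = strings.ToLower(u.Host)
	if u.Path == "" {
		u.Path = "/"
	}
	return u.String(), true
}

// ContainsRedirectURI applies the exact-match rule: the requested URI must equal
// one registered URI in full. Subpaths and extra query parameters are rejected,
// since a prefix rule would let the authorization code be delivered to any page
// served below the registered prefix rather than only the client's callback.
func (app *Application) ContainsRedirectURI(redirectURI string) bool {
	want, ok := normalize(redirectURI)
	if !ok {
		return false
	}
	for _, registered := range app.RedirectURIs {
		if got, ok := normalize(registered); ok && got == want {
			return true
		}
	}
	return false
}

func main() {
	app := &Application{RedirectURIs: []string{"http://example.com/path"}}
	for _, u := range []string{"http://example.com/path", "http://example.com/path?abc", "http://example.com/path/subdir/other"} {
		fmt.Println(u, app.ContainsRedirectURI(u))
	}
}
```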

jonasfranz added some commits Mar 5, 2019

jonasfranz (Member Author) commented Mar 5, 2019

@lunny Did you reload your cache before visiting the authorize page? I do indeed have a padding-top in Chromium and Firefox.

Merge branch 'master' of https://github.com/go-gitea/gitea into feature/oauth2

# Conflicts:
#	public/css/index.css

@jonasfranz jonasfranz requested a review from lunny Mar 5, 2019

lunny (Member) commented Mar 5, 2019

@jonasfranz I think you are right, that's my Chrome cache problem. CI has failed, otherwise LGTM.

@GiteaBot GiteaBot added lgtm/done and removed lgtm/need 1 labels Mar 5, 2019

lunny approved these changes Mar 5, 2019

techknowlogick added some commits Mar 8, 2019

db session has been resolved

techknowlogick (Member) commented Mar 8, 2019

make LG-TM work

@techknowlogick techknowlogick merged commit e777c6b into go-gitea:master Mar 8, 2019

2 checks passed

approvals/lgtm this commit looks good
continuous-integration/drone/pr the build was successful

techknowlogick (Member) commented Mar 8, 2019

Thanks @jonasfranz!!!

jolheiser (Member) commented Mar 8, 2019

🎉

0x5c (Contributor) commented Mar 8, 2019

Awesome! \o/

skddc commented Mar 9, 2019

applause

Mikescher added a commit to Mikescher/gitea that referenced this pull request Mar 20, 2019
