forked from gitea/gitea
gitea/routers/web/auth
M Hickford 14bc4d79c1
Parse OAuth Authorization header when request omits client secret (#21351) (#21374)
Backport #21351

This fixes the error "unauthorized_client: invalid client secret" when the
client includes the secret in the Authorization header rather than the request body.
The OAuth spec permits both:
https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1

Clients in possession of a client password MAY use the HTTP Basic
authentication scheme ... Alternatively, the authorization server MAY
support including the client credentials in the request-body

Adds sanity validation that the client id and client secret in the request are
consistent with the Authorization header.

Improve error descriptions. Error codes remain the same.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: zeripath <art27@cantab.net>
2022-10-08 16:53:17 +08:00
2fa.go Refactor auth package (#17962) 2022-01-02 21:12:35 +08:00
auth.go Prevent NPE when cache service is disabled (#19703) 2022-05-21 22:29:49 +08:00
linkaccount.go Move almost all functions' parameter db.Engine to context.Context (#19748) 2022-05-20 22:08:52 +08:00
main_test.go Use a struct as test options (#19393) 2022-04-14 21:58:21 +08:00
oauth.go Parse OAuth Authorization header when request omits client secret (#21351) (#21374) 2022-10-08 16:53:17 +08:00
oauth_test.go Use DisplayName() instead of FullName in Oauth provider (#19991) 2022-06-16 23:29:54 +01:00
openid.go Move almost all functions' parameter db.Engine to context.Context (#19748) 2022-05-20 22:08:52 +08:00
password.go Prevent NPE when cache service is disabled (#19703) 2022-05-21 22:29:49 +08:00
webauthn.go WebAuthn CredentialID field needs to be increased in size (#20530) (#20555) 2022-07-30 20:16:25 +02:00