Commit graph

10 commits

Author SHA1 Message Date
oliverpool
e1d93950ad feat: implement PKCE when acting as oauth2 client (for user login)
Closes #2766
2024-04-29 11:20:26 +02:00
oliverpool
ecfcbcb19f [BUG] prevent removing session cookie when redirect_uri query contains :// 2024-03-07 10:52:30 +01:00
Antonin Delpeuch
6338fe8bef
[GITEA] oauth2: use link_account page when email/username is missing (#1757)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/1757
Co-authored-by: Antonin Delpeuch <antonin@delpeuch.eu>
Co-committed-by: Antonin Delpeuch <antonin@delpeuch.eu>
(cherry picked from commit 0f6e0f90359b4b669d297a533de18b41e3293df2)
(cherry picked from commit 779168a572c521507a35ba624dbd032ec28f272e)
(cherry picked from commit 29a2457321e4587f55b333d0c5698925e403f026)
(cherry picked from commit a1edc2314d2687c9320d884f8a584d8b539eec96)
(cherry picked from commit cd015946109d39c6e30091de2fff47eba01eb937)
(cherry picked from commit 74db46b0f50a5b465269688ef83e170b7584e2be)
(cherry picked from commit fd98f55204f1cec66c3941d85b45dc84f8ab9ecd)
(cherry picked from commit 3099d0e2818d1de763a686b6a23dcf5d55ba75ef)
(cherry picked from commit 9fbbe613649331243b3777955cf2818862583f7e)
(cherry picked from commit 8c0056500697937d27f64bdebd42ba8f05f83288)
(cherry picked from commit 0977a1ed75122a2976ab3f9a98af2d146e2c854c)
2024-02-05 16:09:40 +01:00
Earl Warren
345ceeb98f
[TESTS] coverage for SignInOAuthCallback
(cherry picked from commit f8e1619b993943eafb8ee12bf06f4cdb5862de70)
(cherry picked from commit 46d8bc9bdf68b53767211dc103e6130f55bcdb64)
(cherry picked from commit e0c7b7055f5f4eeca84f1d0b1260b7b9622d3aab)
(cherry picked from commit faab747f8e7eb09262f755445462a77f8a6fb953)
(cherry picked from commit 46acb6a9a79e7ce588b2863aa37bf26805afb2b1)
(cherry picked from commit 22d964e74407c52ffcd3d3a84b0a66e2c186b0fa)
(cherry picked from commit 4c8a6031acf760c2383d9e103c703ee5ececb8e8)
(cherry picked from commit 032e8c7a9a357a13f41410063c2f7fb925dba5ac)
(cherry picked from commit 7a17a3b0fb979e2923019de4b9a7318f578b73b8)
(cherry picked from commit 8ea71c2a31ea7492f5f2e3de529c7fd0b232d3e3)
(cherry picked from commit 4b027e2d37cb91c5951f1d10a018778b19590eb0)
(cherry picked from commit d787089a5de09fa11f8e82a66ec43e4abdde1b2e)
(cherry picked from commit 7b9999357a5d34861b5fd7390cc400f497896246)
(cherry picked from commit 80eb531c380914c66d30a29159b81154e7adefeb)
(cherry picked from commit 373b198bfbc29855c409294ee487639f83516a55)
(cherry picked from commit 15781eedf755713ad4bbc83cf0b82e899e05d075)
(cherry picked from commit 46bdb17a2fb25c23336ef493449ff3ff0eb05409)
(cherry picked from commit 22ec6c11ee779cc06c2e6e6dca3213129033389e)
(cherry picked from commit 3f94b9a11103458d6b4f44dfda8158b748a2e3ad)
(cherry picked from commit a4194c29ffcca46f20d2ccc660f8c95cf527c7a4)
(cherry picked from commit aa80ba2ed1e529a85eda01beeb25c6732d2bc9bf)
(cherry picked from commit d349f3e80ec764f6f402ea6183e41511f73cd33f)
(cherry picked from commit ccb073f71ac855b1d7c7dd1e71a29939a14a20c5)
(cherry picked from commit d8a996a9c1052a7c4b7693cb75f10ee0cbce1534)
(cherry picked from commit af12965737bf60bb74fed2ca5363b034eca15fe4)
(cherry picked from commit 3867b17a485e441198b248be08cbe14bb8bd3946)
(cherry picked from commit 0c48072b2e19f70530d76de459bddd9e7c539c0d)
(cherry picked from commit 9c5d675ded22eb2777df5b4bbd24e4b1341b8b26)
(cherry picked from commit 665119370f4e9103978853c53c6ae9258a415cbc)
(cherry picked from commit 658417e7ad06e8a03ee562f3c8ef8b3c2abd158e)
2024-02-05 14:44:32 +01:00
Denys Konovalov
7d855efb1f
Allow for PKCE flow without client secret + add docs (#25033)
The PKCE flow according to [RFC
7636](https://datatracker.ietf.org/doc/html/rfc7636) allows for secure
authorization without the requirement to provide a client secret for the
OAuth app.

It is implemented in Gitea since #5378 (v1.8.0), however without being
able to omit client secret.
Since #21316 Gitea supports setting client type at OAuth app
registration.

As public clients are already forced to use PKCE since #21316, in this
PR the client secret check is being skipped if a public client is
detected. As Gitea seems to implement PKCE authorization correctly
according to the spec, this would allow for PKCE flow without providing
a client secret.

Also add some docs for it, please check language as I'm not a native
English speaker.

Closes #17107
Closes #25047
2023-06-03 05:59:28 +02:00
flynnnnnnnnnn
e81ccc406b
Implement FSFE REUSE for golang files (#21840)
Change all license headers to comply with REUSE specification.

Fix #16132

Co-authored-by: flynnnnnnnnnn <flynnnnnnnnnn@github>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>
2022-11-27 18:20:29 +00:00
M Hickford
191a74d622
Record OAuth client type at registration (#21316)
The OAuth spec [defines two types of
client](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1),
confidential and public. Previously Gitea assumed all clients to be
confidential.

> OAuth defines two client types, based on their ability to authenticate
securely with the authorization server (i.e., ability to
>   maintain the confidentiality of their client credentials):
>
>   confidential
> Clients capable of maintaining the confidentiality of their
credentials (e.g., client implemented on a secure server with
> restricted access to the client credentials), or capable of secure
client authentication using other means.
>
>   **public
> Clients incapable of maintaining the confidentiality of their
credentials (e.g., clients executing on the device used by the resource
owner, such as an installed native application or a web browser-based
application), and incapable of secure client authentication via any
other means.**
>
> The client type designation is based on the authorization server's
definition of secure authentication and its acceptable exposure levels
of client credentials. The authorization server SHOULD NOT make
assumptions about the client type.

 https://datatracker.ietf.org/doc/html/rfc8252#section-8.4

> Authorization servers MUST record the client type in the client
registration details in order to identify and process requests
accordingly.

Require PKCE for public clients:
https://datatracker.ietf.org/doc/html/rfc8252#section-8.1

> Authorization servers SHOULD reject authorization requests from native
apps that don't use PKCE by returning an error message

Fixes #21299

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-24 15:59:24 +08:00
M Hickford
afebbf29a9
Require authentication for OAuth token refresh (#21421)
According to the OAuth spec
https://datatracker.ietf.org/doc/html/rfc6749#section-6 when "Refreshing
an Access Token"

> The authorization server MUST ... require client authentication for
confidential clients


Fixes #21418

Co-authored-by: Gusted <williamzijl7@hotmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-23 13:28:46 +08:00
M Hickford
e84558b093
Improve OAuth integration tests (#21390)
In particular, test explicit error responses.

No change to behaviour.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-10-12 12:22:43 +08:00
Kyle D
c8ded77680
Kd/ci playwright go test (#20123)
* Add initial playwright config

* Simplify Makefile

* Simplify Makefile

* Use correct config files

* Update playwright settings

* Fix package-lock file

* Don't use test logger for e2e tests

* fix frontend lint

* Allow passing TEST_LOGGER variable

* Init postgres database

* use standard gitea env variables

* Update playwright

* update drone

* Move empty env var to commands

* Cleanup

* Move integrations to subfolder

* tests integrations to tests integraton

* Run e2e tests with go test

* Fix linting

* install CI deps

* Add files to ESlint

* Fix drone typo

* Don't log to console in CI

* Use go test http server

* Add build step before tests

* Move shared init function to common package

* fix drone

* Clean up tests

* Fix linting

* Better mocking for page + version string

* Cleanup test generation

* Remove dependency on gitea binary

* Fix linting

* add initial support for running specific tests

* Add ACCEPT_VISUAL variable

* don't require git-lfs

* Add initial documentation

* Review feedback

* Add logged in session test

* Attempt fixing drone race

* Cleanup and bump version

* Bump deps

* Review feedback

* simplify installation

* Fix ci

* Update install docs
2022-09-02 15:18:23 -04:00
Renamed from integrations/oauth_test.go (Browse further)