forgejo-federation/modules
M Hickford 191a74d622
Record OAuth client type at registration (#21316)
The OAuth spec [defines two types of
client](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1),
confidential and public. Previously Gitea assumed all clients to be
confidential.

> OAuth defines two client types, based on their ability to authenticate
securely with the authorization server (i.e., ability to
>   maintain the confidentiality of their client credentials):
>
>   confidential
> Clients capable of maintaining the confidentiality of their
credentials (e.g., client implemented on a secure server with
> restricted access to the client credentials), or capable of secure
client authentication using other means.
>
>   **public
> Clients incapable of maintaining the confidentiality of their
credentials (e.g., clients executing on the device used by the resource
owner, such as an installed native application or a web browser-based
application), and incapable of secure client authentication via any
other means.**
>
> The client type designation is based on the authorization server's
definition of secure authentication and its acceptable exposure levels
of client credentials. The authorization server SHOULD NOT make
assumptions about the client type.

 https://datatracker.ietf.org/doc/html/rfc8252#section-8.4

> Authorization servers MUST record the client type in the client
registration details in order to identify and process requests
accordingly.

Require PKCE for public clients:
https://datatracker.ietf.org/doc/html/rfc8252#section-8.1

> Authorization servers SHOULD reject authorization requests from native
apps that don't use PKCE by returning an error message

Fixes #21299

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-10-24 15:59:24 +08:00
..
activitypub Refactor AssertExistsAndLoadBean to use generics (#20797) 2022-08-16 10:22:25 +08:00
analyze Simplify IsVendor (#19626) 2022-05-06 10:12:30 +01:00
auth Remove legacy +build: constraint (#19582) 2022-05-02 23:22:45 +08:00
avatar Go 1.19 format (#20758) 2022-08-30 21:15:45 -05:00
base Add generic set type (#21408) 2022-10-12 13:18:26 +08:00
cache Update go-chi/cache to utilize Ping() (#19719) 2022-05-15 20:43:27 +02:00
charset Move go-licenses to generate and separate generate into a frontend and backend component (#21061) 2022-09-05 14:04:18 +08:00
container Add generic set type (#21408) 2022-10-12 13:18:26 +08:00
context Redirect to new repository owner (#21398) 2022-10-11 19:54:44 +08:00
convert Record OAuth client type at registration (#21316) 2022-10-24 15:59:24 +08:00
csv Go 1.19 format (#20758) 2022-08-30 21:15:45 -05:00
doctor Refactor git command arguments and make all arguments to be safe to be used (#21535) 2022-10-23 22:44:45 +08:00
emoji Go 1.19 format (#20758) 2022-08-30 21:15:45 -05:00
eventsource Move some files into models' sub packages (#20262) 2022-08-25 10:31:57 +08:00
generate Use base32 for 2FA scratch token (#18384) 2022-01-26 12:10:10 +08:00
git Refactor git command arguments and make all arguments to be safe to be used (#21535) 2022-10-23 22:44:45 +08:00
gitgraph Refactor git command arguments and make all arguments to be safe to be used (#21535) 2022-10-23 22:44:45 +08:00
graceful Support Proxy protocol (#12527) 2022-08-21 19:20:43 +01:00
hcaptcha hCaptcha Support (#12594) 2020-10-02 23:37:53 -04:00
highlight Upgrade chroma to v2.3.0 (#21259) 2022-09-26 13:50:03 +08:00
hostmatcher Add proxy host into allow list (#20798) 2022-08-16 20:15:54 -04:00
httpcache Add Cache-Control header to html and api responses, add no-transform (#20432) 2022-07-23 14:38:03 +08:00
httplib refactor httplib (#18338) 2022-01-19 19:31:39 -05:00
indexer Refactor git command arguments and make all arguments to be safe to be used (#21535) 2022-10-23 22:44:45 +08:00
issue/template Add generic set type (#21408) 2022-10-12 13:18:26 +08:00
json Refactor legacy unknwon/com package, improve golangci lint (#19284) 2022-04-01 16:47:50 +08:00
lfs Removed some vestigial code related to Range bounds checks (#20312) 2022-07-28 11:04:36 +08:00
log test: use T.TempDir to create temporary test directory (#21043) 2022-09-04 16:14:53 +01:00
markup Add link to user profile in markdown mention only if user exists (#21533) 2022-10-23 01:15:52 +08:00
mcaptcha Add support mCaptcha as captcha provider (#20458) 2022-08-10 15:20:10 +02:00
metrics Move some files into models' sub packages (#20262) 2022-08-25 10:31:57 +08:00
migration Add more checks in migration code (#21011) 2022-09-04 13:47:56 +03:00
mirror Implement sync push mirror on commit (#19411) 2022-07-08 20:45:12 +01:00
nosql fix broken insecureskipverify handling in rediss connection uris (#20967) 2022-08-29 16:38:49 +02:00
notification Decouple HookTask from Repository (#17940) 2022-10-21 18:21:56 +02:00
options Fix and improve incorrect error messages (#21342) 2022-10-06 07:00:54 +01:00
packages Add support for Chocolatey/NuGet v2 API (#21393) 2022-10-13 18:19:39 +08:00
paginator Remove unnecessary misspell ignore pattern (#21475) 2022-10-18 12:52:25 -04:00
password Fixed assert statements. (#16089) 2021-06-07 07:27:09 +02:00
pprof Go 1.19 format (#20758) 2022-08-30 21:15:45 -05:00
private log real ip of requests from ssh (#21216) 2022-10-11 16:57:37 +08:00
process Add more linters to improve code readability (#19989) 2022-06-20 12:02:49 +02:00
proxy Return nil proxy function if proxy not enabled (#16742) 2021-08-19 16:41:20 -04:00
proxyprotocol Support Proxy protocol (#12527) 2022-08-21 19:20:43 +01:00
public Add generic set type (#21408) 2022-10-12 13:18:26 +08:00
queue Add generic set type (#21408) 2022-10-12 13:18:26 +08:00
recaptcha refactor: move from io/ioutil to io and os package (#17109) 2021-09-22 13:38:34 +08:00
references Remove unnecessary misspell ignore pattern (#21475) 2022-10-18 12:52:25 -04:00
regexplru Custom regexp external issues (#17624) 2022-06-10 13:39:53 +08:00
repository Refactor git command arguments and make all arguments to be safe to be used (#21535) 2022-10-23 22:44:45 +08:00
secret Use CryptoRandomBytes instead of CryptoRandomString (#18439) 2022-02-04 18:03:15 +01:00
session format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
setting Add system setting table with cache and also add cache supports for user setting (#18058) 2022-10-17 07:29:26 +08:00
sitemap Add sitemap support (#18407) 2022-06-25 19:06:01 +02:00
ssh Support Proxy protocol (#12527) 2022-08-21 19:20:43 +01:00
storage Save files in local storage as umask (#21198) 2022-09-24 21:04:14 +08:00
structs Record OAuth client type at registration (#21316) 2022-10-24 15:59:24 +08:00
svg Remove legacy +build: constraint (#19582) 2022-05-02 23:22:45 +08:00
sync Add generic set type (#21408) 2022-10-12 13:18:26 +08:00
system Add system setting table with cache and also add cache supports for user setting (#18058) 2022-10-17 07:29:26 +08:00
templates Fix generating compare link (#21519) 2022-10-21 16:39:26 +08:00
test Refactor AssertExistsAndLoadBean to use generics (#20797) 2022-08-16 10:22:25 +08:00
timeutil Share HTML template renderers and create a watcher framework (#20218) 2022-08-28 10:43:25 +01:00
translation Make every not exist error unwrappable to a fs.ErrNotExist (#20891) 2022-10-18 07:50:37 +02:00
typesniffer Rework raw file http header logic (#20484) 2022-07-29 17:26:55 +02:00
updatechecker Add system setting table with cache and also add cache supports for user setting (#18058) 2022-10-17 07:29:26 +08:00
upload Simplify parameter types (#18006) 2021-12-20 04:41:31 +00:00
uri Prevent NPE if gitea uploader fails to open url (#18080) 2021-12-23 16:27:33 +00:00
user Add gitea-vet (#10948) 2020-04-05 07:20:50 +01:00
util Make every not exist error unwrappable to a fs.ErrNotExist (#20891) 2022-10-18 07:50:37 +02:00
validation Add more checks in migration code (#21011) 2022-09-04 13:47:56 +03:00
watcher Share HTML template renderers and create a watcher framework (#20218) 2022-08-28 10:43:25 +01:00
web refactor webhook *NewPost (#20729) 2022-08-11 17:48:23 +02:00