mirror of https://github.com/go-gitea/gitea.git synced 2024-09-01 14:56:30 +00:00
gitea/routers/web
Shivaram Lingamneni 2f1cb1d289
fix OIDC introspection authentication ()
See discussion on  for some background.

The introspect endpoint was using the OIDC token itself for
authentication. This fixes it to use basic authentication with the
client ID and secret instead:

* Applications with a valid client ID and secret should be able to
  successfully introspect an invalid token, receiving a 200 response
  with JSON data that indicates the token is invalid
* Requests with an invalid client ID and secret should not be able
  to introspect, even if the token itself is valid

Unlike  (which just future-proofed the current behavior against
future changes to `DISABLE_QUERY_AUTH_TOKEN`), this is a potential
compatibility break (some introspection requests without valid client
IDs that would previously succeed will now fail). Affected deployments
must begin sending a valid HTTP basic authentication header with their
introspection requests, with the username set to a valid client ID and
the password set to the corresponding client secret.
2024-07-23 12:43:03 +00:00
admin Refactor names () 2024-06-19 06:32:45 +08:00
auth fix OIDC introspection authentication () 2024-07-23 12:43:03 +00:00
devtest Refactor names () 2024-06-19 06:32:45 +08:00
events Move context from modules to services () 2024-02-27 08:12:22 +01:00
explore Refactor names () 2024-06-19 06:32:45 +08:00
feed Refactor names () 2024-06-19 06:32:45 +08:00
healthcheck Always enable caches () 2023-12-19 09:29:05 +00:00
misc Make sure git version&feature are always prepared () 2024-05-06 18:34:16 +02:00
org Refactor names () 2024-06-19 06:32:45 +08:00
repo Refactor webhook () 2024-07-10 11:37:16 +00:00
shared Refactor names () 2024-06-19 06:32:45 +08:00
user add skip secondary authorization option for public oauth2 clients () 2024-07-19 14:28:30 -04:00
base.go Azure blob storage support () 2024-05-30 07:33:50 +00:00
githttp.go Refactor names () 2024-06-19 06:32:45 +08:00
goget.go Move context from modules to services () 2024-02-27 08:12:22 +01:00
home.go migrate some more "OptionalBool" to "Option[bool]" () 2024-02-29 18:52:49 +00:00
metrics.go
nodeinfo.go Move context from modules to services () 2024-02-27 08:12:22 +01:00
passkey.go Move context from modules to services () 2024-02-27 08:12:22 +01:00
swagger_json.go Move context from modules to services () 2024-02-27 08:12:22 +01:00
web.go Add Passkey login support () 2024-06-29 22:50:03 +00:00
webfinger.go Move context from modules to services () 2024-02-27 08:12:22 +01:00