From 2c42a4471f12f4944a2dff2eb521a19308ba1cf9 Mon Sep 17 00:00:00 2001 From: Lunny Xiao Date: Mon, 8 Jun 2026 15:32:31 -0700 Subject: [PATCH 1/2] fix(oauth): restrict introspection to the token's client --- routers/web/auth/oauth2_provider.go | 15 +++--- tests/integration/oauth_test.go | 75 +++++++++++++++++++++++++++++ 2 files changed, 83 insertions(+), 7 deletions(-) diff --git a/routers/web/auth/oauth2_provider.go b/routers/web/auth/oauth2_provider.go index 0ed20329b4..f4ba98504f 100644 --- a/routers/web/auth/oauth2_provider.go +++ b/routers/web/auth/oauth2_provider.go @@ -128,6 +128,7 @@ func InfoOAuth(ctx *context.Context) { // IntrospectOAuth introspects an oauth token func IntrospectOAuth(ctx *context.Context) { + var introspectingApp *auth.OAuth2Application clientIDValid := false authHeader := ctx.Req.Header.Get("Authorization") if parsed, ok := httpauth.ParseAuthorizationHeader(authHeader); ok && parsed.BasicAuth != nil { @@ -140,6 +141,9 @@ func IntrospectOAuth(ctx *context.Context) { return } clientIDValid = err == nil && app.ValidateClientSecret([]byte(clientSecret)) + if clientIDValid { + introspectingApp = app + } } if !clientIDValid { ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm="Gitea OAuth2"`) @@ -158,13 +162,10 @@ func IntrospectOAuth(ctx *context.Context) { token, err := oauth2_provider.ParseToken(form.Token, oauth2_provider.DefaultSigningKey) if err == nil { grant, err := auth.GetOAuth2GrantByID(ctx, token.GrantID) - if err == nil && grant != nil { - app, err := auth.GetOAuth2ApplicationByID(ctx, grant.ApplicationID) - if err == nil && app != nil { - response.Active = true - response.Scope = grant.Scope - response.RegisteredClaims = oauth2_provider.NewJwtRegisteredClaimsFromUser(app.ClientID, grant.UserID, nil /*exp*/) - } + if err == nil && grant != nil && grant.ApplicationID == introspectingApp.ID { + response.Active = true + response.Scope = grant.Scope + response.RegisteredClaims = oauth2_provider.NewJwtRegisteredClaimsFromUser(introspectingApp.ClientID, grant.UserID, nil /*exp*/) if user, err := user_model.GetUserByID(ctx, grant.UserID); err == nil { response.Username = user.Name } diff --git a/tests/integration/oauth_test.go b/tests/integration/oauth_test.go index ee9eb838a3..1c350bb17f 100644 --- a/tests/integration/oauth_test.go +++ b/tests/integration/oauth_test.go @@ -122,6 +122,7 @@ func TestOAuth2(t *testing.T) { t.Run("RefreshTokenInvalidation", testRefreshTokenInvalidation) t.Run("RefreshTokenCrossClientUsage", testRefreshTokenCrossClientUsage) t.Run("OAuthIntrospection", testOAuthIntrospection) + t.Run("OAuthIntrospectionCrossClientIsolation", testOAuthIntrospectionCrossClientIsolation) t.Run("OAuthGrantScopesReadUserFailRepos", testOAuthGrantScopesReadUserFailRepos) t.Run("OAuthGrantScopesBasicRespectsWriteUser", testOAuthGrantScopesBasicRespectsWriteUser) t.Run("OAuthGrantScopesReadRepositoryFailOrganization", testOAuthGrantScopesReadRepositoryFailOrganization) @@ -705,6 +706,80 @@ func testOAuthIntrospection(t *testing.T) { assert.Contains(t, resp.Body.String(), "no valid authorization") } +func testOAuthIntrospectionCrossClientIsolation(t *testing.T) { + resourceOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}) + clientA := createOAuthTestApplication(t, "user1", "introspection-primary-client", []string{"https://primary.example/oauth/callback"}) + clientB := createOAuthTestApplication(t, "user2", "introspection-secondary-client", []string{"https://secondary.example/oauth/callback"}) + code, verifier := issueOAuthAuthorizationCode(t, resourceOwner, clientA, clientA.RedirectURIs[0], "openid profile") + + req := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{ + "grant_type": "authorization_code", + "client_id": clientA.ClientID, + "client_secret": clientA.ClientSecret, + "redirect_uri": clientA.RedirectURIs[0], + "code": code, + "code_verifier": verifier, + }) + resp := MakeRequest(t, req, http.StatusOK) + type tokenResponse struct { + AccessToken string `json:"access_token"` + RefreshToken string `json:"refresh_token"` + } + tokenParsed := new(tokenResponse) + require.NoError(t, json.Unmarshal(resp.Body.Bytes(), tokenParsed)) + require.NotEmpty(t, tokenParsed.AccessToken) + require.NotEmpty(t, tokenParsed.RefreshToken) + + type introspectResponse struct { + Active bool `json:"active"` + Scope string `json:"scope,omitempty"` + Username string `json:"username,omitempty"` + Subject string `json:"sub,omitempty"` + Audience []string `json:"aud,omitempty"` + } + + assertBlockedIntrospection := func(token string) { + t.Helper() + + req = NewRequestWithValues(t, "POST", "/login/oauth/introspect", map[string]string{ + "token": token, + }) + req.SetBasicAuth(clientB.ClientID, clientB.ClientSecret) + resp = MakeRequest(t, req, http.StatusOK) + + blocked := new(introspectResponse) + require.NoError(t, json.Unmarshal(resp.Body.Bytes(), blocked)) + assert.False(t, blocked.Active) + assert.Empty(t, blocked.Scope) + assert.Empty(t, blocked.Username) + assert.Empty(t, blocked.Subject) + assert.Empty(t, blocked.Audience) + } + + assertAllowedIntrospection := func(token string) { + t.Helper() + + req = NewRequestWithValues(t, "POST", "/login/oauth/introspect", map[string]string{ + "token": token, + }) + req.SetBasicAuth(clientA.ClientID, clientA.ClientSecret) + resp = MakeRequest(t, req, http.StatusOK) + + allowed := new(introspectResponse) + require.NoError(t, json.Unmarshal(resp.Body.Bytes(), allowed)) + assert.True(t, allowed.Active) + assert.Equal(t, "openid profile", allowed.Scope) + assert.Equal(t, resourceOwner.Name, allowed.Username) + assert.Equal(t, fmt.Sprint(resourceOwner.ID), allowed.Subject) + assert.Equal(t, []string{clientA.ClientID}, allowed.Audience) + } + + assertBlockedIntrospection(tokenParsed.AccessToken) + assertAllowedIntrospection(tokenParsed.AccessToken) + assertBlockedIntrospection(tokenParsed.RefreshToken) + assertAllowedIntrospection(tokenParsed.RefreshToken) +} + func testOAuthGrantScopesReadUserFailRepos(t *testing.T) { user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}) accessToken := issueOAuthAccessTokenForScope(t, user, "openid read:user") From 09b3ae8a97132c99647b7da09688d257e229419b Mon Sep 17 00:00:00 2001 From: Lunny Xiao Date: Mon, 8 Jun 2026 16:23:00 -0700 Subject: [PATCH 2/2] Fix lint --- tests/integration/oauth_test.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/integration/oauth_test.go b/tests/integration/oauth_test.go index 1c350bb17f..a14151b069 100644 --- a/tests/integration/oauth_test.go +++ b/tests/integration/oauth_test.go @@ -14,6 +14,7 @@ import ( "net/http" "net/http/httptest" "net/url" + "strconv" "strings" "testing" @@ -770,7 +771,7 @@ func testOAuthIntrospectionCrossClientIsolation(t *testing.T) { assert.True(t, allowed.Active) assert.Equal(t, "openid profile", allowed.Scope) assert.Equal(t, resourceOwner.Name, allowed.Username) - assert.Equal(t, fmt.Sprint(resourceOwner.ID), allowed.Subject) + assert.Equal(t, strconv.FormatInt(resourceOwner.ID, 10), allowed.Subject) assert.Equal(t, []string{clientA.ClientID}, allowed.Audience) }