0
0
mirror of https://github.com/go-gitea/gitea.git synced 2024-12-14 18:23:58 +01:00
gitea/routers/web
Shivaram Lingamneni 2f1cb1d289
fix OIDC introspection authentication (#31632)
See discussion on #31561 for some background.

The introspect endpoint was using the OIDC token itself for
authentication. This fixes it to use basic authentication with the
client ID and secret instead:

* Applications with a valid client ID and secret should be able to
  successfully introspect an invalid token, receiving a 200 response
  with JSON data that indicates the token is invalid
* Requests with an invalid client ID and secret should not be able
  to introspect, even if the token itself is valid

Unlike #31561 (which just future-proofed the current behavior against
future changes to `DISABLE_QUERY_AUTH_TOKEN`), this is a potential
compatibility break (some introspection requests without valid client
IDs that would previously succeed will now fail). Affected deployments
must begin sending a valid HTTP basic authentication header with their
introspection requests, with the username set to a valid client ID and
the password set to the corresponding client secret.
2024-07-23 12:43:03 +00:00
..
admin
auth fix OIDC introspection authentication (#31632) 2024-07-23 12:43:03 +00:00
devtest
events
explore
feed
healthcheck
misc
org
repo
shared
user
base.go
githttp.go
goget.go
home.go
metrics.go
nodeinfo.go
passkey.go
swagger_json.go
web.go
webfinger.go