mirror of https://github.com/go-gitea/gitea.git synced 2025-01-02 09:59:10 +01:00
gitea/modules/base
Shivaram Lingamneni 2f1cb1d289
fix OIDC introspection authentication ()
See discussion on  for some background.

The introspect endpoint was using the OIDC token itself for
authentication. This fixes it to use basic authentication with the
client ID and secret instead:

* Applications with a valid client ID and secret should be able to
  successfully introspect an invalid token, receiving a 200 response
  with JSON data that indicates the token is invalid
* Requests with an invalid client ID and secret should not be able
  to introspect, even if the token itself is valid

Unlike  (which just future-proofed the current behavior against
future changes to `DISABLE_QUERY_AUTH_TOKEN`), this is a potential
compatibility break (some introspection requests without valid client
IDs that would previously succeed will now fail). Affected deployments
must begin sending a valid HTTP basic authentication header with their
introspection requests, with the username set to a valid client ID and
the password set to the corresponding client secret.
2024-07-23 12:43:03 +00:00
base.go Implement FSFE REUSE for golang files () 2022-11-27 18:20:29 +00:00
natural_sort_test.go Fix natural sort () 2024-06-17 06:45:12 +00:00
natural_sort.go Fix natural sort () 2024-06-17 06:45:12 +00:00
tool_test.go fix OIDC introspection authentication () 2024-07-23 12:43:03 +00:00
tool.go fix OIDC introspection authentication () 2024-07-23 12:43:03 +00:00