fix OIDC introspection authentication (#31632)

nune/gitea

See discussion on #31561 for some background.

The introspect endpoint was using the OIDC token itself for
authentication. This fixes it to use basic authentication with the
client ID and secret instead:

* Applications with a valid client ID and secret should be able to
  successfully introspect an invalid token, receiving a 200 response
  with JSON data that indicates the token is invalid
* Requests with an invalid client ID and secret should not be able
  to introspect, even if the token itself is valid

Unlike #31561 (which just future-proofed the current behavior against
future changes to `DISABLE_QUERY_AUTH_TOKEN`), this is a potential
compatibility break (some introspection requests without valid client
IDs that would previously succeed will now fail). Affected deployments
must begin sending a valid HTTP basic authentication header with their
introspection requests, with the username set to a valid client ID and
the password set to the corresponding client secret.

This commit is contained in:

Shivaram Lingamneni

2024-07-23 14:43:03 +02:00

• committed by

GitHub

parent 24f9390f34

commit 2f1cb1d289

No known key found for this signature in database

GPG key ID: B5690EEEBB952194

4 changed files with 90 additions and 24 deletions

									
										3

modules/base/tool_test.go
									
										View file
										
				@ -41,6 +41,9 @@ func TestBasicAuthDecode(t *testing.T) {

					_, _, err = BasicAuthDecode("invalid")

					assert.Error(t, err)

					_, _, err = BasicAuthDecode("YWxpY2U=") // "alice", no colon

					assert.Error(t, err)

				}

				func TestVerifyTimeLimitCode(t *testing.T) {

Rows
Columns

fix OIDC introspection authentication (#31632)

3 modules/base/tool_test.go Unescape Escape View file

3

modules/base/tool_test.go

View file