go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License

With Gitea as an OAuth provider, Gitea sends an incorrect user account back to its OAuth client #16501

Closed vw98075 closed 3 years ago

vw98075 commented 3 years ago

Description

Create an application for OAuth on Gitea; logging in on its OAuth client app will be redirected to log in on Gitea. At this stage, logging in on Gitea with the user account which created the app will result in the same user being logged in on its client. In other words, the same user is logged in to both Gitea and its OAuth client. Logging in on Gitea with other user accounts will result in the user account which created the app being logged in on its client app. In other words, different users are logged in on Gitea and its OAuth client. For some reason, Gitea always returns the user account which created the app to its OAuth client for user login, based on our current test.

...

Screenshots

The following are logs for two use cases. Gitea is on port 3000 while the OAuth client is on port 9000.

1) A user signs in on the OAuth client while a user session is available on Gitea

        ◦ Request URL: http://localhost:3000/login/oauth/authorize?response_type=code&client_id=564a1ee4-7b37-4eb3-a2b7-aa53a5a18811&scope=openid%20profile%20email&state=x78w0_qNnCHsoZOdrCLSQog5Dn9rlYgGFkXk1FIPsWE%3D&redirect_uri=http://localhost:9000/login/oauth2/code/oidc&nonce=9J3GH9fXj_rsCnsYiZIUXnf2hsOwxE4UdUsvcEYdBK0
        ◦ Request Method: GET
        ◦ Status Code: 302 Found
        ◦ Remote Address: [::1]:3000
        ◦ Referrer Policy: strict-origin-when-cross-origin
    • Response Headers
        ◦ Content-Length: 174
        ◦ Content-Type: text/html; charset=utf-8
        ◦ Date: Wed, 21 Jul 2021 14:32:15 GMT
        ◦ Location: http://localhost:9000/login/oauth2/code/oidc?code=dwkOjutqosAts4Ec4sPkdP3X0Szv6iSKftXQZRkST6hJ&state=x78w0_qNnCHsoZOdrCLSQog5Dn9rlYgGFkXk1FIPsWE%3D
        ◦ Set-Cookie: macaron_flash=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax
        ◦ X-Frame-Options: SAMEORIGIN
    • Request Headers
        ◦ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        ◦ Accept-Encoding: gzip, deflate, br
        ◦ Accept-Language: de,en-US;q=0.9,en;q=0.8
        ◦ Connection: keep-alive
        ◦ Cookie: i_like_gitea=a0ff90920347641c; lang=en-US; _csrf=mabg6ZNunZvLKMPZZyRM00cXiGg6MTYyNjgxODU4ODE2NTE5NjAwMA; XSRF-TOKEN=0f8f7dbc-7231-4bfd-a63c-b615b787ce67; io=S7MZQeiWxrURbWy3AABv; JSESSIONID=BeCPs2QziP04x7e5My6nfgy668q-U37gxioSo262
        ◦ Host: localhost:3000
        ◦ Referer: http://localhost:9000/
        ◦ sec-ch-ua: " Not;A Brand";v="99", "Google Chrome";v="91", "Chromium";v="91"
        ◦ sec-ch-ua-mobile: ?1
        ◦ Sec-Fetch-Dest: document
        ◦ Sec-Fetch-Mode: navigate
        ◦ Sec-Fetch-Site: same-site
        ◦ Sec-Fetch-User: ?1
        ◦ Upgrade-Insecure-Requests: 1
        ◦ User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.164 Mobile Safari/537.36
    • Query String Parameters
        ◦ response_type: code
        ◦ client_id: 564a1ee4-7b37-4eb3-a2b7-aa53a5a18811
        ◦ scope: openid profile email
        ◦ state: x78w0_qNnCHsoZOdrCLSQog5Dn9rlYgGFkXk1FIPsWE=
        ◦ redirect_uri: http://localhost:9000/login/oauth2/code/oidc
        ◦ nonce: 9J3GH9fXj_rsCnsYiZIUXnf2hsOwxE4UdUsvcEYdBK0

2) A user signs in on the OAuth client app while the user session isn't available on Gitea.

        ◦ Request URL: http://localhost:3000/login/oauth/authorize?response_type=code&client_id=564a1ee4-7b37-4eb3-a2b7-aa53a5a18811&scope=openid%20profile%20email&state=v0H2VE_6063inEhPoR6SCEin7xplaSf8QN4MD8hq3KA%3D&redirect_uri=http://localhost:9000/login/oauth2/code/oidc&nonce=A6M0phhMzfU-WDTQXlRscMMaaOq8s4KqolAez11U09E
        ◦ Request Method: GET
        ◦ Status Code: 302 Found
        ◦ Remote Address: [::1]:3000
        ◦ Referrer Policy: no-referrer
    • Response Headers
        ◦ Content-Length: 174
        ◦ Content-Type: text/html; charset=utf-8
        ◦ Date: Wed, 21 Jul 2021 15:13:52 GMT
        ◦ Location: http://localhost:9000/login/oauth2/code/oidc?code=VrtpJ103AYGYJMxNhwhLkG5P1sLIkD3q6kFKSPiFMosY&state=v0H2VE_6063inEhPoR6SCEin7xplaSf8QN4MD8hq3KA%3D
        ◦ Set-Cookie: _csrf=2HarUlUagFauOg88-09HRxGYGw86MTYyNjg4MDQzMjI5MTgxMzAwMA; Path=/; Expires=Thu, 22 Jul 2021 15:13:52 GMT; HttpOnly; SameSite=Lax
        ◦ Set-Cookie: macaron_flash=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax
        ◦ X-Frame-Options: SAMEORIGIN
    • Request Headers
        ◦ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        ◦ Accept-Encoding: gzip, deflate, br
        ◦ Accept-Language: en-US,en;q=0.9
        ◦ Cache-Control: max-age=0
        ◦ Connection: keep-alive
        ◦ Cookie: XSRF-TOKEN=6cfefe77-7912-40c1-9484-dcf61dad3271; io=_d8OSzN-PIQVJcl8AAB3; JSESSIONID=1leZuJFlAjLSinj02dBRx5vnFExPHgznDc5Imrkf; i_like_gitea=eed5ada632ae0f03; lang=en-US
        ◦ Host: localhost:3000
        ◦ sec-ch-ua: " Not;A Brand";v="99", "Microsoft Edge";v="91", "Chromium";v="91"
        ◦ sec-ch-ua-mobile: ?0
        ◦ Sec-Fetch-Dest: document
        ◦ Sec-Fetch-Mode: navigate
        ◦ Sec-Fetch-Site: same-origin
        ◦ Sec-Fetch-User: ?1
        ◦ Upgrade-Insecure-Requests: 1
        ◦ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.70
    • Query String Parameters
        ◦ response_type: code
        ◦ client_id: 564a1ee4-7b37-4eb3-a2b7-aa53a5a18811
        ◦ scope: openid profile email
        ◦ state: v0H2VE_6063inEhPoR6SCEin7xplaSf8QN4MD8hq3KA=
        ◦ redirect_uri: http://localhost:9000/login/oauth2/code/oidc
        ◦ nonce: A6M0phhMzfU-WDTQXlRscMMaaOq8s4KqolAez11U09E
        ◦ Request URL: http://localhost:9000/login/oauth2/code/oidc?code=VrtpJ103AYGYJMxNhwhLkG5P1sLIkD3q6kFKSPiFMosY&state=v0H2VE_6063inEhPoR6SCEin7xplaSf8QN4MD8hq3KA%3D
        ◦ Request Method: GET
        ◦ Status Code: 302 Found
        ◦ Remote Address: [::1]:9000
        ◦ Referrer Policy: no-referrer
    • Response Headers
        ◦ cache-control: no-cache, no-store, max-age=0, must-revalidate
        ◦ connection: close
        ◦ content-length: 0
        ◦ content-security-policy: default-src 'self'; frame-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://storage.googleapis.com; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com data:
        ◦ date: Wed, 21 Jul 2021 15:13:52 GMT
        ◦ expires: 0
        ◦ feature-policy: geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; fullscreen 'self'; payment 'none'
        ◦ location: http://localhost:9000/
        ◦ pragma: no-cache
        ◦ referrer-policy: strict-origin-when-cross-origin
        ◦ set-cookie: JSESSIONID=--5zv-XZznshlU7hKmDiB_0C4Zvee_TpXJSbRFYa; path=/; HttpOnly
        ◦ set-cookie: XSRF-TOKEN=2bababa9-ad27-4706-97ed-2ed20122a842; path=/
        ◦ vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
        ◦ x-content-type-options: nosniff
        ◦ x-frame-options: DENY
        ◦ x-powered-by: Express
        ◦ x-xss-protection: 1; mode=block
    • Request Headers
        ◦ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
        ◦ Accept-Encoding: gzip, deflate, br
        ◦ Accept-Language: en-US,en;q=0.9
        ◦ Cache-Control: max-age=0
        ◦ Connection: keep-alive
        ◦ Cookie: XSRF-TOKEN=6cfefe77-7912-40c1-9484-dcf61dad3271; io=_d8OSzN-PIQVJcl8AAB3; JSESSIONID=1leZuJFlAjLSinj02dBRx5vnFExPHgznDc5Imrkf; i_like_gitea=eed5ada632ae0f03; lang=en-US; _csrf=2HarUlUagFauOg88-09HRxGYGw86MTYyNjg4MDQzMjI5MTgxMzAwMA
        ◦ Host: localhost:9000
        ◦ sec-ch-ua: " Not;A Brand";v="99", "Microsoft Edge";v="91", "Chromium";v="91"
        ◦ sec-ch-ua-mobile: ?0
        ◦ Sec-Fetch-Dest: document
        ◦ Sec-Fetch-Mode: navigate
        ◦ Sec-Fetch-Site: same-site
        ◦ Sec-Fetch-User: ?1
        ◦ Upgrade-Insecure-Requests: 1
        ◦ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.70
    • Query String Parameters
        ◦ code: VrtpJ103AYGYJMxNhwhLkG5P1sLIkD3q6kFKSPiFMosY
        ◦ state: v0H2VE_6063inEhPoR6SCEin7xplaSf8QN4MD8hq3KA=
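The symptom the report describes, an authorization code that resolves to the application's creator rather than to the user who holds the Gitea session, is easiest to reason about with a small model of the authorize and token endpoints. The Go program below is an added example written for this page; it is not Gitea's code and makes no claim about where in Gitea the defect lies. It models a provider that keeps registered apps (with an owner), logged-in users keyed by session cookie, and outstanding codes. `IssueCode` carries a `bindToOwner` switch that exists only in this model: `true` reproduces the reported behaviour (the code is bound to the app's owner), `false` is the correct binding to the user whose session approved the request. `CheckCodeFlow` replays the report's two-user test, the app's creator logging in and then a second user, and reports whether the client received the same user the provider authenticated. All type and function names, the users `alice` and `bob`, the client id and the redirect URI are constructed for this example. Note that the client's `state` and `nonce` checks pass in both cases, so they do not catch this class of provider-side bug; only comparing the returned subject with the expected user does.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// App is a registered OAuth client; OwnerID is the account that created it
// (assumed field names for this model, not Gitea's own types).
type App struct{ ClientID, OwnerID, RedirectURI string }

// grant is what the provider remembers for an issued authorization code.
type grant struct{ clientID, userID, nonce string }

// Provider is a toy authorization server: apps by client_id, logged-in users
// by session cookie, and outstanding codes.
type Provider struct {
	apps     map[string]App
	sessions map[string]string
	codes    map[string]grant
}

func randomToken() string {
	b := make([]byte, 24)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// IssueCode is the authorize endpoint. It validates client_id/redirect_uri,
// requires a provider session, and issues a single-use code. bindToOwner is a
// switch that exists only in this model: true reproduces the reported symptom
// (code bound to the app's creator), false is the correct binding to the user
// whose session approved the request.
func (p *Provider) IssueCode(cookie, clientID, redirectURI, nonce string, bindToOwner bool) (string, error) {
	app, ok := p.apps[clientID]
	if !ok || app.RedirectURI != redirectURI {
		return "", errors.New("unknown client_id or redirect_uri mismatch")
	}
	user, ok := p.sessions[cookie]
	if !ok {
		return "", errors.New("no provider session: would redirect to login")
	}
	subject := user
	if bindToOwner {
		subject = app.OwnerID
	}
	code := randomToken()
	p.codes[code] = grant{clientID, subject, nonce}
	return code, nil
}

// Exchange is the token endpoint: the code is single-use and bound to one
// client; it returns the subject and the nonce echoed in the ID token.
func (p *Provider) Exchange(code, clientID string) (string, string, error) {
	g, ok := p.codes[code]
	if !ok || g.clientID != clientID {
		return "", "", errors.New("invalid_grant")
	}
	delete(p.codes, code)
	return g.userID, g.nonce, nil
}

// CheckCodeFlow replays the report's two-user test (the app's creator, then
// another user) and returns, per provider user, whether the client got that
// same user back after a successful exchange and nonce check.
func CheckCodeFlow(bindToOwner bool) map[string]bool {
	p := &Provider{apps: map[string]App{}, sessions: map[string]string{}, codes: map[string]grant{}}
	app := App{"client-1", "alice", "http://localhost:9000/cb"} // constructed app, created by alice
	p.apps[app.ClientID] = app
	result := map[string]bool{}
	for i, user := range []string{"alice", "bob"} {
		cookie := fmt.Sprintf("sess-%d", i) // constructed session cookie
		p.sessions[cookie] = user           // user logs in on the provider
		nonce := randomToken()
		code, err := p.IssueCode(cookie, app.ClientID, app.RedirectURI, nonce, bindToOwner)
		if err != nil {
			panic(err)
		}
		sub, gotNonce, err := p.Exchange(code, app.ClientID)
		if err != nil || gotNonce != nonce { // the client's nonce check passes either way
			panic("exchange failed or nonce mismatch")
		}
		result[user] = sub == user
	}
	return result
}

func main() {
	fmt.Println("owner-bound (reported):  ", CheckCodeFlow(true))  // map[alice:true bob:false]
	fmt.Println("session-bound (expected):", CheckCodeFlow(false)) // map[alice:true bob:true]
}
```

Running the program prints that in the owner-bound model only the app's creator gets a correct login while the second user is logged in as the creator, which is exactly the observation in the report; in the session-bound model both users get themselves back. For a client-side regression check, the useful assertion is therefore on the `sub` returned by the token or userinfo endpoint against the account that actually signed in on the provider, not only on `state` and `nonce`.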
6543 commented 3 years ago

please test against v1.15.0-rc2

zeripath commented 3 years ago

$ echo "49ad088b8" | git cat-file --batch
49ad088b8 missing

49ad088b8 does not refer to a commit, tag, or tree in Gitea's repository.

vw98075 commented 3 years ago

I just did

git fetch upstream

Its version is 1.15.0+dev-591-g49ad088b8. The bug still exists. I don't know whether I get the latest version or not. The upstream is https://github.com/go-gitea/gitea.git.

zeripath commented 3 years ago

At the time of me writing this comment the current HEAD of main is 370516883. The current head of release/v1.15 is 840d240a6 and is 614 commits after v1.15.0-dev. The current pre-release of v1.15 is v1.15.0-rc2 (0b06b2019) and is 607 commits after v1.15.0-dev.

You'll see that GitHub has highlighted & changed those SHAs into links into our commit tree. 49ad088b8 is not a commit in Gitea, and you'll see that because GitHub has not changed the SHA into a link.

You have some private changes and you are not testing on v1.15.0-rc2 or the latest head of v1.15.0.

You need to explain what those changes are and/or you need to update.

vw98075 commented 3 years ago

Thanks for your quick reply. I guess that either my git upstream isn't pointed to the right place or the fix isn't in the release/main branch yet. I don't know where to check the head. The version I provided is what I see on the bottom of the home page.

zeripath commented 3 years ago

Rebuild a clean version of Gitea.

I suggest you perform a clean checkout: git checkout v1.15.0-RC2 or git checkout release/v1.15 or git checkout main

Ensure that the checkout is clean - removing any old and weird files that you have - git status would help with that.

49ad088b8 is not a commit in Gitea - if you have changes that you wish to keep you will need to show that those changes are not the cause of your problems and explain why the SHA has changed (at the least with a git diff 49ad088b8 origin/release/v1.15 (v1.15.0-RC2 or main)) - but realistically we cannot support private patches on this forum.

techknowlogick commented 3 years ago

realistically we cannot support private patches on this forum.

If you'd like to commission a maintainer to review your code changes and support your issue please reach out (there are several maintainers who can offer paid support), otherwise, as @zeripath mentioned, we cannot support private patches.

I will close this issue now.

vw98075 commented 3 years ago

I try to trust the git code control practice. I learned that this is the proper way to merge my local changes with the upstream. The only change in my local codebase is the front page. There are no business local changes in my local code. Assuming the upstream is correct in this regard, that would be a problem in git then.

vw98075 commented 3 years ago

I got the rc3 branch without any changes today, that is, without merging it with my local customization code. And I get the same error.

[Screenshot: Screen Shot 2021-08-17 at 1 15 21 PM]