go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License
44.48k stars, 5.44k forks

[Feature] Authentication Sources - OAuth2 - Add JWT and PKCE Support #16983

Open bythewood opened 3 years ago

bythewood commented 3 years ago

Currently authentication sources for OAuth2 only support shared secrets (implicit flow), which is not recommended for security reasons. Recommend implementation of Private Key JWT and/or PKCE for OAuth2 authentication sources.
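As an added illustration of the PKCE half of this request (example code written for this page, not code from the issue, from Gitea or from goth): the client side generates a per-request code_verifier and sends only its S256 code_challenge with the authorization request, and the provider side later checks that the code_verifier presented at the token endpoint hashes to the stored challenge. Function names (GenerateCodeVerifier, CodeChallengeS256, ValidVerifier, VerifyPKCE) are assumed names chosen here; the test vector is the one from RFC 7636 Appendix B.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// GenerateCodeVerifier returns a fresh high-entropy code_verifier (RFC 7636 4.1).
// 32 random bytes base64url-encoded without padding give 43 characters, the
// minimum length the RFC allows; the client keeps this value secret until the
// token request. (Assumed helper name, not Gitea's API.)
func GenerateCodeVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// CodeChallengeS256 derives the value sent in the authorization request:
// BASE64URL(SHA256(code_verifier)) with no padding (RFC 7636 4.2).
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// ValidVerifier enforces the RFC grammar: 43..128 unreserved characters.
func ValidVerifier(v string) bool {
	if len(v) < 43 || len(v) > 128 {
		return false
	}
	for _, c := range v {
		switch {
		case c >= 'A' && c <= 'Z', c >= 'a' && c <= 'z', c >= '0' && c <= '9',
			c == '-', c == '.', c == '_', c == '~':
		default:
			return false
		}
	}
	return true
}

// VerifyPKCE is the provider-side check at the token endpoint: the stored
// challenge/method from the authorization request must match the verifier the
// client now presents. "plain" is refused so a caller cannot downgrade the
// transform; the comparison is constant-time.
func VerifyPKCE(storedChallenge, storedMethod, presentedVerifier string) bool {
	if !ValidVerifier(presentedVerifier) {
		return false
	}
	if storedMethod != "S256" {
		return false
	}
	expected := CodeChallengeS256(presentedVerifier)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(storedChallenge)) == 1
}

func main() {
	// Client side: generate the pair that goes with one authorization request.
	verifier, err := GenerateCodeVerifier()
	if err != nil {
		panic(err)
	}
	challenge := CodeChallengeS256(verifier)
	fmt.Println("code_challenge sent with /authorize:", challenge)
	// Provider side: the token request must carry the matching verifier.
	fmt.Println("token request accepted:", VerifyPKCE(challenge, "S256", verifier))
	fmt.Println("stolen code without verifier:", VerifyPKCE(challenge, "S256", "not-the-verifier"))
}
```

The point for this issue is that PKCE binds an authorization code to the client instance that started the flow, so an intercepted code is useless without the verifier; it does not by itself authenticate the client, which is what the Private Key JWT part of the request covers.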

zeripath commented 3 years ago

This already exists.

bythewood commented 3 years ago

Does it? As far as I can see, the latest release only supports client/server secrets for OAuth, which is implicit flow. You're probably thinking of OAuth providers (not sources), for which Gitea does support Private Key JWT and PKCE.

techknowlogick commented 3 years ago

I've re-opened this, but it may require some changes in https://github.com/markbates/goth upstream before we can support it.

NexZhu commented 4 months ago

@techknowlogick Is this supported now?