Closed hickford closed 1 year ago
A first step would be to add a client type field to type OAuth2Application https://github.com/go-gitea/gitea/blob/main/models/auth/oauth2.go and the associated forms.
GitLab has a confidential option:
Confidential: Enable only for confidential applications exclusively used by a trusted backend server that can securely store the client secret. Do not enable for native-mobile, single-page, or other JavaScript applications because they cannot keep the client secret confidential.
Secondly, I think handleAuthorizationCode would have to implement the logic described in https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3:
ensure that the authorization code was issued to the authenticated confidential client, or if the client is public, ensure that the code was issued to "client_id" in the request,
Right now, when my native app tries to authenticate, it gets the error "unauthorized_client: invalid client secret".
@jonasfranz who originally added OAuth support https://github.com/go-gitea/gitea/pull/5378 , do you have any insight?
The OAuth spec defines two types of client, confidential and public; however, Gitea assumes all clients are confidential.
This is a barrier to native apps using OAuth https://datatracker.ietf.org/doc/html/rfc8252
In particular, Gitea should record the client type https://datatracker.ietf.org/doc/html/rfc8252#section-8.4
and require PKCE for public clients: https://datatracker.ietf.org/doc/html/rfc8252#section-8.1
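To make the two requests above concrete (the RFC 6749 section 4.1.3 check from the earlier comment, and recording the client type and requiring PKCE for public clients from the issue text), here is an added example in Go. It is not Gitea's code and not part of this issue: ClientType, Client, AuthorizationCode, TokenRequest and ExchangeCode are hypothetical stand-ins for Gitea's OAuth2Application record and handleAuthorizationCode, reduced to the fields these checks read. The sample verifier in main is the RFC 7636 Appendix B test vector.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// ClientType is the client type of RFC 6749 section 2.1. It is a hypothetical
// field for this example, not a field of Gitea's OAuth2Application.
type ClientType int

const (
	Confidential ClientType = iota // backend that can keep a secret
	Public                         // native, mobile or single-page app
)

// Client stands in for a registered OAuth2 application record.
type Client struct {
	ID     string
	Type   ClientType
	Secret string // unused for public clients
}

// AuthorizationCode is what the server stored when it issued the code.
type AuthorizationCode struct {
	ClientID        string // client_id the code was issued to
	CodeChallenge   string // PKCE challenge, "" if none was sent
	ChallengeMethod string // "S256" or "plain"
}

// TokenRequest is the part of the token request these checks read.
type TokenRequest struct{ ClientID, ClientSecret, CodeVerifier string }

// Sentinel errors named after the RFC 6749 section 5.2 error codes.
var (
	ErrInvalidClient  = errors.New("invalid_client")
	ErrInvalidGrant   = errors.New("invalid_grant")
	ErrInvalidRequest = errors.New("invalid_request")
)

// s256Challenge is BASE64URL(SHA256(verifier)) without padding (RFC 7636 4.2).
func s256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

func equal(a, b string) bool { return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1 }

// verifyPKCE checks code_verifier against the challenge bound to the code.
func verifyPKCE(code AuthorizationCode, verifier string) error {
	if verifier == "" {
		return ErrInvalidRequest
	}
	expected := verifier // the "plain" method compares the verifier directly
	switch code.ChallengeMethod {
	case "S256":
		expected = s256Challenge(verifier)
	case "plain", "": // an absent method defaults to plain (RFC 7636 4.3)
	default:
		return ErrInvalidRequest
	}
	if !equal(expected, code.CodeChallenge) {
		return ErrInvalidGrant
	}
	return nil
}

// ExchangeCode runs the token-endpoint checks of RFC 6749 section 4.1.3 for
// both client types. Code lookup, expiry and redirect_uri matching are left
// out because the client type does not change them.
func ExchangeCode(client Client, code AuthorizationCode, req TokenRequest) error {
	switch client.Type {
	case Confidential: // authenticates with its secret
		if client.Secret == "" || !equal(req.ClientSecret, client.Secret) {
			return ErrInvalidClient
		}
	case Public: // cannot authenticate, so PKCE is mandatory (RFC 8252 8.1)
		if code.CodeChallenge == "" {
			return ErrInvalidGrant
		}
	default:
		return ErrInvalidClient
	}
	// Either way the code must have been issued to the requesting client_id.
	if code.ClientID != client.ID || req.ClientID != client.ID {
		return ErrInvalidGrant
	}
	// Check PKCE whenever a challenge was bound to the code, so confidential
	// clients that opted in are verified too (RFC 7636 4.6).
	if code.CodeChallenge != "" {
		return verifyPKCE(code, req.CodeVerifier)
	}
	return nil
}

func main() {
	// Constructed example: a public native app using the RFC 7636 Appendix B verifier.
	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
	app := Client{ID: "native-app", Type: Public}
	code := AuthorizationCode{ClientID: app.ID, CodeChallenge: s256Challenge(verifier), ChallengeMethod: "S256"}
	fmt.Println(ExchangeCode(app, code, TokenRequest{ClientID: app.ID, CodeVerifier: verifier})) // <nil>
	fmt.Println(ExchangeCode(app, code, TokenRequest{ClientID: app.ID, CodeVerifier: "wrong"}))  // invalid_grant
}
```

The point of the split in ExchangeCode is that a public client never reaches a secret comparison, which is exactly where the "invalid client secret" error in the comment above comes from; what binds the code to the client for a public client is the client_id match plus the PKCE verifier, not a secret the app could not keep anyway.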