Description
While Gitea supports PKCE as an OAuth provider, it doesn't allow clients to authenticate without providing a client secret. Clients which cannot safely store a client secret, e.g. serverless single-page apps and mobile apps, thus cannot authenticate. In particular, Netlify's authentication flow is done entirely client-side, and its OAuth PKCE authentication flow thus will not work with Gitea currently.
My current proposal for fixing this is to add a configuration option for OAuth applications which determines whether their clients are public or confidential. Public clients will be required to use PKCE but are not required to provide a client secret, whereas confidential clients will be required to provide a client secret but are not required to use PKCE.
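The token-endpoint rule proposed above, sketched as an added example (not Gitea's code and not part of the original issue). The `App`, `Grant` and `CheckTokenRequest` names are hypothetical, and accepting only the `S256` challenge method and hashing the secret with plain SHA-256 are assumptions of this sketch. The sample verifier and challenge are the RFC 7636 Appendix B test vector.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
)

// App is a hypothetical application record; Confidential models the proposed option.
type App struct {
	Confidential bool
	SecretHash   []byte // plain SHA-256 keeps the sketch short; assumption, not Gitea's storage
}

// Grant is what the server stored alongside the authorization code.
type Grant struct{ Challenge, Method string }

var ErrClient = errors.New("invalid_client: bad or missing client secret")
var ErrPKCE = errors.New("invalid_grant: PKCE verification failed")

func hash(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }

// verifyPKCE checks BASE64URL(SHA256(code_verifier)) == code_challenge (RFC 7636, S256).
func verifyPKCE(g Grant, verifier string) bool {
	if g.Method != "S256" || g.Challenge == "" || verifier == "" {
		return false
	}
	got := base64.RawURLEncoding.EncodeToString(hash(verifier))
	return subtle.ConstantTimeCompare([]byte(got), []byte(g.Challenge)) == 1
}

// CheckTokenRequest applies the per-client-type rules to an authorization-code exchange.
func CheckTokenRequest(app App, g Grant, secret, verifier string) error {
	if app.Confidential {
		if subtle.ConstantTimeCompare(hash(secret), app.SecretHash) != 1 {
			return ErrClient
		}
		if g.Challenge == "" {
			return nil // PKCE stays optional for confidential clients
		}
	}
	if !verifyPKCE(g, verifier) { // always reached for public clients
		return ErrPKCE
	}
	return nil
}

// A public client that skipped PKCE is rejected: prints true.
func main() { println(CheckTokenRequest(App{}, Grant{}, "", "") == ErrPKCE) }
```

A confidential client that did send a `code_challenge` is still held to it here, so sending one never weakens the exchange.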