OAuth refresh handler should require client authentication #21418

Closed
@hickford

Description

The OAuth `authorization_code` handler authenticates the client by validating the client secret:

```go
if !app.ValidateClientSecret([]byte(form.ClientSecret)) {
	errorDescription := "invalid client secret"
	if form.ClientSecret == "" {
		errorDescription = "invalid empty client secret"
	}
	handleAccessTokenError(ctx, AccessTokenError{
		ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,
		ErrorDescription: errorDescription,
	})
	return
}
```

According to the OAuth spec, https://datatracker.ietf.org/doc/html/rfc6749#section-6, this should also happen when "Refreshing an Access Token":

> The authorization server MUST ... require client authentication for confidential clients

but `handleRefreshToken` doesn't do this:

```go
func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, serverKey, clientKey oauth2.JWTSigningKey) {
```
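The check the issue asks for, written out as an added example that is not Gitea's code: a minimal Go token endpoint in which the `App`, `Store`, `AccessTokenForm` and `HandleAccessToken` names, the SHA-256 secret storage and the in-memory grant tables are all assumptions made for the demo. Client authentication runs once, before the `grant_type` switch, so the `refresh_token` path cannot skip it; the refresh branch additionally verifies that the presented token was issued to the authenticated client, which the same RFC 6749 §6 sentence requires.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Error codes from RFC 6749 §5.2 used by this example.
const (
	ErrUnauthorizedClient   = "unauthorized_client"
	ErrInvalidGrant         = "invalid_grant"
	ErrUnsupportedGrantType = "unsupported_grant_type"
)

type AccessTokenError struct{ ErrorCode, ErrorDescription string }

func (e AccessTokenError) Error() string { return e.ErrorCode + ": " + e.ErrorDescription }

// App is a hypothetical registered client (not Gitea's type); only a SHA-256 hash of its secret is kept.
type App struct {
	ClientID     string
	Confidential bool // true if the client was issued a secret (RFC 6749 §2.1)
	secretHash   [32]byte
}

func NewApp(clientID, secret string, confidential bool) *App {
	return &App{ClientID: clientID, Confidential: confidential, secretHash: sha256.Sum256([]byte(secret))}
}

func (a *App) ValidateClientSecret(secret []byte) bool {
	h := sha256.Sum256(secret)
	return subtle.ConstantTimeCompare(h[:], a.secretHash[:]) == 1 // constant time: no timing side channel
}

type AccessTokenForm struct{ GrantType, ClientID, ClientSecret, Code, RefreshToken string }

// Store stands in for the database; Codes and RefreshTokens map each grant to the client ID it was issued to.
type Store struct {
	Apps                 map[string]*App
	Codes, RefreshTokens map[string]string
}

func randomToken() string {
	b := make([]byte, 16)
	_, _ = rand.Read(b) // crypto/rand: documented not to fail on supported platforms
	return hex.EncodeToString(b)
}

// authenticateClient enforces RFC 6749 §6: a confidential client must authenticate on every
// token request. It runs before grant-type dispatch, so refresh_token cannot bypass it.
func authenticateClient(app *App, form AccessTokenForm) error {
	if !app.Confidential {
		return nil // public client: no secret was ever issued
	}
	if form.ClientSecret == "" {
		return AccessTokenError{ErrUnauthorizedClient, "invalid empty client secret"}
	}
	if !app.ValidateClientSecret([]byte(form.ClientSecret)) {
		return AccessTokenError{ErrUnauthorizedClient, "invalid client secret"}
	}
	return nil
}

// HandleAccessToken is the token endpoint: response parameters on success, an OAuth error otherwise.
func HandleAccessToken(s *Store, form AccessTokenForm) (map[string]string, error) {
	app, ok := s.Apps[form.ClientID]
	if !ok {
		return nil, AccessTokenError{ErrUnauthorizedClient, "unknown client"}
	}
	if err := authenticateClient(app, form); err != nil {
		return nil, err
	}
	switch form.GrantType {
	case "authorization_code":
		if owner, ok := s.Codes[form.Code]; !ok || owner != app.ClientID {
			return nil, AccessTokenError{ErrInvalidGrant, "invalid authorization code"}
		}
		delete(s.Codes, form.Code) // single use
	case "refresh_token":
		if owner, ok := s.RefreshTokens[form.RefreshToken]; !ok || owner != app.ClientID {
			return nil, AccessTokenError{ErrInvalidGrant, "refresh token was not issued to this client"}
		}
		delete(s.RefreshTokens, form.RefreshToken) // rotate: the presented token is consumed
	default:
		return nil, AccessTokenError{ErrUnsupportedGrantType, form.GrantType}
	}
	refresh := randomToken()
	s.RefreshTokens[refresh] = app.ClientID
	return map[string]string{"access_token": randomToken(), "token_type": "bearer", "refresh_token": refresh}, nil
}

func main() {
	s := &Store{Apps: map[string]*App{}, Codes: map[string]string{}, RefreshTokens: map[string]string{"rt-1": "web"}}
	s.Apps["web"] = NewApp("web", "s3cret", true) // constructed confidential client with a live refresh token
	_, err := HandleAccessToken(s, AccessTokenForm{GrantType: "refresh_token", ClientID: "web", RefreshToken: "rt-1"})
	fmt.Println("refresh without client secret:", err)
}
```

Two details worth keeping when porting this shape: the secret comparison goes through `subtle.ConstantTimeCompare` on hashes rather than `==` on the raw strings, and public clients (no secret issued) are exempted explicitly instead of by an empty-secret special case, so an attacker holding only a leaked refresh token for a confidential client gets `unauthorized_client` rather than a fresh access token.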
