Cannot disable pre-registered OAuth2 applications #29074

Closed
@Adrian-Hirt

Description


In #26291, pre-registered OAuth applications were added to Gitea.

In my case, we would like to disable them (or rather OAuth2 capabilities in general), but this does not seem to be possible.

A) If I set DEFAULT_APPLICATIONS to an empty value, it will be ignored and both of the pre-configured applications will be enabled. Setting the config value to any other option will raise an error on startup, as there is no pre-configured application with that name. Am I missing something here? Setting this setting to an empty value probably should disable all the pre-configured applications, right?

B) In addition, setting ENABLE = false in the [oauth2] section in app.ini has no effect. It's not possible to view OAuth2 applications, but it's still possible to use the pre-defined applications to log in, e.g. when using git-credential-manager. I'd expect the OAuth2 login endpoint to be completely disabled if the setting ENABLE is set to false, i.e. if this is set to false, logging in with OAuth2 should be completely disabled, also for the predefined applications.

How to reproduce:

For A):

  • Set DEFAULT_APPLICATIONS = in [oauth2] section in app.ini
  • Set ENABLE = true in [oauth2] section in app.ini
  • Start webserver
  • Navigate to Admin Settings > Applications

Expected behaviour:

  • No pre-configured applications are listed

Observed behaviour:

  • Both the git-credential-manager and git-credential-oauth applications are present

For B):

  • Set ENABLE = false in [oauth2] section in app.ini
  • Start webserver
  • Start an OAuth request from git-credential-manager, e.g. by cloning a repo via HTTPS

Expected behaviour:

  • The Authorization request should be rejected by Gitea, as OAuth2 is disabled

Observed behaviour:

  • The Authorization request works the same as in the case where ENABLE is set to true

Please let me know if you need any other info. I greatly appreciate the work done here, and I can just block these requests on the reverse proxy, but I still wanted to bring this issue to attention. Have a nice day!

Gitea Version

v1.21.5

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

https://gist.github.com/Adrian-Hirt/0f1c5a26892018ac90a04f6aa1f5a4c0

Screenshots

No response

Git Version

No response

Operating System

Fedora 37

How are you running Gitea?

I'm running the binary from the download page.

Database

MySQL/MariaDB
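As an added example (not Gitea's own code and not written by the reporter): a small Python audit script that parses the [oauth2] section of an app.ini and reports the two gaps described in this issue, so an operator who believes OAuth2 is switched off can see that the pre-registered applications are still reachable. The two application names come from the issue; the comma-separated format of DEFAULT_APPLICATIONS, ENABLE defaulting to true when absent, and the /login/oauth/ path prefix used in the reverse-proxy snippet are assumptions to verify against your Gitea version.

```python
"""Audit a Gitea app.ini [oauth2] section against the behaviour reported in issue #29074.

Added example, not Gitea code.  Assumptions (verify against your version):
  * DEFAULT_APPLICATIONS is a comma-separated list of pre-registered app names
  * ENABLE defaults to true when absent
  * Gitea's OAuth2 endpoints live under the /login/oauth/ path prefix
"""
import configparser

# Pre-registered applications named in the issue.
PREREGISTERED_APPS = frozenset({"git-credential-manager", "git-credential-oauth"})

# Constructed sample configs mirroring the issue's two reproduction cases.
SAMPLE_APP_INI_CASE_A = """
[server]
ROOT_URL = https://git.example.invalid/

[oauth2]
ENABLE = true
DEFAULT_APPLICATIONS =
"""

SAMPLE_APP_INI_CASE_B = """
[oauth2]
ENABLE = false
"""


def parse_app_ini(text):
    """Parse app.ini text, keeping Gitea's upper-case key names as written."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def effective_default_apps(cp):
    """Pre-registered apps that end up enabled, following the issue's observations:
    an empty or absent list is ignored (both apps enabled); an unknown name is a startup error."""
    raw = cp.get("oauth2", "DEFAULT_APPLICATIONS", fallback="") or ""
    names = {n.strip() for n in raw.split(",") if n.strip()}
    if not names:
        return set(PREREGISTERED_APPS)
    unknown = names - PREREGISTERED_APPS
    if unknown:
        raise ValueError(f"unknown pre-registered application(s): {sorted(unknown)}")
    return names


def audit(text):
    """Return a list of findings where the config reads as 'OAuth2 off' but is not."""
    cp = parse_app_ini(text)
    findings = []
    enabled = cp.getboolean("oauth2", "ENABLE", fallback=True)
    apps = ", ".join(sorted(effective_default_apps(cp)))
    if not enabled:
        # Case B: the admin applications page is hidden, but the login flow still works.
        findings.append(f"ENABLE=false hides the admin page only; OAuth2 login still "
                        f"works for pre-registered apps: {apps}")
    raw = cp.get("oauth2", "DEFAULT_APPLICATIONS", fallback=None)
    if raw is not None and not raw.strip():
        # Case A: an explicitly empty list is ignored rather than disabling the apps.
        findings.append(f"DEFAULT_APPLICATIONS is set but empty; this is ignored and "
                        f"both apps stay enabled: {apps}")
    return findings


def reverse_proxy_deny_snippet(path_prefix="/login/oauth/"):
    """nginx location block that refuses OAuth2 requests before they reach Gitea,
    the reporter's workaround.  The prefix is an assumption; check your Gitea's routes."""
    return f"location ^~ {path_prefix} {{\n    return 403;\n}}\n"


if __name__ == "__main__":
    for label, cfg in (("case A", SAMPLE_APP_INI_CASE_A), ("case B", SAMPLE_APP_INI_CASE_B)):
        print(label, audit(cfg) or ["no findings"])
    print(reverse_proxy_deny_snippet())
```

Run it against your real app.ini by passing the file contents to `audit()`; a non-empty result means the configuration alone does not stop OAuth2 logins for the pre-registered applications, and the proxy-level deny rule (or an upstream fix) is what actually closes the endpoint.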

Assignees

No one assigned

Labels

type/proposal: The new feature has not been accepted yet but needs to be discussed first.