Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prevent automatic OAuth grants for public clients (#30790) #30835

Merged
merged 1 commit into from
May 2, 2024

Conversation

GiteaBot
Copy link
Collaborator

@GiteaBot GiteaBot commented May 2, 2024

Backport #30790 by archer-321

This commit forces the resource owner (user) to always approve OAuth 2.0 authorization requests if the client is public (e.g. native applications).

As detailed in RFC 6749 Section 10.2,

The authorization server SHOULD NOT process repeated authorization requests automatically (without active resource owner interaction) without authenticating the client or relying on other measures to ensure that the repeated request comes from the original client and not an impersonator.

With the implementation prior to this patch, attackers with access to the redirect URI (e.g., the loopback interface for git-credential-oauth) can get access to the user account without any user interaction if they can redirect the user to the /login/oauth/authorize endpoint somehow (e.g., with xdg-open on Linux).

Fixes #25061.

This commit forces the resource owner (user) to always approve OAuth 2.0
authorization requests if the client is public (e.g. native
applications).

As detailed in [RFC 6749 Section 10.2](https://www.rfc-editor.org/rfc/rfc6749.html#section-10.2),

> The authorization server SHOULD NOT process repeated authorization
requests automatically (without active resource owner interaction)
without authenticating the client or relying on other measures to ensure
that the repeated request comes from the original client and not an
impersonator.

With the implementation prior to this patch, attackers with access to
the redirect URI (e.g., the loopback interface for
`git-credential-oauth`) can get access to the user account without any
user interaction if they can redirect the user to the
`/login/oauth/authorize` endpoint somehow (e.g., with `xdg-open` on
Linux).

Fixes go-gitea#25061.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
@GiteaBot GiteaBot added modifies/go Pull requests that update Go code type/bug labels May 2, 2024
@GiteaBot GiteaBot added this to the 1.21.12 milestone May 2, 2024
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label May 2, 2024
@GiteaBot GiteaBot requested review from delvh and wxiaoguang May 2, 2024 17:06
@pull-request-size pull-request-size bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label May 2, 2024
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels May 2, 2024
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels May 2, 2024
@silverwind silverwind merged commit 1389fa8 into go-gitea:release/v1.21 May 2, 2024
27 checks passed
@go-gitea go-gitea locked as resolved and limited conversation to collaborators Aug 1, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/go Pull requests that update Go code size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. type/bug
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants