OIDC: case-insensitive comparison for auth scheme Basic
#31706
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pull-request-size
bot
added
the
size/XS
GiteaBot
added
the
lgtm/need 2
wolfogre
approved these changes
Jul 26, 2024
GiteaBot
added
lgtm/need 1
silverwind
approved these changes
Jul 26, 2024
GiteaBot
added
lgtm/done
techknowlogick
approved these changes
Jul 26, 2024
techknowlogick
added
skip-changelog
GiteaBot
removed
the
reviewed/wait-merge
zjjhot
added a commit
to zjjhot/gitea
that referenced
this pull request
Jul 29, 2024
* giteaofficial/main: Make GetRepositoryByName more safer (go-gitea#31712) [skip ci] Updated licenses and gitignores Run `go-install` in `deps-tools` in parallel (go-gitea#31711) Hide the "Details" link of commit status when the user cannot access actions (go-gitea#30156) Enable `no-jquery/no-parse-html-literal` and fix violation (go-gitea#31684) [skip ci] Updated translations via Crowdin OIDC: case-insensitive comparison for auth scheme `Basic` (go-gitea#31706) Support `pull_request_target` event for commit status (go-gitea#31703) Add types to fetch,toast,bootstrap,svg (go-gitea#31627) Run `detectWebAuthnSupport` only if necessary (go-gitea#31691) add `username` to OIDC introspection response (go-gitea#31688) Add return type to GetRawFileOrLFS and GetRawFile (go-gitea#31680) Support delete user email in admin panel (go-gitea#31690) Use GetDisplayName() instead of DisplayName() to generate rss feeds (go-gitea#31687)
DennisRasey
pushed a commit
to DennisRasey/forgejo
that referenced
this pull request
Aug 8, 2024
These are the three conflicted changes from #4716: * go-gitea/gitea#31632 * go-gitea/gitea#31688 * go-gitea/gitea#31706 cc @earl-warren; as per discussion on go-gitea/gitea#31632 this involves a small compatibility break (OIDC introspection requests now require a valid client ID and secret, instead of a valid OIDC token) ## Checklist The [developer guide](https://forgejo.org/docs/next/developer/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests - I added test coverage for Go changes... - [ ] in their respective `*_test.go` for unit tests. - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [ ] I did not document these changes and I do not expect someone else to do it. ### Release notes - [ ] I do not want this change to show in the release notes. - [ ] I want the title to show in the release notes with a link to this pull request. - [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title. <!--start release-notes-assistant--> ## Draft release notes <!--URL:https://codeberg.org/forgejo/forgejo--> - Breaking features - [PR](https://codeberg.org/forgejo/forgejo/pulls/4724): <!--number 4724 --><!--line 0 --><!--description T0lEQyBpbnRlZ3JhdGlvbnMgdGhhdCBQT1NUIHRvIGAvbG9naW4vb2F1dGgvaW50cm9zcGVjdGAgd2l0aG91dCBzZW5kaW5nIEhUVFAgYmFzaWMgYXV0aGVudGljYXRpb24gd2lsbCBub3cgZmFpbCB3aXRoIGEgNDAxIEhUVFAgVW5hdXRob3JpemVkIGVycm9yLiBUbyBmaXggdGhlIGVycm9yLCB0aGUgY2xpZW50IG11c3QgYmVnaW4gc2VuZGluZyBIVFRQIGJhc2ljIGF1dGhlbnRpY2F0aW9uIHdpdGggYSB2YWxpZCBjbGllbnQgSUQgYW5kIHNlY3JldC4gVGhpcyBlbmRwb2ludCB3YXMgcHJldmlvdXNseSBhdXRoZW50aWNhdGVkIHZpYSB0aGUgaW50cm9zcGVjdGlvbiB0b2tlbiBpdHNlbGYsIHdoaWNoIGlzIGxlc3Mgc2VjdXJlLg==-->OIDC integrations that POST to `/login/oauth/introspect` without sending HTTP basic authentication will now fail with a 401 HTTP Unauthorized error. To fix the error, the client must begin sending HTTP basic authentication with a valid client ID and secret. This endpoint was previously authenticated via the introspection token itself, which is less secure.<!--description--> <!--end release-notes-assistant--> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4724 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Co-authored-by: Shivaram Lingamneni <slingamn@cs.stanford.edu> Co-committed-by: Shivaram Lingamneni <slingamn@cs.stanford.edu>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
@kylef pointed out on #31632 that RFC7617 mandates case-insensitive comparison of the scheme field
Basic. #31632 copied a case-sensitive comparison from #6293. This PR fixes both comparisons.The issue only affects OIDC, since the implementation for normal Gitea endpoints is already correct:
gitea/services/auth/basic.go
Lines 55 to 58 in 930ca92