Prevent automatic OAuth grants for public clients

As detailed in Section 10.2 of RFC 6749 (The OAuth 2.0 Authorization
Framework):
> The authorization server SHOULD NOT process repeated authorization
> requests automatically (without active resource owner interaction)
> without authenticating the client [...].

Prior to this commit, Gitea would automatically issue authorization
codes if the user previously granted access to the specific client.
Especially with pre-registered OAuth clients using loopback interface
redirects (like `git-credential-oauth`), this makes it possible for
malicious applications with access to the same loopback interface and
the ability to open a URL using the user's browser to impersonate public
clients and get access to the user's account without manual interaction.

This patch simply introduces an additional condition that prevents
automatic grants if the application is not confidential.
Archer 2024-04-30 21:20:43 +02:00
parent a988237eb4
commit e8bc0f8e53


@ -470,8 +470,9 @@ func AuthorizeOAuth(ctx *context.Context) {
return
}
// Redirect if user already granted access
if grant != nil {
// Redirect if user already granted access and the application is confidential.
// I.e. always require authorization for public clients as recommended by RFC 6749 Section 10.2
if app.ConfidentialClient && grant != nil {
code, err := grant.GenerateNewAuthorizationCode(ctx, form.RedirectURI, form.CodeChallenge, form.CodeChallengeMethod)
if err != nil {
handleServerError(ctx, form.State, form.RedirectURI)
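Review bot: the new condition `if app.ConfidentialClient && grant != nil {` changes the user-visible flow for every public client (including `git-credential-oauth`, named in the commit message), which will now see the consent page on every authorization request even when a grant already exists; that behaviour change deserves a changelog entry and a test exercising the public-client path (grant present, `ConfidentialClient` false) to assert that no code is issued without interaction. Also consider keeping the nil check first, `if grant != nil && app.ConfidentialClient {`, so the intent (a grant must exist before its confidentiality matters) reads in the order the comment on the line above states it.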