github-starred/gitea
2
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-03-22 06:24:14 -05:00
Code Issues 2.6k Packages Projects Releases 100 Wiki Activity

Support for OAuth public clients (native apps) #9635

New Issue
Closed
opened 2025-11-02 08:45:03 -06:00 by GiteaMirror · 3 comments
GiteaMirror commented 2025-11-02 08:45:03 -06:00
Owner
Copy Link

Originally created by @hickford on GitHub (Sep 29, 2022).

The OAuth spec defines two types of client, confidential and public, however Gitea assumes all clients to be confidential.

OAuth defines two client types, based on their ability to authenticate securely with the authorization server (i.e., ability to
maintain the confidentiality of their client credentials):

confidential
Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with
restricted access to the client credentials), or capable of secure client authentication using other means.

public
Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.

The client type designation is based on the authorization server's definition of secure authentication and its acceptable exposure levels of client credentials. The authorization server SHOULD NOT make assumptions about the client type.

This is a barrier to native apps using OAuth https://datatracker.ietf.org/doc/html/rfc8252

Some OAuth server implementations that assume all clients are confidential web clients will need to add an
understanding of public native app clients and the types of redirect URIs they use to support this best practice.

In particular, Gitea should record the client type https://datatracker.ietf.org/doc/html/rfc8252#section-8.4

Authorization servers MUST record the client type in the client registration details in order to identify and process requests
accordingly.

and require PKCE for public clients: https://datatracker.ietf.org/doc/html/rfc8252#section-8.1

Authorization servers SHOULD reject authorization requests from native apps that don't use PKCE by returning an error message

Originally created by @hickford on GitHub (Sep 29, 2022). The OAuth spec [defines two types of client](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1), confidential and public, however Gitea assumes all clients to be confidential. > OAuth defines two client types, based on their ability to authenticate securely with the authorization server (i.e., ability to > maintain the confidentiality of their client credentials): > > confidential > Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with > restricted access to the client credentials), or capable of secure client authentication using other means. > > **public > Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.** > > The client type designation is based on the authorization server's definition of secure authentication and its acceptable exposure levels of client credentials. The authorization server SHOULD NOT make assumptions about the client type. This is a barrier to native apps using OAuth https://datatracker.ietf.org/doc/html/rfc8252 > Some OAuth server implementations that assume all clients are confidential web clients will need to add an understanding of public native app clients and the types of redirect URIs they use to support this best practice. In particular, Gitea should record the client type https://datatracker.ietf.org/doc/html/rfc8252#section-8.4 > Authorization servers MUST record the client type in the client registration details in order to identify and process requests accordingly. and require PKCE for public clients: https://datatracker.ietf.org/doc/html/rfc8252#section-8.1 > Authorization servers SHOULD reject authorization requests from native apps that don't use PKCE by returning an error message
GiteaMirror added the type/proposaltype/feature labels 2025-11-02 08:45:03 -06:00
GiteaMirror commented 2025-11-02 08:45:04 -06:00
Author
Owner
Copy Link

@hickford commented on GitHub (Sep 29, 2022):

First step would be to add client type field to type OAuth2Application https://github.com/go-gitea/gitea/blob/main/models/auth/oauth2.go and associated forms

GitLab has a confidential option:

Confidential
Enable only for confidential applications exclusively used by a trusted backend server that can securely store the client secret. Do not enable for native-mobile, single-page, or other JavaScript applications because they cannot keep the client secret confidential.

image

@hickford commented on GitHub (Sep 29, 2022): First step would be to add client type field to type OAuth2Application https://github.com/go-gitea/gitea/blob/main/models/auth/oauth2.go and associated forms GitLab has a confidential option: > Confidential Enable only for confidential applications exclusively used by a trusted backend server that can securely store the client secret. Do not enable for native-mobile, single-page, or other JavaScript applications because they cannot keep the client secret confidential. ![image](https://user-images.githubusercontent.com/105314/192996007-2527843b-8078-4fe2-af31-4e1207e26be5.png)
GiteaMirror commented 2025-11-02 08:45:04 -06:00
Author
Owner
Copy Link

@hickford commented on GitHub (Sep 29, 2022):

Secondly I think handleAuthorizationCode would have to implement the logic described in https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3:

ensure that the authorization code was issued to the authenticated confidential client, or if the client is public, ensure that the code was issued to "client_id" in the request,

Right now when my native app tries to authenticate, it gets error "unauthorized_client: invalid client secret".

@hickford commented on GitHub (Sep 29, 2022): Secondly I think [handleAuthorizationCode](https://github.com/go-gitea/gitea/blob/08609d439d81f65c4f691609acaa29c1c7e96757/routers/web/auth/oauth.go#L679) would have to implement the logic described in https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3: > ensure that the authorization code was issued to the authenticated confidential client, or **if the client is public, ensure that the code was issued to "client_id" in the request**, Right now when my native app tries to authenticate, it gets error "unauthorized_client: invalid client secret".
GiteaMirror commented 2025-11-02 08:45:04 -06:00
Author
Owner
Copy Link

@hickford commented on GitHub (Sep 29, 2022):

@jonasfranz who originally added OAuth support https://github.com/go-gitea/gitea/pull/5378 , do you have any insight?

@hickford commented on GitHub (Sep 29, 2022): @jonasfranz who originally added OAuth support https://github.com/go-gitea/gitea/pull/5378 , do you have any insight?
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
$20
$250
$50
$500
backport/done
💎 Bounty
docs-update-needed
good first issue
hacktoberfest
issue/bounty
issue/confirmed
issue/critical
issue/duplicate
issue/needs-feedback
issue/not-a-bug
issue/regression
issue/stale
issue/workaround
lgtm/need 2
modifies/api
modifies/translation
outdated/backport/v1.18
outdated/theme/markdown
outdated/theme/timetracker
performance/bigrepo
performance/cpu
performance/memory
performance/speed
pr/breaking
proposal/accepted
proposal/rejected
pr/wip
pull-request
Mirrored from GitHub Pull Request
 reviewed/wontfix
💰 Rewarded
skip-changelog
status/blocked
topic/accessibility
topic/api
topic/authentication
topic/build
topic/code-linting
topic/commit-signing
topic/content-rendering
topic/deployment
topic/distribution
topic/federation
topic/gitea-actions
topic/issues
topic/lfs
topic/mobile
topic/moderation
topic/packages
topic/pr
topic/projects
topic/repo
topic/repo-migration
topic/security
topic/theme
topic/ui
topic/ui-interaction
topic/ux
topic/webhooks
topic/wiki
type/bug
type/deprecation
type/docs
type/enhancement
type/feature
type/miscellaneous
type/proposal
type/question
type/refactoring
type/summary
type/testing
type/upstream
No Label type/feature type/proposal
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#9635
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?