Skip to content

OAuth should require user consent for every public client authorization #25061

New issue
New issue
Closed
#30790
Closed
OAuth should require user consent for every public client authorization#25061
#30790
Labels
topic/securitySomething leaks user information or is otherwise vulnerable. Should be fixed!
@hickford

Description

@hickford
hickford
opened on Jun 3, 2023

Description

Following OAuth spec https://datatracker.ietf.org/doc/html/rfc8252#section-8.6

the authorization server SHOULD NOT process authorization requests automatically without user consent or interaction, except when the identity of the client can be assured [ie. client is a confidential client]. This includes the case where the user has previously approved an authorization request for a given client id

However Gitea's AuthorizeOAuth only asks for consent on the first authorization. This behaviour is the same for both public clients and confidential clients. Correct would be to ask for consent on the first authorization for confidential clients, and every authorisation for public clients.

gitea/routers/web/auth/oauth.go

Lines 465 to 494 in af3deb0

grant, err := app.GetGrantByUserID(ctx, ctx.Doer.ID)
if err != nil {
handleServerError(ctx, form.State, form.RedirectURI)
return
}
// Redirect if user already granted access
if grant != nil {
code, err := grant.GenerateNewAuthorizationCode(ctx, form.RedirectURI, form.CodeChallenge, form.CodeChallengeMethod)
if err != nil {
handleServerError(ctx, form.State, form.RedirectURI)
return
}
redirect, err := code.GenerateRedirectURI(form.State)
if err != nil {
handleServerError(ctx, form.State, form.RedirectURI)
return
}
// Update nonce to reflect the new session
if len(form.Nonce) > 0 {
err := grant.SetNonce(ctx, form.Nonce)
if err != nil {
log.Error("Unable to update nonce: %v", err)
}
}
ctx.Redirect(redirect.String())
return
}
// show authorize page to grant access

Gitea Version

HEAD

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

reading code

Database

None

Metadata

Metadata

Assignees

No one assigned

    Labels

    topic/securitySomething leaks user information or is otherwise vulnerable. Should be fixed!

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions