Gitea as An OAuth Provider Redirects A Wrong User Account Data To Its Client #16724

Closed
vw98075 opened this issue Aug 19, 2021 · 0 comments · Fixed by #16736
vw98075 commented Aug 19, 2021

  • Gitea version (or commit ref): .15.0+rc3-10-g25437672b
  • Git version: Go1.16.5
  • Operating system: MacOS

Local build

  • Database (use [x]):
    • [x] PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
  • Log gist:
2021/08/18 17:12:29 Started GET /login/oauth/authorize?response_type=code&client_id=564a1ee4-7b37-4eb3-a2b7-aa53a5a18811&scope=openid%20profile%20email&state=Ml7_1i7v_hrOM-c2esm_NLbnXLmo4Spv17l8Dd11GNI%3D&redirect_uri=http://localhost:9000/login/oauth2/code/oidc&nonce=aIRv81v6hY_3ke0XTNXIFQ0pt0QfgOZvL1ln_teZ5c8 for [::1]:62859
2021/08/18 17:12:29 Completed GET /login/oauth/authorize?response_type=code&client_id=564a1ee4-7b37-4eb3-a2b7-aa53a5a18811&scope=openid%20profile%20email&state=Ml7_1i7v_hrOM-c2esm_NLbnXLmo4Spv17l8Dd11GNI%3D&redirect_uri=http://localhost:9000/login/oauth2/code/oidc&nonce=aIRv81v6hY_3ke0XTNXIFQ0pt0QfgOZvL1ln_teZ5c8 302 Found in 208.954µs
2021/08/18 17:12:29 Started GET /user/login for [::1]:62859
2021/08/18 17:12:29 Completed GET /user/login 200 OK in 1.882107ms
2021/08/18 17:12:59 Started POST /user/login for [::1]:62859
2021/08/18 17:12:59 Completed POST /user/login 302 Found in 17.798772ms
2021/08/18 17:12:59 Started GET /login/oauth/authorize?response_type=code&client_id=564a1ee4-7b37-4eb3-a2b7-aa53a5a18811&scope=openid%20profile%20email&state=Ml7_1i7v_hrOM-c2esm_NLbnXLmo4Spv17l8Dd11GNI%3D&redirect_uri=http://localhost:9000/login/oauth2/code/oidc&nonce=aIRv81v6hY_3ke0XTNXIFQ0pt0QfgOZvL1ln_teZ5c8 for [::1]:62859
2021/08/18 17:12:59 Completed GET /login/oauth/authorize?response_type=code&client_id=564a1ee4-7b37-4eb3-a2b7-aa53a5a18811&scope=openid%20profile%20email&state=Ml7_1i7v_hrOM-c2esm_NLbnXLmo4Spv17l8Dd11GNI%3D&redirect_uri=http://localhost:9000/login/oauth2/code/oidc&nonce=aIRv81v6hY_3ke0XTNXIFQ0pt0QfgOZvL1ln_teZ5c8 302 Found in 3.560918ms
2021/08/18 17:12:59 Started POST /login/oauth/access_token for 127.0.0.1:63183
2021/08/18 17:12:59 Completed POST /login/oauth/access_token 200 OK in 90.598884ms
2021/08/18 17:12:59 Started GET /login/oauth/keys for 127.0.0.1:63183
2021/08/18 17:12:59 Completed GET /login/oauth/keys 200 OK in 227.849µs
2021/08/18 17:12:59 Started GET /login/oauth/userinfo for 127.0.0.1:63183
2021/08/18 17:12:59 Completed GET /login/oauth/userinfo 200 OK in 1.336597ms

Description

This ticket is about the same bug stated in #16488. Although the ticket is closed, the same problem is still observed in the 1.15-rc3 branch where the problem is claimed to be fixed.

Steps:

  • sign in on an OAuth client app
  • get redirected to Gitea and sign in
  • get redirected back to the client app; the user that shows up in the client app isn't necessarily the same one who signed in to Gitea (it seems the user account which creates the OAuth app configuration is redirected back)

Screenshots

@lafriks lafriks added this to the 1.15.0 milestone Aug 19, 2021
@go-gitea go-gitea locked and limited conversation to collaborators Oct 19, 2021
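
A client-side consistency check for the flow in the log above (token request, then `/login/oauth/userinfo`), added here as an example and not code from Gitea or from the reporter's client: OpenID Connect Core requires the `sub` in the UserInfo response to exactly match the `sub` in the ID token, and a client that enforces this refuses to use a mismatched identity. The names `CheckSubject`, `subjectOf` and `fakeToken` and the sample claims are constructed; the ID token is assumed to be signature-verified already, and the check cannot flag a provider that puts the same wrong subject in both responses.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// subjectOf returns the "sub" claim of a JSON object, rejecting a missing one.
func subjectOf(raw []byte) (string, error) {
	var c struct{ Sub string `json:"sub"` }
	if err := json.Unmarshal(raw, &c); err != nil || c.Sub == "" {
		return "", fmt.Errorf("no usable sub claim (parse error: %v)", err)
	}
	return c.Sub, nil
}

// CheckSubject compares the sub of an ID token (assumed to be already
// signature-verified against /login/oauth/keys) with the userinfo body.
func CheckSubject(idToken string, userinfo []byte) error {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return fmt.Errorf("id_token is not a compact JWS")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return fmt.Errorf("id_token payload: %w", err)
	}
	tokSub, err1 := subjectOf(payload)
	uiSub, err2 := subjectOf(userinfo)
	if err1 != nil || err2 != nil {
		return fmt.Errorf("id_token: %v, userinfo: %v", err1, err2)
	}
	if tokSub != uiSub {
		return fmt.Errorf("sub mismatch: id_token %q, userinfo %q", tokSub, uiSub)
	}
	return nil
}

// fakeToken wraps constructed claims in an unsigned token, for the demo only.
func fakeToken(claims string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"none"}`)) + "." + enc([]byte(claims)) + ".sig"
}

func main() {
	fmt.Println(CheckSubject(fakeToken(`{"sub":"2"}`), []byte(`{"sub":"1"}`)))
}
```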