OAuth PKCE authentication requires divulging client secret #17107
Comments
Hello, we are experiencing the same issue. We would like to use the Gitea OAuth2 provider to secure our single-page application, but sending the client secret from a SPA is not secure. Would it be possible to implement the PKCE flow without requiring the client secret?
We're having the same issue; we'd like to provide Gitea as a backend for our git-cms in Plenti, but we can't protect secrets client-side. I noticed that there is a "Confidential Client" checkbox when creating an OAuth2 Application for an Organization, but I still haven't been able to successfully omit the
The PKCE flow according to [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636) allows for secure authorization without requiring the OAuth app to provide a client secret. It has been implemented in Gitea since #5378 (v1.8.0), but without the ability to omit the client secret. Since #21316 Gitea supports setting the client type at OAuth app registration. As public clients have already been forced to use PKCE since #21316, in this PR the client secret check is skipped if a public client is detected. As Gitea seems to implement PKCE authorization correctly according to the spec, this would allow the PKCE flow without providing a client secret. Also adds some docs for it; please check the language as I'm not a native English speaker.
Closes #17107
Closes #25047
While Gitea supports PKCE as an OAuth provider, it doesn't allow clients to authenticate without providing a client secret. Clients which cannot safely store a client secret, e.g. serverless single-page apps and mobile apps, thus cannot authenticate. In particular, Netlify's authentication flow is done entirely client-side, and its OAuth PKCE authentication flow thus will not work with Gitea currently.
My current proposal for fixing this is to add a configuration option for OAuth applications which determines whether their clients are public or confidential. Public clients will be required to use PKCE but are not required to provide a client secret, whereas confidential clients will be required to provide a client secret but are not required to use PKCE.
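As an added illustration of the rule proposed above (example code written for this page, not Gitea's own implementation or anything from this thread), a token-endpoint check that skips the client secret for public clients and enforces PKCE on them instead, while confidential clients must present the secret. The `OAuthApp` type, the error values and the function names are assumptions made for the example:

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
)

// Hypothetical app record for this example, not Gitea's own model (a real server stores a hash of the secret).
type OAuthApp struct {
	ClientSecret string
	Confidential bool // the "Confidential Client" checkbox mentioned in the issue
}

var (
	ErrBadSecret    = errors.New("confidential client: missing or invalid client_secret")
	ErrPKCERequired = errors.New("public client: code_challenge and code_verifier are mandatory")
	ErrBadVerifier  = errors.New("code_verifier does not match the code_challenge bound to the code")
)

// VerifyPKCE implements RFC 7636 section 4.6 for the S256 method: the server recomputes
// BASE64URL(SHA256(code_verifier)) and compares it with the challenge stored at authorization time.
func VerifyPKCE(verifier, challenge, method string) bool {
	if method != "S256" {
		return false // "plain" is omitted here; S256 is what a public client should use
	}
	sum := sha256.Sum256([]byte(verifier))
	derived := base64.RawURLEncoding.EncodeToString(sum[:]) // unpadded, per RFC 7636 appendix A
	return subtle.ConstantTimeCompare([]byte(derived), []byte(challenge)) == 1
}

// AuthenticateTokenRequest applies the rule proposed in the issue: a public client skips the
// client_secret check but must pass PKCE; a confidential client must present a valid secret.
// challenge/method were bound to the authorization code ("" if none); secret/verifier come from the token request.
func AuthenticateTokenRequest(app OAuthApp, challenge, method, secret, verifier string) error {
	if app.Confidential {
		if secret == "" || subtle.ConstantTimeCompare([]byte(secret), []byte(app.ClientSecret)) != 1 {
			return ErrBadSecret
		}
	} else if challenge == "" || verifier == "" {
		return ErrPKCERequired
	}
	// Any client that bound a challenge to the code must prove possession of the verifier.
	if challenge != "" && !VerifyPKCE(verifier, challenge, method) {
		return ErrBadVerifier
	}
	return nil
}
```

A confidential client that also sent a `code_challenge` still has its verifier checked, so enabling the checkbox never weakens PKCE for clients that use it.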