The OAuth authorization_code handler authenticates the client by validating the client secret
(gitea/routers/web/auth/oauth.go, lines 703 to 713 in 9862936).

According to the OAuth spec https://datatracker.ietf.org/doc/html/rfc6749#section-6, this should also happen when "Refreshing an Access Token":

> The authorization server MUST ... require client authentication for confidential clients

but handleRefreshToken doesn't do this
(gitea/routers/web/auth/oauth.go, line 658 in 9862936).
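The check the issue asks for, shown as an added Go example that is not Gitea's code: an in-memory token endpoint whose refresh handler authenticates a confidential client (constant-time secret comparison) before the refresh token is even looked up, lets a public client refresh without a secret, and, going a step beyond the issue, rotates the refresh token on use and rejects a token bound to a different client. The client records, the secret `s3cret`, the token names and the function names are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Sentinel errors named after the RFC 6749 section 5.2 error codes.
var (
	ErrInvalidClient = errors.New("invalid_client")
	ErrInvalidGrant  = errors.New("invalid_grant")
)

// client is a constructed stand-in for a registered OAuth application.
type client struct {
	ID           string
	secretHash   [32]byte // SHA-256 of the secret; a real server would use a password hash
	Confidential bool     // RFC 6749 section 2.1: confidential clients must authenticate
}

// refreshRecord tracks which client a refresh token was issued to and
// whether it has already been used (tokens are rotated on use).
type refreshRecord struct {
	ClientID string
	Revoked  bool
}

// tokenPair is what a successful refresh returns.
type tokenPair struct {
	AccessToken  string
	RefreshToken string
}

// server is a hypothetical in-memory token endpoint, not Gitea's implementation.
type server struct {
	clients map[string]client
	refresh map[string]refreshRecord
}

func hashSecret(secret string) [32]byte { return sha256.Sum256([]byte(secret)) }

func randomToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// authenticateClient verifies client_id/client_secret; the comparison is
// constant-time so a wrong secret is not distinguishable by timing.
func (s *server) authenticateClient(clientID, clientSecret string) error {
	c, ok := s.clients[clientID]
	if !ok {
		return ErrInvalidClient
	}
	given := hashSecret(clientSecret)
	if subtle.ConstantTimeCompare(given[:], c.secretHash[:]) != 1 {
		return ErrInvalidClient
	}
	return nil
}

// handleRefreshToken implements grant_type=refresh_token with the missing check:
// a confidential client must present a valid secret first (RFC 6749 section 6).
func (s *server) handleRefreshToken(clientID, clientSecret, refreshToken string) (tokenPair, error) {
	c, ok := s.clients[clientID]
	if !ok {
		return tokenPair{}, ErrInvalidClient
	}
	if c.Confidential {
		if err := s.authenticateClient(clientID, clientSecret); err != nil {
			return tokenPair{}, err
		}
	}
	rec, ok := s.refresh[refreshToken]
	// The token must exist, be unused, and belong to the authenticated client.
	if !ok || rec.Revoked || rec.ClientID != clientID {
		return tokenPair{}, ErrInvalidGrant
	}
	// Rotate: revoke the presented refresh token and issue a fresh pair.
	rec.Revoked = true
	s.refresh[refreshToken] = rec
	pair := tokenPair{AccessToken: randomToken(), RefreshToken: randomToken()}
	s.refresh[pair.RefreshToken] = refreshRecord{ClientID: clientID}
	return pair, nil
}

// newDemoServer seeds constructed clients and refresh tokens for the demo.
func newDemoServer() *server {
	return &server{
		clients: map[string]client{
			"confidential-app": {ID: "confidential-app", secretHash: hashSecret("s3cret"), Confidential: true},
			"public-cli":       {ID: "public-cli", Confidential: false},
		},
		refresh: map[string]refreshRecord{
			"rt-confidential": {ClientID: "confidential-app"},
			"rt-public":       {ClientID: "public-cli"},
		},
	}
}

func main() {
	s := newDemoServer()
	_, err := s.handleRefreshToken("confidential-app", "wrong-secret", "rt-confidential")
	fmt.Println("confidential client, wrong secret:", err)
	pair, err := s.handleRefreshToken("confidential-app", "s3cret", "rt-confidential")
	fmt.Println("confidential client, right secret:", err, pair.RefreshToken != "")
	_, err = s.handleRefreshToken("public-cli", "", "rt-public")
	fmt.Println("public client, no secret:", err)
}
```

The ordering matters for the defender: the secret is checked before the refresh token is consulted, so an unauthenticated request never learns whether a guessed refresh token exists, and a replayed (already rotated) token fails with invalid_grant rather than being honoured.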
Linked commit afebbf2: Require authentication for OAuth token refresh (#21421)

According to the OAuth spec https://datatracker.ietf.org/doc/html/rfc6749#section-6 when "Refreshing an Access Token"

> The authorization server MUST ... require client authentication for confidential clients

Fixes #21418

Co-authored-by: Gusted <[email protected]>
Co-authored-by: Lunny Xiao <[email protected]>