mirror of
1
Fork 0
forgejo/routers/web/auth
Denys Konovalov 7d855efb1f
Allow for PKCE flow without client secret + add docs (#25033)
The PKCE flow according to [RFC
7636](https://datatracker.ietf.org/doc/html/rfc7636) allows for secure
authorization without the requirement to provide a client secret for the
OAuth app.

It is implemented in Gitea since #5378 (v1.8.0), however without being
able to omit client secret.
Since #21316 Gitea supports setting client type at OAuth app
registration.

As public clients are already forced to use PKCE since #21316, in this
PR the client secret check is being skipped if a public client is
detected. As Gitea seems to implement PKCE authorization correctly
according to the spec, this would allow for PKCE flow without providing
a client secret.

Also add some docs for it, please check language as I'm not a native
English speaker.

Closes #17107
Closes #25047
2023-06-03 05:59:28 +02:00
..
2fa.go refactor some functions to support ctx as first parameter (#21878) 2022-12-03 10:48:26 +08:00
auth.go Split "modules/context.go" to separate files (#24569) 2023-05-08 17:36:54 +08:00
linkaccount.go Add context cache as a request level cache (#22294) 2023-02-15 21:37:34 +08:00
main_test.go Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
oauth.go Allow for PKCE flow without client secret + add docs (#25033) 2023-06-03 05:59:28 +02:00
oauth_test.go Add context cache as a request level cache (#22294) 2023-02-15 21:37:34 +08:00
openid.go Refactor cookie (#24107) 2023-04-13 15:45:33 -04:00
password.go Split "modules/context.go" to separate files (#24569) 2023-05-08 17:36:54 +08:00
webauthn.go Replace deprecated Webauthn library (#22400) 2023-01-11 21:51:00 -05:00