Feature/oauth userinfo #15721
Reference: lunny/gitea#15721
Pull request which adds the userinfo endpoint for OpenID Connect.
Solves #8534 (https://github.com/go-gitea/gitea/issues/8534)
Obsoletes the simple solution in pull request #14938.
Can be used with Grafana and mod_auth_openidc (tested on arm64/amd64).
Example configuration for mod_auth_openidc:
OIDCProviderMetadataURL <host/path_to>/.well-known/openid-configuration
OIDCClientID <clientid from gitea>
OIDCClientSecret <clientsecret from gitea>
OIDCProviderTokenEndpointParams client_secret=<clientsecret from gitea urlencoded>&client_id=<clientid from gitea urlencoded>
OIDCCryptoPassphrase <any random string>
OIDCRedirectURI <uri back to a non-existent path inside the protected url>
@ -196,0 +243,4 @@
}
response := &userInfoResponse{
Sub: fmt.Sprint(authUser.ID),
Name: authUser.FullName,
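Review bot: the response is built from authUser immediately after a closing brace, so this hunk does not show the path taken when the token lookup yields uid == 0; that case needs an explicit early return before `response := &userInfoResponse{`, answering with the RFC 6750 invalid_token error (HTTP 401 plus a WWW-Authenticate: Bearer challenge) rather than a server error, so a rejected token is never reported as an outage and the rest of the function does not have to be wrapped in `if uid != 0 {`.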
if uid == 0, we should still give an error.
@ -196,0 +243,4 @@
}
response := &userInfoResponse{
Sub: fmt.Sprint(authUser.ID),
Name: authUser.FullName,
Good point, will add this afternoon.
@ -196,0 +243,4 @@
}
response := &userInfoResponse{
Sub: fmt.Sprint(authUser.ID),
Name: authUser.FullName,
If we can check uid == 0 and return, it's a better control flow in Golang. And it should not be a server error but an invalid token.
@ -196,0 +243,4 @@
}
response := &userInfoResponse{
Sub: fmt.Sprint(authUser.ID),
Name: authUser.FullName,
Ah ok, so you mean a
before the if uid != 0 { ?
Or should I remove the if statement uid != 0 before the next block?
Sorry, but I'm new to Golang, so I am not so firm with control flows in Golang (coming from Python and some other languages).
@ -196,0 +243,4 @@
}
response := &userInfoResponse{
Sub: fmt.Sprint(authUser.ID),
Name: authUser.FullName,
Ok, just found RFC 6750 for invalid bearer token usage.
Will implement a new handleBearerTokenError() function, which should be used when there is an error at the UserInfo endpoint, according to the spec.
@ -196,0 +243,4 @@
}
response := &userInfoResponse{
Sub: fmt.Sprint(authUser.ID),
Name: authUser.FullName,
Implemented handleBearerTokenError and the BearerTokenError according to RFC 6750.
I didn't invalidate the token inside Gitea, because the access token itself is still valid at the client, and RFC 6750 says nothing about invalidating any access token; it should only respond with an invalid_token error and status code 401.
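The failure path discussed in this thread (early return on uid == 0, RFC 6750 error responses, no server-side revocation) as an added, self-contained Go example. This is not Gitea's code: the handler, the `/userinfo` path, the `users` and `accessTokens` maps and the `serveUserInfo` driver are constructed stand-ins for the project's token and user lookups, and the claims returned are the standard OIDC ones rather than the project's exact set.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// BearerTokenErrorCode is one of the three error codes defined in RFC 6750 section 3.1.
type BearerTokenErrorCode string

const (
	BearerTokenErrorCodeInvalidRequest    BearerTokenErrorCode = "invalid_request"    // 400
	BearerTokenErrorCodeInvalidToken      BearerTokenErrorCode = "invalid_token"      // 401
	BearerTokenErrorCodeInsufficientScope BearerTokenErrorCode = "insufficient_scope" // 403
)

// BearerTokenError carries an RFC 6750 error code and a human-readable description.
type BearerTokenError struct {
	ErrorCode        BearerTokenErrorCode
	ErrorDescription string
}

// httpStatus maps the error code to the status RFC 6750 section 3.1 prescribes.
// An unknown code is a programming error, so it fails closed as a 500 instead of guessing.
func (e BearerTokenError) httpStatus() int {
	switch e.ErrorCode {
	case BearerTokenErrorCodeInvalidRequest:
		return http.StatusBadRequest
	case BearerTokenErrorCodeInvalidToken:
		return http.StatusUnauthorized
	case BearerTokenErrorCodeInsufficientScope:
		return http.StatusForbidden
	default:
		return http.StatusInternalServerError
	}
}

// handleBearerTokenError writes the WWW-Authenticate challenge and a JSON body.
// Nothing is revoked server-side: RFC 6750 only asks the resource server to reject the request.
func handleBearerTokenError(w http.ResponseWriter, e BearerTokenError) {
	desc := strings.ReplaceAll(e.ErrorDescription, `"`, `'`) // keep the quoted-string well formed
	w.Header().Set("WWW-Authenticate",
		fmt.Sprintf(`Bearer realm="userinfo", error="%s", error_description="%s"`, e.ErrorCode, desc))
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(e.httpStatus())
	_ = json.NewEncoder(w).Encode(map[string]string{
		"error":             string(e.ErrorCode),
		"error_description": e.ErrorDescription,
	})
}

// userInfoResponse carries the standard OIDC userinfo claims.
type userInfoResponse struct {
	Sub               string `json:"sub"`
	Name              string `json:"name"`
	PreferredUsername string `json:"preferred_username"`
	Email             string `json:"email"`
}

// Constructed stand-ins for the user and access-token tables (hypothetical, not the project's models).
type user struct {
	ID       int64
	FullName string
	Username string
	Email    string
}

var users = map[int64]user{42: {ID: 42, FullName: "Ada Lovelace", Username: "ada", Email: "ada@example.org"}}
var accessTokens = map[string]int64{"tok-valid": 42} // token -> user id; anything else resolves to 0

// userIDForToken returns 0 for an unknown or expired token, the sentinel the review is about.
func userIDForToken(tok string) int64 { return accessTokens[tok] }

func userInfoHandler(w http.ResponseWriter, r *http.Request) {
	auth := r.Header.Get("Authorization")
	if auth == "" {
		// RFC 6750 section 3.1: with no credentials at all, challenge without an error code.
		w.Header().Set("WWW-Authenticate", `Bearer realm="userinfo"`)
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	const prefix = "Bearer "
	if !strings.HasPrefix(auth, prefix) {
		handleBearerTokenError(w, BearerTokenError{ErrorCode: BearerTokenErrorCodeInvalidRequest,
			ErrorDescription: "only Bearer authentication is supported"})
		return
	}
	uid := userIDForToken(strings.TrimPrefix(auth, prefix))
	// Early return on the failure case instead of wrapping the rest in `if uid != 0 { ... }`.
	if uid == 0 {
		handleBearerTokenError(w, BearerTokenError{ErrorCode: BearerTokenErrorCodeInvalidToken,
			ErrorDescription: "access token is invalid or expired"})
		return
	}
	authUser := users[uid]
	response := &userInfoResponse{
		Sub:               fmt.Sprint(authUser.ID),
		Name:              authUser.FullName,
		PreferredUsername: authUser.Username,
		Email:             authUser.Email,
	}
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(response)
}

// serveUserInfo drives the handler in-process and returns what a client would observe.
func serveUserInfo(authorization string) (status int, challenge string, body string) {
	req := httptest.NewRequest(http.MethodGet, "/userinfo", nil) // hypothetical path
	if authorization != "" {
		req.Header.Set("Authorization", authorization)
	}
	rec := httptest.NewRecorder()
	userInfoHandler(rec, req)
	return rec.Code, rec.Header().Get("WWW-Authenticate"), strings.TrimSpace(rec.Body.String())
}

func main() {
	for _, h := range []string{"", "Basic Zm9v", "Bearer tok-bogus", "Bearer tok-valid"} {
		status, challenge, body := serveUserInfo(h)
		fmt.Printf("%-18q -> %d %s %s\n", h, status, challenge, body)
	}
}
```

The four requests in `main` cover the cases the thread distinguishes: no credentials (401 with a bare challenge), a non-Bearer scheme (400 invalid_request), an unknown token (401 invalid_token) and a valid token (200 with the claims). The default branch of `httpStatus` is the same pattern as the switch with a default the reviewers asked for in handleAuthorizeError.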
If execution reaches this point, then it can be assumed that uid is not 0 (since if it were, then the above return would be hit), so you don't need to wrap the below in an if.
@ -571,3 +629,18 @@ func handleAuthorizeError(ctx *context.Context, authErr AuthorizeError, redirect
redirect.RawQuery = q.Encode()
ctx.Redirect(redirect.String(), 302)
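Review bot: the visible tail redirects with the error already encoded in the query string, but the 18 added lines of handleAuthorizeError should select that error with a switch on the error code that carries a default branch, so an AuthorizeError value nobody anticipated fails closed as a server-side error instead of redirecting with an empty or mismatched error parameter; the literal 302 would also read better as http.StatusFound.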
Using switch is better.
LGTM except @techknowlogick 's comment
@ -571,3 +629,18 @@ func handleAuthorizeError(ctx *context.Context, authErr AuthorizeError, redirect
redirect.RawQuery = q.Encode()
ctx.Redirect(redirect.String(), 302)
Implemented switch (I come from Python, where there is no switch available; my fault).
Also added a default for an unknown ErrorCode (this would be a server error, because it should never be reached unless there is some internal failure).
Removed the unneeded if statement.
Thank you so much for this PR :)
Hopefully you had a pleasant experience, and will make more in the future as we'd be happy to have them :) (if it wasn't a pleasant experience please do let us know and we can improve our process)