forgejo/routers
M Hickford 14bc4d79c1
Parse OAuth Authorization header when request omits client secret (#21351) (#21374)
Backport #21351

This fixes error "unauthorized_client: invalid client secret" when
client includes secret in Authorization header rather than request body.
OAuth spec permits both:
https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1

Clients in possession of a client password MAY use the HTTP Basic
authentication scheme ... Alternatively, the authorization server MAY
support including the client credentials in the request-body

Sanity validation that client id and client secret in request are
consistent with Authorization header.

Improve error descriptions. Error codes remain the same.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: zeripath <art27@cantab.net>
2022-10-08 16:53:17 +08:00
..
api Use Go 1.19 fmt for Gitea 1.17, sync emoji data (#21239) 2022-09-22 21:58:31 +08:00
common Rework raw file http header logic (#20484) (#20542) 2022-07-30 18:37:02 +02:00
install Add Cache-Control header to html and api responses, add no-transform (#20432) (#20459) 2022-07-23 11:58:58 +01:00
private Add migrate repo archiver and packages storage support on command line (#20757) (#20806) 2022-08-18 09:27:56 +08:00
utils A better go code formatter, and now make fmt can run in Windows (#17684) 2021-11-17 20:34:35 +08:00
web Parse OAuth Authorization header when request omits client secret (#21351) (#21374) 2022-10-08 16:53:17 +08:00
init.go Initialize cron last (#20373) (#20384) 2022-07-15 13:44:22 -04:00