mirror of
https://github.com/go-gitea/gitea
synced 2024-12-25 21:14:50 +01:00
2f1cb1d289
See discussion on #31561 for some background.

The introspect endpoint was using the OIDC token itself for authentication. This fixes it to use basic authentication with the client ID and secret instead:

* Applications with a valid client ID and secret should be able to successfully introspect an invalid token, receiving a 200 response with JSON data that indicates the token is invalid
* Requests with an invalid client ID and secret should not be able to introspect, even if the token itself is valid

Unlike #31561 (which just future-proofed the current behavior against future changes to `DISABLE_QUERY_AUTH_TOKEN`), this is a potential compatibility break (some introspection requests without valid client IDs that would previously succeed will now fail). Affected deployments must begin sending a valid HTTP basic authentication header with their introspection requests, with the username set to a valid client ID and the password set to the corresponding client secret.

 | ||
---|---|---|
actions | ||
activitypub | ||
analyze | ||
assetfs | ||
auth | ||
avatar | ||
badge | ||
base | ||
cache | ||
charset | ||
container | ||
csv | ||
dump | ||
emoji | ||
eventsource | ||
generate | ||
git | ||
gitgraph | ||
gitrepo | ||
graceful | ||
hcaptcha | ||
highlight | ||
hostmatcher | ||
html | ||
httpcache | ||
httplib | ||
indexer | ||
issue/template | ||
json | ||
label | ||
lfs | ||
log | ||
markup | ||
mcaptcha | ||
metrics | ||
migration | ||
nosql | ||
optional | ||
options | ||
packages | ||
paginator | ||
pprof | ||
private | ||
process | ||
proxy | ||
proxyprotocol | ||
public | ||
queue | ||
recaptcha | ||
references | ||
regexplru | ||
repository | ||
secret | ||
session | ||
setting | ||
sitemap | ||
ssh | ||
storage | ||
structs | ||
svg | ||
sync | ||
system | ||
templates | ||
test | ||
testlogger | ||
timeutil | ||
translation | ||
turnstile | ||
typesniffer | ||
updatechecker | ||
uri | ||
user | ||
util | ||
validation | ||
web | ||
webhook |