mirror of https://github.com/go-gitea/gitea synced 2024-11-15 06:21:23 +01:00
gitea/tests
Shivaram Lingamneni 2f1cb1d289
fix OIDC introspection authentication (#31632)
See discussion on #31561 for some background.

The introspect endpoint was using the OIDC token itself for
authentication. This fixes it to use basic authentication with the
client ID and secret instead:

* Applications with a valid client ID and secret should be able to
  successfully introspect an invalid token, receiving a 200 response
  with JSON data that indicates the token is invalid
* Requests with an invalid client ID and secret should not be able
  to introspect, even if the token itself is valid

Unlike #31561 (which just future-proofed the current behavior against
future changes to `DISABLE_QUERY_AUTH_TOKEN`), this is a potential
compatibility break (some introspection requests without valid client
IDs that would previously succeed will now fail). Affected deployments
must begin sending a valid HTTP basic authentication header with their
introspection requests, with the username set to a valid client ID and
the password set to the corresponding client secret.
2024-07-23 12:43:03 +00:00
e2e Add typescript guideline and typescript-specific eslint plugins and fix issues (#31521) 2024-07-03 17:48:14 +02:00
fuzz Rework markup link rendering (#26745) 2024-01-15 08:49:24 +00:00
gitea-lfs-meta Test views of LFS files (#22196) 2022-12-23 07:41:56 +08:00
gitea-repositories-meta Use raw Wiki links for non-renderable Wiki files (#30273) 2024-04-10 17:49:57 +00:00
integration fix OIDC introspection authentication (#31632) 2024-07-23 12:43:03 +00:00
testdata/data/attachments/a/0 Allow get release download files and lfs files with oauth2 token format (#26430) 2023-10-01 10:41:52 +00:00
mssql.ini.tmpl Azure blob storage support (#30995) 2024-05-30 07:33:50 +00:00
mysql.ini.tmpl Disable query token param in integration tests (#28592) 2023-12-23 11:29:51 +08:00
pgsql.ini.tmpl Azure blob storage support (#30995) 2024-05-30 07:33:50 +00:00
sqlite.ini.tmpl Disable query token param in integration tests (#28592) 2023-12-23 11:29:51 +08:00
test_utils.go Add some tests to clarify the "must-change-password" behavior (#30693) 2024-04-27 12:23:37 +00:00