Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OAuth module missing special handling for loopback redirect URI #21285

Closed
hickford opened this issue Sep 28, 2022 · 0 comments · Fixed by #21293 or #21373
Closed

OAuth module missing special handling for loopback redirect URI #21285

hickford opened this issue Sep 28, 2022 · 0 comments · Fixed by #21293 or #21373
Labels
type/bug

Comments

@hickford
Copy link
Contributor

hickford commented Sep 28, 2022
edited
Loading

OAuth RFC https://datatracker.ietf.org/doc/html/rfc8252#section-7.3 describes special handling for loopback redirect URIs, in particular that the port need not match.

The authorization server MUST allow any port to be specified at the
time of the request for loopback IP redirect URIs, to accommodate
clients that obtain an available ephemeral port from the operating
system at the time of the request.

This is vital for local apps, but the behaviour is missing in Gitea.
Relevant code

gitea/models/auth/oauth2.go

Lines 58 to 60 in 5a3b9ac

func (app *OAuth2Application) ContainsRedirectURI(redirectURI string) bool {
return util.IsStringInSlice(redirectURI, app.RedirectURIs, true)
}

GitHub implements this behaviour https://docs.github.com/en/developers/apps/building-oauth-apps/authorizing-oauth-apps#localhost-redirect-urls

The redirect_uri does not need to match the port specified in the callback url for the app.
@hickford hickford mentioned this issue Sep 28, 2022
Merged
6543 pushed a commit that referenced this issue Sep 28, 2022
@hickford
Ignore port for loopback redirect URIs (#21293)
6a45a69 
Following https://datatracker.ietf.org/doc/html/rfc8252#section-7.3

Fixes #21285
@hickford hickford mentioned this issue Oct 7, 2022
Merged
hickford added a commit to hickford/gitea that referenced this issue Oct 7, 2022
@hickford
Ignore port for loopback redirect URIs (go-gitea#21293)
5eda90a 
Following https://datatracker.ietf.org/doc/html/rfc8252#section-7.3

Fixes go-gitea#21285
wxiaoguang pushed a commit that referenced this issue Oct 8, 2022
@hickford
Ignore port for OAuth2 loopback redirect URIs (#21293) (#21373)
672d54f 
Backport #21293

Following https://datatracker.ietf.org/doc/html/rfc8252#section-7.3

Fixes #21285
tyroneyeh added a commit to tyroneyeh/gitea that referenced this issue Oct 24, 2022
@tyroneyeh
Ignore port for OAuth2 loopback redirect URIs (go-gitea#21293) (go-gi…
98927cd 
…tea#21373)

Backport go-gitea#21293

Following https://datatracker.ietf.org/doc/html/rfc8252#section-7.3

Fixes go-gitea#21285
@go-gitea go-gitea locked and limited conversation to collaborators May 3, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
type/bug
Projects
None yet
Milestone
No milestone
1 participant
@hickford