mirror of https://github.com/go-gitea/gitea
Make oauth2 code clear. Move oauth2 provider code to their own packages/files (#32148)
Fix #30266 Replace #31533pull/32145/head^2
Lunny Xiao
2 months ago
committed by
GitHub
parent
70b7df0e5e
commit
3a4a1bffbe
@ -0,0 +1,666 @@ |
||||
// Copyright 2024 The Gitea Authors. All rights reserved.
|
||||
// SPDX-License-Identifier: MIT
|
||||
|
||||
package auth |
||||
|
||||
import ( |
||||
"errors" |
||||
"fmt" |
||||
"html" |
||||
"html/template" |
||||
"net/http" |
||||
"net/url" |
||||
"strings" |
||||
|
||||
"code.gitea.io/gitea/models/auth" |
||||
user_model "code.gitea.io/gitea/models/user" |
||||
"code.gitea.io/gitea/modules/base" |
||||
"code.gitea.io/gitea/modules/json" |
||||
"code.gitea.io/gitea/modules/log" |
||||
"code.gitea.io/gitea/modules/setting" |
||||
"code.gitea.io/gitea/modules/web" |
||||
auth_service "code.gitea.io/gitea/services/auth" |
||||
"code.gitea.io/gitea/services/context" |
||||
"code.gitea.io/gitea/services/forms" |
||||
"code.gitea.io/gitea/services/oauth2_provider" |
||||
|
||||
"gitea.com/go-chi/binding" |
||||
jwt "github.com/golang-jwt/jwt/v5" |
||||
) |
||||
|
||||
const ( |
||||
tplGrantAccess base.TplName = "user/auth/grant" |
||||
tplGrantError base.TplName = "user/auth/grant_error" |
||||
) |
||||
|
||||
// TODO move error and responses to SDK or models
|
||||
|
||||
// AuthorizeErrorCode represents an error code specified in RFC 6749
|
||||
// https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2.1
|
||||
type AuthorizeErrorCode string |
||||
|
||||
const ( |
||||
// ErrorCodeInvalidRequest represents the according error in RFC 6749
|
||||
ErrorCodeInvalidRequest AuthorizeErrorCode = "invalid_request" |
||||
// ErrorCodeUnauthorizedClient represents the according error in RFC 6749
|
||||
ErrorCodeUnauthorizedClient AuthorizeErrorCode = "unauthorized_client" |
||||
// ErrorCodeAccessDenied represents the according error in RFC 6749
|
||||
ErrorCodeAccessDenied AuthorizeErrorCode = "access_denied" |
||||
// ErrorCodeUnsupportedResponseType represents the according error in RFC 6749
|
||||
ErrorCodeUnsupportedResponseType AuthorizeErrorCode = "unsupported_response_type" |
||||
// ErrorCodeInvalidScope represents the according error in RFC 6749
|
||||
ErrorCodeInvalidScope AuthorizeErrorCode = "invalid_scope" |
||||
// ErrorCodeServerError represents the according error in RFC 6749
|
||||
ErrorCodeServerError AuthorizeErrorCode = "server_error" |
||||
// ErrorCodeTemporaryUnavailable represents the according error in RFC 6749
|
||||
ErrorCodeTemporaryUnavailable AuthorizeErrorCode = "temporarily_unavailable" |
||||
) |
||||
|
||||
// AuthorizeError represents an error type specified in RFC 6749
|
||||
// https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2.1
|
||||
type AuthorizeError struct { |
||||
ErrorCode AuthorizeErrorCode `json:"error" form:"error"` |
||||
ErrorDescription string |
||||
State string |
||||
} |
||||
|
||||
// Error returns the error message
|
||||
func (err AuthorizeError) Error() string { |
||||
return fmt.Sprintf("%s: %s", err.ErrorCode, err.ErrorDescription) |
||||
} |
||||
|
||||
// errCallback represents a oauth2 callback error
|
||||
type errCallback struct { |
||||
Code string |
||||
Description string |
||||
} |
||||
|
||||
func (err errCallback) Error() string { |
||||
return err.Description |
||||
} |
||||
|
||||
type userInfoResponse struct { |
||||
Sub string `json:"sub"` |
||||
Name string `json:"name"` |
||||
Username string `json:"preferred_username"` |
||||
Email string `json:"email"` |
||||
Picture string `json:"picture"` |
||||
Groups []string `json:"groups"` |
||||
} |
||||
|
||||
// InfoOAuth manages request for userinfo endpoint
|
||||
func InfoOAuth(ctx *context.Context) { |
||||
if ctx.Doer == nil || ctx.Data["AuthedMethod"] != (&auth_service.OAuth2{}).Name() { |
||||
ctx.Resp.Header().Set("WWW-Authenticate", `Bearer realm=""`) |
||||
ctx.PlainText(http.StatusUnauthorized, "no valid authorization") |
||||
return |
||||
} |
||||
|
||||
response := &userInfoResponse{ |
||||
Sub: fmt.Sprint(ctx.Doer.ID), |
||||
Name: ctx.Doer.FullName, |
||||
Username: ctx.Doer.Name, |
||||
Email: ctx.Doer.Email, |
||||
Picture: ctx.Doer.AvatarLink(ctx), |
||||
} |
||||
|
||||
groups, err := oauth2_provider.GetOAuthGroupsForUser(ctx, ctx.Doer) |
||||
if err != nil { |
||||
ctx.ServerError("Oauth groups for user", err) |
||||
return |
||||
} |
||||
response.Groups = groups |
||||
|
||||
ctx.JSON(http.StatusOK, response) |
||||
} |
||||
|
||||
func parseBasicAuth(ctx *context.Context) (username, password string, err error) { |
||||
authHeader := ctx.Req.Header.Get("Authorization") |
||||
if authType, authData, ok := strings.Cut(authHeader, " "); ok && strings.EqualFold(authType, "Basic") { |
||||
return base.BasicAuthDecode(authData) |
||||
} |
||||
return "", "", errors.New("invalid basic authentication") |
||||
} |
||||
|
||||
// IntrospectOAuth introspects an oauth token
|
||||
func IntrospectOAuth(ctx *context.Context) { |
||||
clientIDValid := false |
||||
if clientID, clientSecret, err := parseBasicAuth(ctx); err == nil { |
||||
app, err := auth.GetOAuth2ApplicationByClientID(ctx, clientID) |
||||
if err != nil && !auth.IsErrOauthClientIDInvalid(err) { |
||||
// this is likely a database error; log it and respond without details
|
||||
log.Error("Error retrieving client_id: %v", err) |
||||
ctx.Error(http.StatusInternalServerError) |
||||
return |
||||
} |
||||
clientIDValid = err == nil && app.ValidateClientSecret([]byte(clientSecret)) |
||||
} |
||||
if !clientIDValid { |
||||
ctx.Resp.Header().Set("WWW-Authenticate", `Basic realm=""`) |
||||
ctx.PlainText(http.StatusUnauthorized, "no valid authorization") |
||||
return |
||||
} |
||||
|
||||
var response struct { |
||||
Active bool `json:"active"` |
||||
Scope string `json:"scope,omitempty"` |
||||
Username string `json:"username,omitempty"` |
||||
jwt.RegisteredClaims |
||||
} |
||||
|
||||
form := web.GetForm(ctx).(*forms.IntrospectTokenForm) |
||||
token, err := oauth2_provider.ParseToken(form.Token, oauth2_provider.DefaultSigningKey) |
||||
if err == nil { |
||||
grant, err := auth.GetOAuth2GrantByID(ctx, token.GrantID) |
||||
if err == nil && grant != nil { |
||||
app, err := auth.GetOAuth2ApplicationByID(ctx, grant.ApplicationID) |
||||
if err == nil && app != nil { |
||||
response.Active = true |
||||
response.Scope = grant.Scope |
||||
response.Issuer = setting.AppURL |
||||
response.Audience = []string{app.ClientID} |
||||
response.Subject = fmt.Sprint(grant.UserID) |
||||
} |
||||
if user, err := user_model.GetUserByID(ctx, grant.UserID); err == nil { |
||||
response.Username = user.Name |
||||
} |
||||
} |
||||
} |
||||
|
||||
ctx.JSON(http.StatusOK, response) |
||||
} |
||||
|
||||
// AuthorizeOAuth manages authorize requests
|
||||
func AuthorizeOAuth(ctx *context.Context) { |
||||
form := web.GetForm(ctx).(*forms.AuthorizationForm) |
||||
errs := binding.Errors{} |
||||
errs = form.Validate(ctx.Req, errs) |
||||
if len(errs) > 0 { |
||||
errstring := "" |
||||
for _, e := range errs { |
||||
errstring += e.Error() + "\n" |
||||
} |
||||
ctx.ServerError("AuthorizeOAuth: Validate: ", fmt.Errorf("errors occurred during validation: %s", errstring)) |
||||
return |
||||
} |
||||
|
||||
app, err := auth.GetOAuth2ApplicationByClientID(ctx, form.ClientID) |
||||
if err != nil { |
||||
if auth.IsErrOauthClientIDInvalid(err) { |
||||
handleAuthorizeError(ctx, AuthorizeError{ |
||||
ErrorCode: ErrorCodeUnauthorizedClient, |
||||
ErrorDescription: "Client ID not registered", |
||||
State: form.State, |
||||
}, "") |
||||
return |
||||
} |
||||
ctx.ServerError("GetOAuth2ApplicationByClientID", err) |
||||
return |
||||
} |
||||
|
||||
var user *user_model.User |
||||
if app.UID != 0 { |
||||
user, err = user_model.GetUserByID(ctx, app.UID) |
||||
if err != nil { |
||||
ctx.ServerError("GetUserByID", err) |
||||
return |
||||
} |
||||
} |
||||
|
||||
if !app.ContainsRedirectURI(form.RedirectURI) { |
||||
handleAuthorizeError(ctx, AuthorizeError{ |
||||
ErrorCode: ErrorCodeInvalidRequest, |
||||
ErrorDescription: "Unregistered Redirect URI", |
||||
State: form.State, |
||||
}, "") |
||||
return |
||||
} |
||||
|
||||
if form.ResponseType != "code" { |
||||
handleAuthorizeError(ctx, AuthorizeError{ |
||||
ErrorCode: ErrorCodeUnsupportedResponseType, |
||||
ErrorDescription: "Only code response type is supported.", |
||||
State: form.State, |
||||
}, form.RedirectURI) |
||||
return |
||||
} |
||||
|
||||
// pkce support
|
||||
switch form.CodeChallengeMethod { |
||||
case "S256": |
||||
case "plain": |
||||
if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallengeMethod); err != nil { |
||||
handleAuthorizeError(ctx, AuthorizeError{ |
||||
ErrorCode: ErrorCodeServerError, |
||||
ErrorDescription: "cannot set code challenge method", |
||||
State: form.State, |
||||
}, form.RedirectURI) |
||||
return |
||||
} |
||||
if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallenge); err != nil { |
||||
handleAuthorizeError(ctx, AuthorizeError{ |
||||
ErrorCode: ErrorCodeServerError, |
||||
ErrorDescription: "cannot set code challenge", |
||||
State: form.State, |
||||
}, form.RedirectURI) |
||||
return |
||||
} |
||||
// Here we're just going to try to release the session early
|
||||
if err := ctx.Session.Release(); err != nil { |
||||
// we'll tolerate errors here as they *should* get saved elsewhere
|
||||
log.Error("Unable to save changes to the session: %v", err) |
||||
} |
||||
case "": |
||||
// "Authorization servers SHOULD reject authorization requests from native apps that don't use PKCE by returning an error message"
|
||||
// https://datatracker.ietf.org/doc/html/rfc8252#section-8.1
|
||||
if !app.ConfidentialClient { |
||||
// "the authorization endpoint MUST return the authorization error response with the "error" value set to "invalid_request""
|
||||
// https://datatracker.ietf.org/doc/html/rfc7636#section-4.4.1
|
||||
handleAuthorizeError(ctx, AuthorizeError{ |
||||
ErrorCode: ErrorCodeInvalidRequest, |
||||
ErrorDescription: "PKCE is required for public clients", |
||||
State: form.State, |
||||
}, form.RedirectURI) |
||||
return |
||||
} |
||||
default: |
||||
// "If the server supporting PKCE does not support the requested transformation, the authorization endpoint MUST return the authorization error response with "error" value set to "invalid_request"."
|
||||
// https://www.rfc-editor.org/rfc/rfc7636#section-4.4.1
|
||||
handleAuthorizeError(ctx, AuthorizeError{ |
||||
ErrorCode: ErrorCodeInvalidRequest, |
||||
ErrorDescription: "unsupported code challenge method", |
||||
State: form.State, |
||||
}, form.RedirectURI) |
||||
return |
||||
} |
||||
|
||||
grant, err := app.GetGrantByUserID(ctx, ctx.Doer.ID) |
||||
if err != nil { |
||||
handleServerError(ctx, form.State, form.RedirectURI) |
||||
return |
||||
} |
||||
|
||||
// Redirect if user already granted access and the application is confidential or trusted otherwise
|
||||
// I.e. always require authorization for untrusted public clients as recommended by RFC 6749 Section 10.2
|
||||
if (app.ConfidentialClient || app.SkipSecondaryAuthorization) && grant != nil { |
||||
code, err := grant.GenerateNewAuthorizationCode(ctx, form.RedirectURI, form.CodeChallenge, form.CodeChallengeMethod) |
||||
if err != nil { |
||||
handleServerError(ctx, form.State, form.RedirectURI) |
||||
return |
||||
} |
||||
redirect, err := code.GenerateRedirectURI(form.State) |
||||
if err != nil { |
||||
handleServerError(ctx, form.State, form.RedirectURI) |
||||
return |
||||
} |
||||
// Update nonce to reflect the new session
|
||||
if len(form.Nonce) > 0 { |
||||
err := grant.SetNonce(ctx, form.Nonce) |
||||
if err != nil { |
||||
log.Error("Unable to update nonce: %v", err) |
||||
} |
||||
} |
||||
ctx.Redirect(redirect.String()) |
||||
return |
||||
} |
||||
|
||||
// show authorize page to grant access
|
||||
ctx.Data["Application"] = app |
||||
ctx.Data["RedirectURI"] = form.RedirectURI |
||||
ctx.Data["State"] = form.State |
||||
ctx.Data["Scope"] = form.Scope |
||||
ctx.Data["Nonce"] = form.Nonce |
||||
if user != nil { |
||||
ctx.Data["ApplicationCreatorLinkHTML"] = template.HTML(fmt.Sprintf(`<a href="%s">@%s</a>`, html.EscapeString(user.HomeLink()), html.EscapeString(user.Name))) |
||||
} else { |
||||
ctx.Data["ApplicationCreatorLinkHTML"] = template.HTML(fmt.Sprintf(`<a href="%s">%s</a>`, html.EscapeString(setting.AppSubURL+"/"), html.EscapeString(setting.AppName))) |
||||
} |
||||
ctx.Data["ApplicationRedirectDomainHTML"] = template.HTML("<strong>" + html.EscapeString(form.RedirectURI) + "</strong>") |
||||
// TODO document SESSION <=> FORM
|
||||
err = ctx.Session.Set("client_id", app.ClientID) |
||||
if err != nil { |
||||
handleServerError(ctx, form.State, form.RedirectURI) |
||||
log.Error(err.Error()) |
||||
return |
||||
} |
||||
err = ctx.Session.Set("redirect_uri", form.RedirectURI) |
||||
if err != nil { |
||||
handleServerError(ctx, form.State, form.RedirectURI) |
||||
log.Error(err.Error()) |
||||
return |
||||
} |
||||
err = ctx.Session.Set("state", form.State) |
||||
if err != nil { |
||||
handleServerError(ctx, form.State, form.RedirectURI) |
||||
log.Error(err.Error()) |
||||
return |
||||
} |
||||
// Here we're just going to try to release the session early
|
||||
if err := ctx.Session.Release(); err != nil { |
||||
// we'll tolerate errors here as they *should* get saved elsewhere
|
||||
log.Error("Unable to save changes to the session: %v", err) |
||||
} |
||||
ctx.HTML(http.StatusOK, tplGrantAccess) |
||||
} |
||||
|
||||
// GrantApplicationOAuth manages the post request submitted when a user grants access to an application
|
||||
func GrantApplicationOAuth(ctx *context.Context) { |
||||
form := web.GetForm(ctx).(*forms.GrantApplicationForm) |
||||
if ctx.Session.Get("client_id") != form.ClientID || ctx.Session.Get("state") != form.State || |
||||
ctx.Session.Get("redirect_uri") != form.RedirectURI { |
||||
ctx.Error(http.StatusBadRequest) |
||||
return |
||||
} |
||||
|
||||
if !form.Granted { |
||||
handleAuthorizeError(ctx, AuthorizeError{ |
||||
State: form.State, |
||||
ErrorDescription: "the request is denied", |
||||
ErrorCode: ErrorCodeAccessDenied, |
||||
}, form.RedirectURI) |
||||
return |
||||
} |
||||
|
||||
app, err := auth.GetOAuth2ApplicationByClientID(ctx, form.ClientID) |
||||
if err != nil { |
||||
ctx.ServerError("GetOAuth2ApplicationByClientID", err) |
||||
return |
||||
} |
||||
grant, err := app.GetGrantByUserID(ctx, ctx.Doer.ID) |
||||
if err != nil { |
||||
handleServerError(ctx, form.State, form.RedirectURI) |
||||
return |
||||
} |
||||
if grant == nil { |
||||
grant, err = app.CreateGrant(ctx, ctx.Doer.ID, form.Scope) |
||||
if err != nil { |
||||
handleAuthorizeError(ctx, AuthorizeError{ |
||||
State: form.State, |
||||
ErrorDescription: "cannot create grant for user", |
||||
ErrorCode: ErrorCodeServerError, |
||||
}, form.RedirectURI) |
||||
return |
||||
} |
||||
} else if grant.Scope != form.Scope { |
||||
handleAuthorizeError(ctx, AuthorizeError{ |
||||
State: form.State, |
||||
ErrorDescription: "a grant exists with different scope", |
||||
ErrorCode: ErrorCodeServerError, |
||||
}, form.RedirectURI) |
||||
return |
||||
} |
||||
|
||||
if len(form.Nonce) > 0 { |
||||
err := grant.SetNonce(ctx, form.Nonce) |
||||
if err != nil { |
||||
log.Error("Unable to update nonce: %v", err) |
||||
} |
||||
} |
||||
|
||||
var codeChallenge, codeChallengeMethod string |
||||
codeChallenge, _ = ctx.Session.Get("CodeChallenge").(string) |
||||
codeChallengeMethod, _ = ctx.Session.Get("CodeChallengeMethod").(string) |
||||
|
||||
code, err := grant.GenerateNewAuthorizationCode(ctx, form.RedirectURI, codeChallenge, codeChallengeMethod) |
||||
if err != nil { |
||||
handleServerError(ctx, form.State, form.RedirectURI) |
||||
return |
||||
} |
||||
redirect, err := code.GenerateRedirectURI(form.State) |
||||
if err != nil { |
||||
handleServerError(ctx, form.State, form.RedirectURI) |
||||
return |
||||
} |
||||
ctx.Redirect(redirect.String(), http.StatusSeeOther) |
||||
} |
||||
|
||||
// OIDCWellKnown generates JSON so OIDC clients know Gitea's capabilities
|
||||
func OIDCWellKnown(ctx *context.Context) { |
||||
ctx.Data["SigningKey"] = oauth2_provider.DefaultSigningKey |
||||
ctx.JSONTemplate("user/auth/oidc_wellknown") |
||||
} |
||||
|
||||
// OIDCKeys generates the JSON Web Key Set
|
||||
func OIDCKeys(ctx *context.Context) { |
||||
jwk, err := oauth2_provider.DefaultSigningKey.ToJWK() |
||||
if err != nil { |
||||
log.Error("Error converting signing key to JWK: %v", err) |
||||
ctx.Error(http.StatusInternalServerError) |
||||
return |
||||
} |
||||
|
||||
jwk["use"] = "sig" |
||||
|
||||
jwks := map[string][]map[string]string{ |
||||
"keys": { |
||||
jwk, |
||||
}, |
||||
} |
||||
|
||||
ctx.Resp.Header().Set("Content-Type", "application/json") |
||||
enc := json.NewEncoder(ctx.Resp) |
||||
if err := enc.Encode(jwks); err != nil { |
||||
log.Error("Failed to encode representation as json. Error: %v", err) |
||||
} |
||||
} |
||||
|
||||
// AccessTokenOAuth manages all access token requests by the client
|
||||
func AccessTokenOAuth(ctx *context.Context) { |
||||
form := *web.GetForm(ctx).(*forms.AccessTokenForm) |
||||
// if there is no ClientID or ClientSecret in the request body, fill these fields by the Authorization header and ensure the provided field matches the Authorization header
|
||||
if form.ClientID == "" || form.ClientSecret == "" { |
||||
authHeader := ctx.Req.Header.Get("Authorization") |
||||
if authType, authData, ok := strings.Cut(authHeader, " "); ok && strings.EqualFold(authType, "Basic") { |
||||
clientID, clientSecret, err := base.BasicAuthDecode(authData) |
||||
if err != nil { |
||||
handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ |
||||
ErrorCode: oauth2_provider.AccessTokenErrorCodeInvalidRequest, |
||||
ErrorDescription: "cannot parse basic auth header", |
||||
}) |
||||
return |
||||
} |
||||
// validate that any fields present in the form match the Basic auth header
|
||||
if form.ClientID != "" && form.ClientID != clientID { |
||||
handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ |
||||
ErrorCode: oauth2_provider.AccessTokenErrorCodeInvalidRequest, |
||||
ErrorDescription: "client_id in request body inconsistent with Authorization header", |
||||
}) |
||||
return |
||||
} |
||||
form.ClientID = clientID |
||||
if form.ClientSecret != "" && form.ClientSecret != clientSecret { |
||||
handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ |
||||
ErrorCode: oauth2_provider.AccessTokenErrorCodeInvalidRequest, |
||||
ErrorDescription: "client_secret in request body inconsistent with Authorization header", |
||||
}) |
||||
return |
||||
} |
||||
form.ClientSecret = clientSecret |
||||
} |
||||
} |
||||
|
||||
serverKey := oauth2_provider.DefaultSigningKey |
||||
clientKey := serverKey |
||||
if serverKey.IsSymmetric() { |
||||
var err error |
||||
clientKey, err = oauth2_provider.CreateJWTSigningKey(serverKey.SigningMethod().Alg(), []byte(form.ClientSecret)) |
||||
if err != nil { |
||||
handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ |
||||
ErrorCode: oauth2_provider.AccessTokenErrorCodeInvalidRequest, |
||||
ErrorDescription: "Error creating signing key", |
||||
}) |
||||
return |
||||
} |
||||
} |
||||
|
||||
switch form.GrantType { |
||||
case "refresh_token": |
||||
handleRefreshToken(ctx, form, serverKey, clientKey) |
||||
case "authorization_code": |
||||
handleAuthorizationCode(ctx, form, serverKey, clientKey) |
||||
default: |
||||
handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ |
||||
ErrorCode: oauth2_provider.AccessTokenErrorCodeUnsupportedGrantType, |
||||
ErrorDescription: "Only refresh_token or authorization_code grant type is supported", |
||||
}) |
||||
} |
||||
} |
||||
|
||||
func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm, serverKey, clientKey oauth2_provider.JWTSigningKey) { |
||||
app, err := auth.GetOAuth2ApplicationByClientID(ctx, form.ClientID) |
||||
if err != nil { |
||||
handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ |
||||
ErrorCode: oauth2_provider.AccessTokenErrorCodeInvalidClient, |
||||
ErrorDescription: fmt.Sprintf("cannot load client with client id: %q", form.ClientID), |
||||
}) |
||||
return |
||||
} |
||||
// "The authorization server MUST ... require client authentication for confidential clients"
|
||||
// https://datatracker.ietf.org/doc/html/rfc6749#section-6
|
||||
if app.ConfidentialClient && !app.ValidateClientSecret([]byte(form.ClientSecret)) { |
||||
errorDescription := "invalid client secret" |
||||
if form.ClientSecret == "" { |
||||
errorDescription = "invalid empty client secret" |
||||
} |
||||
// "invalid_client ... Client authentication failed"
|
||||
// https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
|
||||
handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ |
||||
ErrorCode: oauth2_provider.AccessTokenErrorCodeInvalidClient, |
||||
ErrorDescription: errorDescription, |
||||
}) |
||||
return |
||||
} |
||||
|
||||
token, err := oauth2_provider.ParseToken(form.RefreshToken, serverKey) |
||||
if err != nil { |
||||
handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ |
||||
ErrorCode: oauth2_provider.AccessTokenErrorCodeUnauthorizedClient, |
||||
ErrorDescription: "unable to parse refresh token", |
||||
}) |
||||
return |
||||
} |
||||
// get grant before increasing counter
|
||||
grant, err := auth.GetOAuth2GrantByID(ctx, token.GrantID) |
||||
if err != nil || grant == nil { |
||||
handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ |
||||
ErrorCode: oauth2_provider.AccessTokenErrorCodeInvalidGrant, |
||||
ErrorDescription: "grant does not exist", |
||||
}) |
||||
return |
||||
} |
||||
|
||||
// check if token got already used
|
||||
if setting.OAuth2.InvalidateRefreshTokens && (grant.Counter != token.Counter || token.Counter == 0) { |
||||
handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ |
||||
ErrorCode: oauth2_provider.AccessTokenErrorCodeUnauthorizedClient, |
||||
ErrorDescription: "token was already used", |
||||
}) |
||||
log.Warn("A client tried to use a refresh token for grant_id = %d was used twice!", grant.ID) |
||||
return |
||||
} |
||||
accessToken, tokenErr := oauth2_provider.NewAccessTokenResponse(ctx, grant, serverKey, clientKey) |
||||
if tokenErr != nil { |
||||
handleAccessTokenError(ctx, *tokenErr) |
||||
return |
||||
} |
||||
ctx.JSON(http.StatusOK, accessToken) |
||||
} |
||||
|
||||
func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, serverKey, clientKey oauth2_provider.JWTSigningKey) { |
||||
app, err := auth.GetOAuth2ApplicationByClientID(ctx, form.ClientID) |
||||
if err != nil { |
||||
handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ |
||||
ErrorCode: oauth2_provider.AccessTokenErrorCodeInvalidClient, |
||||
ErrorDescription: fmt.Sprintf("cannot load client with client id: '%s'", form.ClientID), |
||||
}) |
||||
return |
||||
} |
||||
if app.ConfidentialClient && !app.ValidateClientSecret([]byte(form.ClientSecret)) { |
||||
errorDescription := "invalid client secret" |
||||
if form.ClientSecret == "" { |
||||
errorDescription = "invalid empty client secret" |
||||
} |
||||
handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ |
||||
ErrorCode: oauth2_provider.AccessTokenErrorCodeUnauthorizedClient, |
||||
ErrorDescription: errorDescription, |
||||
}) |
||||
return |
||||
} |
||||
if form.RedirectURI != "" && !app.ContainsRedirectURI(form.RedirectURI) { |
||||
handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ |
||||
ErrorCode: oauth2_provider.AccessTokenErrorCodeUnauthorizedClient, |
||||
ErrorDescription: "unexpected redirect URI", |
||||
}) |
||||
return |
||||
} |
||||
authorizationCode, err := auth.GetOAuth2AuthorizationByCode(ctx, form.Code) |
||||
if err != nil || authorizationCode == nil { |
||||
handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ |
||||
ErrorCode: oauth2_provider.AccessTokenErrorCodeUnauthorizedClient, |
||||
ErrorDescription: "client is not authorized", |
||||
}) |
||||
return |
||||
} |
||||
// check if code verifier authorizes the client, PKCE support
|
||||
if !authorizationCode.ValidateCodeChallenge(form.CodeVerifier) { |
||||
handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ |
||||
ErrorCode: oauth2_provider.AccessTokenErrorCodeUnauthorizedClient, |
||||
ErrorDescription: "failed PKCE code challenge", |
||||
}) |
||||
return |
||||
} |
||||
// check if granted for this application
|
||||
if authorizationCode.Grant.ApplicationID != app.ID { |
||||
handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ |
||||
ErrorCode: oauth2_provider.AccessTokenErrorCodeInvalidGrant, |
||||
ErrorDescription: "invalid grant", |
||||
}) |
||||
return |
||||
} |
||||
// remove token from database to deny duplicate usage
|
||||
if err := authorizationCode.Invalidate(ctx); err != nil { |
||||
handleAccessTokenError(ctx, oauth2_provider.AccessTokenError{ |
||||
ErrorCode: oauth2_provider.AccessTokenErrorCodeInvalidRequest, |
||||
ErrorDescription: "cannot proceed your request", |
||||
}) |
||||
} |
||||
resp, tokenErr := oauth2_provider.NewAccessTokenResponse(ctx, authorizationCode.Grant, serverKey, clientKey) |
||||
if tokenErr != nil { |
||||
handleAccessTokenError(ctx, *tokenErr) |
||||
return |
||||
} |
||||
// send successful response
|
||||
ctx.JSON(http.StatusOK, resp) |
||||
} |
||||
|
||||
func handleAccessTokenError(ctx *context.Context, acErr oauth2_provider.AccessTokenError) { |
||||
ctx.JSON(http.StatusBadRequest, acErr) |
||||
} |
||||
|
||||
func handleServerError(ctx *context.Context, state, redirectURI string) { |
||||
handleAuthorizeError(ctx, AuthorizeError{ |
||||
ErrorCode: ErrorCodeServerError, |
||||
ErrorDescription: "A server error occurred", |
||||
State: state, |
||||
}, redirectURI) |
||||
} |
||||
|
||||
func handleAuthorizeError(ctx *context.Context, authErr AuthorizeError, redirectURI string) { |
||||
if redirectURI == "" { |
||||
log.Warn("Authorization failed: %v", authErr.ErrorDescription) |
||||
ctx.Data["Error"] = authErr |
||||
ctx.HTML(http.StatusBadRequest, tplGrantError) |
||||
return |
||||
} |
||||
redirect, err := url.Parse(redirectURI) |
||||
if err != nil { |
||||
ctx.ServerError("url.Parse", err) |
||||
return |
||||
} |
||||
q := redirect.Query() |
||||
q.Set("error", string(authErr.ErrorCode)) |
||||
q.Set("error_description", authErr.ErrorDescription) |
||||
q.Set("state", authErr.State) |
||||
redirect.RawQuery = q.Encode() |
||||
ctx.Redirect(redirect.String(), http.StatusSeeOther) |
||||
} |
||||
@ -0,0 +1,214 @@ |
||||
// Copyright 2024 The Gitea Authors. All rights reserved.
|
||||
// SPDX-License-Identifier: MIT
|
||||
|
||||
package oauth2_provider //nolint
|
||||
|
||||
import ( |
||||
"context" |
||||
"fmt" |
||||
|
||||
auth "code.gitea.io/gitea/models/auth" |
||||
org_model "code.gitea.io/gitea/models/organization" |
||||
user_model "code.gitea.io/gitea/models/user" |
||||
"code.gitea.io/gitea/modules/log" |
||||
"code.gitea.io/gitea/modules/setting" |
||||
"code.gitea.io/gitea/modules/timeutil" |
||||
|
||||
"github.com/golang-jwt/jwt/v5" |
||||
) |
||||
|
||||
// AccessTokenErrorCode represents an error code specified in RFC 6749
|
||||
// https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
|
||||
type AccessTokenErrorCode string |
||||
|
||||
const ( |
||||
// AccessTokenErrorCodeInvalidRequest represents an error code specified in RFC 6749
|
||||
AccessTokenErrorCodeInvalidRequest AccessTokenErrorCode = "invalid_request" |
||||
// AccessTokenErrorCodeInvalidClient represents an error code specified in RFC 6749
|
||||
AccessTokenErrorCodeInvalidClient = "invalid_client" |
||||
// AccessTokenErrorCodeInvalidGrant represents an error code specified in RFC 6749
|
||||
AccessTokenErrorCodeInvalidGrant = "invalid_grant" |
||||
// AccessTokenErrorCodeUnauthorizedClient represents an error code specified in RFC 6749
|
||||
AccessTokenErrorCodeUnauthorizedClient = "unauthorized_client" |
||||
// AccessTokenErrorCodeUnsupportedGrantType represents an error code specified in RFC 6749
|
||||
AccessTokenErrorCodeUnsupportedGrantType = "unsupported_grant_type" |
||||
// AccessTokenErrorCodeInvalidScope represents an error code specified in RFC 6749
|
||||
AccessTokenErrorCodeInvalidScope = "invalid_scope" |
||||
) |
||||
|
||||
// AccessTokenError represents an error response specified in RFC 6749
|
||||
// https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
|
||||
type AccessTokenError struct { |
||||
ErrorCode AccessTokenErrorCode `json:"error" form:"error"` |
||||
ErrorDescription string `json:"error_description"` |
||||
} |
||||
|
||||
// Error returns the error message
|
||||
func (err AccessTokenError) Error() string { |
||||
return fmt.Sprintf("%s: %s", err.ErrorCode, err.ErrorDescription) |
||||
} |
||||
|
||||
// TokenType specifies the kind of token
|
||||
type TokenType string |
||||
|
||||
const ( |
||||
// TokenTypeBearer represents a token type specified in RFC 6749
|
||||
TokenTypeBearer TokenType = "bearer" |
||||
// TokenTypeMAC represents a token type specified in RFC 6749
|
||||
TokenTypeMAC = "mac" |
||||
) |
||||
|
||||
// AccessTokenResponse represents a successful access token response
|
||||
// https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2
|
||||
type AccessTokenResponse struct { |
||||
AccessToken string `json:"access_token"` |
||||
TokenType TokenType `json:"token_type"` |
||||
ExpiresIn int64 `json:"expires_in"` |
||||
RefreshToken string `json:"refresh_token"` |
||||
IDToken string `json:"id_token,omitempty"` |
||||
} |
||||
|
||||
func NewAccessTokenResponse(ctx context.Context, grant *auth.OAuth2Grant, serverKey, clientKey JWTSigningKey) (*AccessTokenResponse, *AccessTokenError) { |
||||
if setting.OAuth2.InvalidateRefreshTokens { |
||||
if err := grant.IncreaseCounter(ctx); err != nil { |
||||
return nil, &AccessTokenError{ |
||||
ErrorCode: AccessTokenErrorCodeInvalidGrant, |
||||
ErrorDescription: "cannot increase the grant counter", |
||||
} |
||||
} |
||||
} |
||||
// generate access token to access the API
|
||||
expirationDate := timeutil.TimeStampNow().Add(setting.OAuth2.AccessTokenExpirationTime) |
||||
accessToken := &Token{ |
||||
GrantID: grant.ID, |
||||
Kind: KindAccessToken, |
||||
RegisteredClaims: jwt.RegisteredClaims{ |
||||
ExpiresAt: jwt.NewNumericDate(expirationDate.AsTime()), |
||||
}, |
||||
} |
||||
signedAccessToken, err := accessToken.SignToken(serverKey) |
||||
if err != nil { |
||||
return nil, &AccessTokenError{ |
||||
ErrorCode: AccessTokenErrorCodeInvalidRequest, |
||||
ErrorDescription: "cannot sign token", |
||||
} |
||||
} |
||||
|
||||
// generate refresh token to request an access token after it expired later
|
||||
refreshExpirationDate := timeutil.TimeStampNow().Add(setting.OAuth2.RefreshTokenExpirationTime * 60 * 60).AsTime() |
||||
refreshToken := &Token{ |
||||
GrantID: grant.ID, |
||||
Counter: grant.Counter, |
||||
Kind: KindRefreshToken, |
||||
RegisteredClaims: jwt.RegisteredClaims{ |
||||
ExpiresAt: jwt.NewNumericDate(refreshExpirationDate), |
||||
}, |
||||
} |
||||
signedRefreshToken, err := refreshToken.SignToken(serverKey) |
||||
if err != nil { |
||||
return nil, &AccessTokenError{ |
||||
ErrorCode: AccessTokenErrorCodeInvalidRequest, |
||||
ErrorDescription: "cannot sign token", |
||||
} |
||||
} |
||||
|
||||
// generate OpenID Connect id_token
|
||||
signedIDToken := "" |
||||
if grant.ScopeContains("openid") { |
||||
app, err := auth.GetOAuth2ApplicationByID(ctx, grant.ApplicationID) |
||||
if err != nil { |
||||
return nil, &AccessTokenError{ |
||||
ErrorCode: AccessTokenErrorCodeInvalidRequest, |
||||
ErrorDescription: "cannot find application", |
||||
} |
||||
} |
||||
user, err := user_model.GetUserByID(ctx, grant.UserID) |
||||
if err != nil { |
||||
if user_model.IsErrUserNotExist(err) { |
||||
return nil, &AccessTokenError{ |
||||
ErrorCode: AccessTokenErrorCodeInvalidRequest, |
||||
ErrorDescription: "cannot find user", |
||||
} |
||||
} |
||||
log.Error("Error loading user: %v", err) |
||||
return nil, &AccessTokenError{ |
||||
ErrorCode: AccessTokenErrorCodeInvalidRequest, |
||||
ErrorDescription: "server error", |
||||
} |
||||
} |
||||
|
||||
idToken := &OIDCToken{ |
||||
RegisteredClaims: jwt.RegisteredClaims{ |
||||
ExpiresAt: jwt.NewNumericDate(expirationDate.AsTime()), |
||||
Issuer: setting.AppURL, |
||||
Audience: []string{app.ClientID}, |
||||
Subject: fmt.Sprint(grant.UserID), |
||||
}, |
||||
Nonce: grant.Nonce, |
||||
} |
||||
if grant.ScopeContains("profile") { |
||||
idToken.Name = user.GetDisplayName() |
||||
idToken.PreferredUsername = user.Name |
||||
idToken.Profile = user.HTMLURL() |
||||
idToken.Picture = user.AvatarLink(ctx) |
||||
idToken.Website = user.Website |
||||
idToken.Locale = user.Language |
||||
idToken.UpdatedAt = user.UpdatedUnix |
||||
} |
||||
if grant.ScopeContains("email") { |
||||
idToken.Email = user.Email |
||||
idToken.EmailVerified = user.IsActive |
||||
} |
||||
if grant.ScopeContains("groups") { |
||||
groups, err := GetOAuthGroupsForUser(ctx, user) |
||||
if err != nil { |
||||
log.Error("Error getting groups: %v", err) |
||||
return nil, &AccessTokenError{ |
||||
ErrorCode: AccessTokenErrorCodeInvalidRequest, |
||||
ErrorDescription: "server error", |
||||
} |
||||
} |
||||
idToken.Groups = groups |
||||
} |
||||
|
||||
signedIDToken, err = idToken.SignToken(clientKey) |
||||
if err != nil { |
||||
return nil, &AccessTokenError{ |
||||
ErrorCode: AccessTokenErrorCodeInvalidRequest, |
||||
ErrorDescription: "cannot sign token", |
||||
} |
||||
} |
||||
} |
||||
|
||||
return &AccessTokenResponse{ |
||||
AccessToken: signedAccessToken, |
||||
TokenType: TokenTypeBearer, |
||||
ExpiresIn: setting.OAuth2.AccessTokenExpirationTime, |
||||
RefreshToken: signedRefreshToken, |
||||
IDToken: signedIDToken, |
||||
}, nil |
||||
} |
||||
|
||||
// returns a list of "org" and "org:team" strings,
|
||||
// that the given user is a part of.
|
||||
func GetOAuthGroupsForUser(ctx context.Context, user *user_model.User) ([]string, error) { |
||||
orgs, err := org_model.GetUserOrgsList(ctx, user) |
||||
if err != nil { |
||||
return nil, fmt.Errorf("GetUserOrgList: %w", err) |
||||
} |
||||
|
||||
var groups []string |
||||
for _, org := range orgs { |
||||
groups = append(groups, org.Name) |
||||
teams, err := org.LoadTeams(ctx) |
||||
if err != nil { |
||||
return nil, fmt.Errorf("LoadTeams: %w", err) |
||||
} |
||||
for _, team := range teams { |
||||
if team.IsMember(ctx, user.ID) { |
||||
groups = append(groups, org.Name+":"+team.LowerName) |
||||
} |
||||
} |
||||
} |
||||
return groups, nil |
||||
} |
||||
@ -0,0 +1,19 @@ |
||||
// Copyright 2024 The Gitea Authors. All rights reserved.
|
||||
// SPDX-License-Identifier: MIT
|
||||
|
||||
package oauth2_provider //nolint
|
||||
|
||||
import ( |
||||
"context" |
||||
|
||||
"code.gitea.io/gitea/modules/setting" |
||||
) |
||||
|
||||
// Init initializes the oauth source
|
||||
func Init(ctx context.Context) error { |
||||
if !setting.OAuth2.Enabled { |
||||
return nil |
||||
} |
||||
|
||||
return InitSigningKey() |
||||
} |
||||
@ -1,7 +1,7 @@ |
||||
// Copyright 2021 The Gitea Authors. All rights reserved.
|
||||
// SPDX-License-Identifier: MIT
|
||||
|
||||
package oauth2 |
||||
package oauth2_provider //nolint
|
||||
|
||||
import ( |
||||
"crypto/ecdsa" |
||||
Loading…
Reference in new issue