From 677131213333202f12b323569f286be7eb9d6714 Mon Sep 17 00:00:00 2001
From: Earl Warren
Date: Wed, 22 May 2024 16:37:00 +0200
Subject: [PATCH] Revert "Prevent automatic OAuth grants for public clients (#30790) (#30836)"
This reverts commit 248a5b8d7a20311e89c7bfa46dd4efb4a0576a95. This commit introduces a regression descrdibed at https://github.com/go-gitea/gitea/pull/30790#issuecomment-2118812426 There is a commit to try and fix it, but it is similarly untested. Let's not accumulate regressions and wait until it is either field tested by humans in Gitea or a test is written. https://github.com/go-gitea/gitea/pull/31015/files
---
 routers/web/auth/oauth.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
index ca19d1ea16..f5ca0bda5e 100644
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@@ -469,9 +469,8 @@ func AuthorizeOAuth(ctx *context.Context) {
 return
 }
 
- // Redirect if user already granted access and the application is confidential.
- // I.e. always require authorization for public clients as recommended by RFC 6749 Section 10.2
- if app.ConfidentialClient && grant != nil {
+ // Redirect if user already granted access
+ if grant != nil {
 code, err := grant.GenerateNewAuthorizationCode(ctx, form.RedirectURI, form.CodeChallenge, form.CodeChallengeMethod)
 if err != nil {
 handleServerError(ctx, form.State, form.RedirectURI)
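Review bot: The restored `if grant != nil {` branch again issues a fresh authorization code without re-prompting for any client that holds a prior grant, confidential or public, and the new comment no longer records that this is a known deviation from RFC 6749 Section 10.2 rather than an oversight. Since the revert is explicitly temporary pending a test, the behaviour should be documented at the branch so the next reader does not treat it as settled: `// Redirect if user already granted access (applies to public clients too; RFC 6749 Section 10.2 recommends re-prompting them, see #31015 — reverted pending a regression test)`. It would also be worth noting in the commit body which regression the conditional triggered, since the linked comment is the only trace and the comment in the code is gone. AuthorizeOAuth begins and ends outside the hunk, so I cannot see whether the earlier redirect-URI and client lookup checks are otherwise unchanged.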