Support for OAuth client type public, ie. native apps

Author: hickford

docs/content/doc/developers/oauth2-provider.md

@@ -44,6 +44,12 @@ To use the Authorization Code Grant as a third party application it is required
 
 Currently Gitea does not support scopes (see [#4300](https://github.com/go-gitea/gitea/issues/4300)) and all third party applications will be granted access to all resources of the user and their organizations.
 
+## Client types
+
+Gitea supports both confidential and public client types, [as defined by RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1).
+
+For public clients, a redirect URI of a loopback IP address such as `http://127.0.0.1/` allows any port. Avoid using `localhost`, [as recommended by RFC 8252](https://datatracker.ietf.org/doc/html/rfc8252#section-8.3).
+
 ## Example
 
 **Note:** This example does not use PKCE.

models/auth/oauth2.go

@@ -31,6 +31,8 @@ type OAuth2Application struct {
 	Name         string
 	ClientID     string `xorm:"unique"`
 	ClientSecret string
+	// https://datatracker.ietf.org/doc/html/rfc6749#section-2.1
+	Confidential bool               `xorm:"NOT NULL DEFAULT TRUE"`
 	RedirectURIs []string           `xorm:"redirect_uris JSON TEXT"`
 	CreatedUnix  timeutil.TimeStamp `xorm:"INDEX created"`
 	UpdatedUnix  timeutil.TimeStamp `xorm:"INDEX updated"`
@@ -57,15 +59,17 @@ func (app *OAuth2Application) PrimaryRedirectURI() string {
 
 // ContainsRedirectURI checks if redirectURI is allowed for app
 func (app *OAuth2Application) ContainsRedirectURI(redirectURI string) bool {
-	uri, err := url.Parse(redirectURI)
-	// ignore port for http loopback uris following https://datatracker.ietf.org/doc/html/rfc8252#section-7.3
-	if err == nil && uri.Scheme == "http" && uri.Port() != "" {
-		ip := net.ParseIP(uri.Hostname())
-		if ip != nil && ip.IsLoopback() {
-			// strip port
-			uri.Host = uri.Hostname()
-			if util.IsStringInSlice(uri.String(), app.RedirectURIs, true) {
-				return true
+	if !app.Confidential {
+		uri, err := url.Parse(redirectURI)
+		// ignore port for http loopback uris following https://datatracker.ietf.org/doc/html/rfc8252#section-7.3
+		if err == nil && uri.Scheme == "http" && uri.Port() != "" {
+			ip := net.ParseIP(uri.Hostname())
+			if ip != nil && ip.IsLoopback() {
+				// strip port
+				uri.Host = uri.Hostname()
+				if util.IsStringInSlice(uri.String(), app.RedirectURIs, true) {
+					return true
+				}
 			}
 		}
 	}
@@ -163,6 +167,7 @@ func GetOAuth2ApplicationsByUserID(ctx context.Context, userID int64) (apps []*O
 type CreateOAuth2ApplicationOptions struct {
 	Name         string
 	UserID       int64
+	Confidential bool
 	RedirectURIs []string
 }
 
@@ -174,6 +179,7 @@ func CreateOAuth2Application(ctx context.Context, opts CreateOAuth2ApplicationOp
 		Name:         opts.Name,
 		ClientID:     clientID,
 		RedirectURIs: opts.RedirectURIs,
+		Confidential: opts.Confidential,
 	}
 	if err := db.Insert(ctx, app); err != nil {
 		return nil, err
@@ -186,6 +192,7 @@ type UpdateOAuth2ApplicationOptions struct {
 	ID           int64
 	Name         string
 	UserID       int64
+	Confidential bool
 	RedirectURIs []string
 }
 
@@ -207,6 +214,7 @@ func UpdateOAuth2Application(opts UpdateOAuth2ApplicationOptions) (*OAuth2Applic
 
 	app.Name = opts.Name
 	app.RedirectURIs = opts.RedirectURIs
+	app.Confidential = opts.Confidential
 
 	if err = updateOAuth2Application(ctx, app); err != nil {
 		return nil, err
@@ -217,7 +225,7 @@ func UpdateOAuth2Application(opts UpdateOAuth2ApplicationOptions) (*OAuth2Applic
 }
 
 func updateOAuth2Application(ctx context.Context, app *OAuth2Application) error {
-	if _, err := db.GetEngine(ctx).ID(app.ID).Update(app); err != nil {
+	if _, err := db.GetEngine(ctx).ID(app.ID).UseBool("Confidential").Update(app); err != nil {
 		return err
 	}
 	return nil

models/auth/oauth2_test.go

@@ -46,6 +46,7 @@ func TestOAuth2Application_ContainsRedirectURI(t *testing.T) {
 func TestOAuth2Application_ContainsRedirectURI_WithPort(t *testing.T) {
 	app := &auth_model.OAuth2Application{
 		RedirectURIs: []string{"http://127.0.0.1/", "http://::1/", "http://192.168.0.1/", "http://intranet/", "https://127.0.0.1/"},
+		Confidential: false,
 	}
 
 	// http loopback uris should ignore port

models/fixtures/oauth2_application.yml

@@ -7,3 +7,14 @@
   redirect_uris: '["a"]'
   created_unix: 1546869730
   updated_unix: 1546869730
+  confidential: true
+-
+  id: 2
+  uid: 2
+  name: "Test native app"
+  client_id: "ce5a1322-42a7-11ed-b878-0242ac120002"
+  client_secret: "$2a$10$UYRgUSgekzBp6hYe8pAdc.cgB4Gn06QRKsORUnIYTYQADs.YR/uvi" # bcrypt of "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=
+  redirect_uris: '["http://127.0.0.1"]'
+  created_unix: 1546869730
+  updated_unix: 1546869730
+  confidential: false

models/fixtures/oauth2_authorization_code.yml

@@ -6,3 +6,10 @@
   redirect_uri: "a"
   valid_until: 3546869730
 
+- id: 2
+  grant_id: 4
+  code: "authcodepublic"
+  code_challenge: "CjvyTLSdR47G5zYenDA-eDWW4lRrO8yvjcWwbD_deOg" # Code Verifier: N1Zo9-8Rfwhkt68r1r29ty8YwIraXR8eh_1Qwxg7yQXsonBt
+  code_challenge_method: "S256"
+  redirect_uri: "http://127.0.0.1/"
+  valid_until: 3546869730

models/fixtures/oauth2_grant.yml

@@ -20,4 +20,12 @@
   counter: 1
   scope: "openid profile email"
   created_unix: 1546869730
-  updated_unix: 1546869730
+  updated_unix: 1546869730
+
+- id: 4
+  user_id: 99
+  application_id: 2
+  counter: 1
+  scope: "whatever"
+  created_unix: 1546869730
+  updated_unix: 1546869730

models/migrations/migrations.go

@@ -413,6 +413,8 @@ var migrations = []Migration{
 	NewMigration("Add badges to users", createUserBadgesTable),
 	// v225 -> v226
 	NewMigration("Alter gpg_key/public_key content TEXT fields to MEDIUMTEXT", alterPublicGPGKeyContentFieldsToMediumText),
+	// v226 -> v227
+	NewMigration("Add confidential column default true to OAuth2Application table", addConfidentialColumnToOAuth2ApplicationTable),
 }
 
 // GetCurrentDBVersion returns the current db version

models/migrations/v226.go

@@ -0,0 +1,27 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"code.gitea.io/gitea/modules/timeutil"
+	"xorm.io/xorm"
+)
+
+// addConfidentialColumnToOAuth2ApplicationTable: add Confidential column, setting existing rows to true
+func addConfidentialColumnToOAuth2ApplicationTable(x *xorm.Engine) error {
+	type OAuth2Application struct {
+		ID           int64 `xorm:"pk autoincr"`
+		UID          int64 `xorm:"INDEX"`
+		Name         string
+		ClientID     string `xorm:"unique"`
+		ClientSecret string
+		Confidential bool               `xorm:"NOT NULL DEFAULT TRUE"`
+		RedirectURIs []string           `xorm:"redirect_uris JSON TEXT"`
+		CreatedUnix  timeutil.TimeStamp `xorm:"INDEX created"`
+		UpdatedUnix  timeutil.TimeStamp `xorm:"INDEX updated"`
+	}
+
+	return x.Sync(new(OAuth2Application))
+}

modules/convert/convert.go

@@ -396,6 +396,7 @@ func ToOAuth2Application(app *auth.OAuth2Application) *api.OAuth2Application {
 		Name:         app.Name,
 		ClientID:     app.ClientID,
 		ClientSecret: app.ClientSecret,
+		Confidential: app.Confidential,
 		RedirectURIs: app.RedirectURIs,
 		Created:      app.CreatedUnix.AsTime(),
 	}

modules/structs/user_app.go

@@ -31,6 +31,7 @@ type CreateAccessTokenOption struct {
 // CreateOAuth2ApplicationOptions holds options to create an oauth2 application
 type CreateOAuth2ApplicationOptions struct {
 	Name         string   `json:"name" binding:"Required"`
+	Confidential bool     `json:"confidential"`
 	RedirectURIs []string `json:"redirect_uris" binding:"Required"`
 }
 
@@ -41,6 +42,7 @@ type OAuth2Application struct {
 	Name         string    `json:"name"`
 	ClientID     string    `json:"client_id"`
 	ClientSecret string    `json:"client_secret"`
+	Confidential bool      `json:"confidential"`
 	RedirectURIs []string  `json:"redirect_uris"`
 	Created      time.Time `json:"created"`
 }