Address review comments

hickford · hickford · commit d7f3ccbd2ef5 · 2022-10-06T06:22:25.000+01:00
Require PKCE for public clients
diff --git a/models/auth/oauth2.go b/models/auth/oauth2.go
@@ -31,7 +31,10 @@ type OAuth2Application struct {
 	Name         string
 	ClientID     string `xorm:"unique"`
 	ClientSecret string
+	// OAuth defines both Confidential and Public client types
 	// https://datatracker.ietf.org/doc/html/rfc6749#section-2.1
+	// "Authorization servers MUST record the client type in the client registration details"
+	// https://datatracker.ietf.org/doc/html/rfc8252#section-8.4
 	Confidential bool               `xorm:"NOT NULL DEFAULT TRUE"`
 	RedirectURIs []string           `xorm:"redirect_uris JSON TEXT"`
 	CreatedUnix  timeutil.TimeStamp `xorm:"INDEX created"`
diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
@@ -430,8 +430,21 @@ func AuthorizeOAuth(ctx *context.Context) {
 			log.Error("Unable to save changes to the session: %v", err)
 		}
 	case "":
-		break
+		// "Authorization servers SHOULD reject authorization requests from native apps that don't use PKCE by returning an error message"
+		// https://datatracker.ietf.org/doc/html/rfc8252#section-8.1
+		if !app.Confidential {
+			// "the authorization endpoint MUST return the authorization error response with the "error" value set to "invalid_request""
+			// https://datatracker.ietf.org/doc/html/rfc7636#section-4.4.1
+			handleAuthorizeError(ctx, AuthorizeError{
+				ErrorCode:        ErrorCodeInvalidRequest,
+				ErrorDescription: "",
+				State:            form.State,
+			}, form.RedirectURI)
+		}
+		return
 	default:
+		// "If the server supporting PKCE does not support the requested transformation, the authorization endpoint MUST return the authorization error response with "error" value set to "invalid_request"."
+		// https://www.rfc-editor.org/rfc/rfc7636#section-4.4.1
 		handleAuthorizeError(ctx, AuthorizeError{
 			ErrorCode:        ErrorCodeInvalidRequest,
 			ErrorDescription: "unsupported code challenge method",
@@ -685,7 +698,7 @@ func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm, s
 		})
 		return
 	}
-	if app.Confidential && !app.ValidateClientSecret([]byte(form.ClientSecret)) {
+	if !app.ValidateClientSecret([]byte(form.ClientSecret)) {
 		handleAccessTokenError(ctx, AccessTokenError{
 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,
 			ErrorDescription: "invalid client secret",
