add skip secondary authorization option for public oauth2 clients (#31454)

models/auth/oauth2.go

@@ -38,6 +38,7 @@ type OAuth2Application struct {
 	// "Authorization servers MUST record the client type in the client registration details"
 	// https://datatracker.ietf.org/doc/html/rfc8252#section-8.4
 	ConfidentialClient         bool               `xorm:"NOT NULL DEFAULT TRUE"`
+	SkipSecondaryAuthorization bool               `xorm:"NOT NULL DEFAULT FALSE"`
 	RedirectURIs               []string           `xorm:"redirect_uris JSON TEXT"`
 	CreatedUnix                timeutil.TimeStamp `xorm:"INDEX created"`
 	UpdatedUnix                timeutil.TimeStamp `xorm:"INDEX updated"`
@@ -254,6 +255,7 @@ type CreateOAuth2ApplicationOptions struct {
 	Name                       string
 	UserID                     int64
 	ConfidentialClient         bool
+	SkipSecondaryAuthorization bool
 	RedirectURIs               []string
 }
 
@@ -266,6 +268,7 @@ func CreateOAuth2Application(ctx context.Context, opts CreateOAuth2ApplicationOp
 		ClientID:                   clientID,
 		RedirectURIs:               opts.RedirectURIs,
 		ConfidentialClient:         opts.ConfidentialClient,
+		SkipSecondaryAuthorization: opts.SkipSecondaryAuthorization,
 	}
 	if err := db.Insert(ctx, app); err != nil {
 		return nil, err
@@ -279,6 +282,7 @@ type UpdateOAuth2ApplicationOptions struct {
 	Name                       string
 	UserID                     int64
 	ConfidentialClient         bool
+	SkipSecondaryAuthorization bool
 	RedirectURIs               []string
 }
 
@@ -305,6 +309,7 @@ func UpdateOAuth2Application(ctx context.Context, opts UpdateOAuth2ApplicationOp
 	app.Name = opts.Name
 	app.RedirectURIs = opts.RedirectURIs
 	app.ConfidentialClient = opts.ConfidentialClient
+	app.SkipSecondaryAuthorization = opts.SkipSecondaryAuthorization
 
 	if err = updateOAuth2Application(ctx, app); err != nil {
 		return nil, err
@@ -315,7 +320,7 @@ func UpdateOAuth2Application(ctx context.Context, opts UpdateOAuth2ApplicationOp
 }
 
 func updateOAuth2Application(ctx context.Context, app *OAuth2Application) error {
-	if _, err := db.GetEngine(ctx).ID(app.ID).UseBool("confidential_client").Update(app); err != nil {
+	if _, err := db.GetEngine(ctx).ID(app.ID).UseBool("confidential_client", "skip_secondary_authorization").Update(app); err != nil {
 		return err
 	}
 	return nil

models/migrations/migrations.go

@@ -593,6 +593,8 @@ var migrations = []Migration{
 	NewMigration("Add content version to issue and comment table", v1_23.AddContentVersionToIssueAndComment),
 	// v300 -> v301
 	NewMigration("Add force-push branch protection support", v1_23.AddForcePushBranchProtection),
+	// v301 -> v302
+	NewMigration("Add skip_secondary_authorization option to oauth2 application table", v1_23.AddSkipSecondaryAuthColumnToOAuth2ApplicationTable),
 }
 
 // GetCurrentDBVersion returns the current db version

models/migrations/v1_23/v301.go

@@ -0,0 +1,14 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package v1_23 //nolint
+
+import "xorm.io/xorm"
+
+// AddSkipSeconderyAuthToOAuth2ApplicationTable: add SkipSecondaryAuthorization column, setting existing rows to false
+func AddSkipSecondaryAuthColumnToOAuth2ApplicationTable(x *xorm.Engine) error {
+	type oauth2Application struct {
+		SkipSecondaryAuthorization bool `xorm:"NOT NULL DEFAULT FALSE"`
+	}
+	return x.Sync(new(oauth2Application))
+}

modules/structs/user_app.go

@@ -33,6 +33,7 @@ type CreateAccessTokenOption struct {
 type CreateOAuth2ApplicationOptions struct {
 	Name                       string   `json:"name" binding:"Required"`
 	ConfidentialClient         bool     `json:"confidential_client"`
+	SkipSecondaryAuthorization bool     `json:"skip_secondary_authorization"`
 	RedirectURIs               []string `json:"redirect_uris" binding:"Required"`
 }
 
@@ -44,6 +45,7 @@ type OAuth2Application struct {
 	ClientID                   string    `json:"client_id"`
 	ClientSecret               string    `json:"client_secret"`
 	ConfidentialClient         bool      `json:"confidential_client"`
+	SkipSecondaryAuthorization bool      `json:"skip_secondary_authorization"`
 	RedirectURIs               []string  `json:"redirect_uris"`
 	Created                    time.Time `json:"created"`
 }

options/locale/locale_en-US.ini

@@ -914,6 +914,7 @@ create_oauth2_application_success = You have successfully created a new OAuth2 a
 update_oauth2_application_success = You have successfully updated the OAuth2 application.
 oauth2_application_name = Application Name
 oauth2_confidential_client = Confidential Client. Select for apps that keep the secret confidential, such as web apps. Do not select for native apps including desktop and mobile apps.
+oauth2_skip_secondary_authorization = Skip authorization for public clients after granting access once. <strong>May pose a security risk.</strong>
 oauth2_redirect_uris = Redirect URIs. Please use a new line for every URI.
 save_application = Save
 oauth2_client_id = Client ID

routers/api/v1/user/app.go

@@ -227,6 +227,7 @@ func CreateOauth2Application(ctx *context.APIContext) {
 		UserID:                     ctx.Doer.ID,
 		RedirectURIs:               data.RedirectURIs,
 		ConfidentialClient:         data.ConfidentialClient,
+		SkipSecondaryAuthorization: data.SkipSecondaryAuthorization,
 	})
 	if err != nil {
 		ctx.Error(http.StatusBadRequest, "", "error creating oauth2 application")
@@ -386,6 +387,7 @@ func UpdateOauth2Application(ctx *context.APIContext) {
 		ID:                         appID,
 		RedirectURIs:               data.RedirectURIs,
 		ConfidentialClient:         data.ConfidentialClient,
+		SkipSecondaryAuthorization: data.SkipSecondaryAuthorization,
 	})
 	if err != nil {
 		if auth_model.IsErrOauthClientIDInvalid(err) || auth_model.IsErrOAuthApplicationNotFound(err) {

routers/web/auth/oauth.go

@@ -469,9 +469,9 @@ func AuthorizeOAuth(ctx *context.Context) {
 		return
 	}
 
-	// Redirect if user already granted access and the application is confidential.
-	// I.e. always require authorization for public clients as recommended by RFC 6749 Section 10.2
-	if app.ConfidentialClient && grant != nil {
+	// Redirect if user already granted access and the application is confidential or trusted otherwise
+	// I.e. always require authorization for untrusted public clients as recommended by RFC 6749 Section 10.2
+	if (app.ConfidentialClient || app.SkipSecondaryAuthorization) && grant != nil {
 		code, err := grant.GenerateNewAuthorizationCode(ctx, form.RedirectURI, form.CodeChallenge, form.CodeChallengeMethod)
 		if err != nil {
 			handleServerError(ctx, form.State, form.RedirectURI)

routers/web/user/setting/oauth2_common.go

@@ -53,6 +53,7 @@ func (oa *OAuth2CommonHandlers) AddApp(ctx *context.Context) {
 		RedirectURIs:               util.SplitTrimSpace(form.RedirectURIs, "\n"),
 		UserID:                     oa.OwnerID,
 		ConfidentialClient:         form.ConfidentialClient,
+		SkipSecondaryAuthorization: form.SkipSecondaryAuthorization,
 	})
 	if err != nil {
 		ctx.ServerError("CreateOAuth2Application", err)
@@ -107,6 +108,7 @@ func (oa *OAuth2CommonHandlers) EditSave(ctx *context.Context) {
 		RedirectURIs:               util.SplitTrimSpace(form.RedirectURIs, "\n"),
 		UserID:                     oa.OwnerID,
 		ConfidentialClient:         form.ConfidentialClient,
+		SkipSecondaryAuthorization: form.SkipSecondaryAuthorization,
 	}); err != nil {
 		ctx.ServerError("UpdateOAuth2Application", err)
 		return

services/convert/convert.go

@@ -460,6 +460,7 @@ func ToOAuth2Application(app *auth.OAuth2Application) *api.OAuth2Application {
 		ClientID:                   app.ClientID,
 		ClientSecret:               app.ClientSecret,
 		ConfidentialClient:         app.ConfidentialClient,
+		SkipSecondaryAuthorization: app.SkipSecondaryAuthorization,
 		RedirectURIs:               app.RedirectURIs,
 		Created:                    app.CreatedUnix.AsTime(),
 	}

services/forms/user_form.go

@@ -368,6 +368,7 @@ type EditOAuth2ApplicationForm struct {
 	Name                       string `binding:"Required;MaxSize(255)" form:"application_name"`
 	RedirectURIs               string `binding:"Required" form:"redirect_uris"`
 	ConfidentialClient         bool   `form:"confidential_client"`
+	SkipSecondaryAuthorization bool   `form:"skip_secondary_authorization"`
 }
 
 // Validate validates the fields

templates/swagger/v1_json.tmpl

@@ -19875,6 +19875,10 @@
             "type": "string"
           },
           "x-go-name": "RedirectURIs"
+        },
+        "skip_secondary_authorization": {
+          "type": "boolean",
+          "x-go-name": "SkipSecondaryAuthorization"
         }
       },
       "x-go-package": "code.gitea.io/gitea/modules/structs"
@@ -23002,6 +23006,10 @@
             "type": "string"
           },
           "x-go-name": "RedirectURIs"
+        },
+        "skip_secondary_authorization": {
+          "type": "boolean",
+          "x-go-name": "SkipSecondaryAuthorization"
         }
       },
       "x-go-package": "code.gitea.io/gitea/modules/structs"

templates/user/settings/applications_oauth2_edit_form.tmpl

@@ -44,7 +44,13 @@
 		<div class="field {{if .Err_ConfidentialClient}}error{{end}}">
 			<div class="ui checkbox">
 				<label>{{ctx.Locale.Tr "settings.oauth2_confidential_client"}}</label>
-				<input type="checkbox" name="confidential_client" {{if .App.ConfidentialClient}}checked{{end}}>
+				<input class="disable-setting" type="checkbox" name="confidential_client" data-target="#skip-secondary-authorization" {{if .App.ConfidentialClient}}checked{{end}}>
+			</div>
+		</div>
+		<div class="field {{if .Err_SkipSecondaryAuthorization}}error{{end}} {{if .App.ConfidentialClient}}disabled{{end}}" id="skip-secondary-authorization">
+			<div class="ui checkbox">
+				<label>{{ctx.Locale.Tr "settings.oauth2_skip_secondary_authorization"}}</label>
+				<input type="checkbox" name="skip_secondary_authorization" {{if .App.SkipSecondaryAuthorization}}checked{{end}}>
 			</div>
 		</div>
 		<button class="ui primary button">

templates/user/settings/applications_oauth2_list.tmpl

@@ -64,7 +64,13 @@
 		<div class="field {{if .Err_ConfidentialClient}}error{{end}}">
 			<div class="ui checkbox">
 				<label>{{ctx.Locale.Tr "settings.oauth2_confidential_client"}}</label>
-				<input type="checkbox" name="confidential_client" checked>
+				<input class="disable-setting" type="checkbox" name="confidential_client" data-target="#skip-secondary-authorization" checked>
+			</div>
+		</div>
+		<div class="field {{if .Err_SkipSecondaryAuthorization}}error{{end}} disabled" id="skip-secondary-authorization">
+			<div class="ui checkbox">
+				<label>{{ctx.Locale.Tr "settings.oauth2_skip_secondary_authorization"}}</label>
+				<input type="checkbox" name="skip_secondary_authorization">
 			</div>
 		</div>
 		<button class="ui primary button">

web_src/js/features/oauth2-settings.ts

@@ -0,0 +1,5 @@
+export function initOAuth2SettingsDisableCheckbox() {
+  for (const e of document.querySelectorAll('.disable-setting')) e.addEventListener('change', ({target}) => {
+    document.querySelector(e.getAttribute('data-target')).classList.toggle('disabled', target.checked);
+  });
+}

web_src/js/index.ts

@@ -78,6 +78,7 @@ import {initDirAuto} from './modules/dirauto.ts';
 import {initRepositorySearch} from './features/repo-search.ts';
 import {initColorPickers} from './features/colorpicker.ts';
 import {initAdminSelfCheck} from './features/admin/selfcheck.ts';
+import {initOAuth2SettingsDisableCheckbox} from './features/oauth2-settings.ts';
 import {initGlobalFetchAction} from './features/common-fetch-action.ts';
 import {
   initFootLanguageMenu,
@@ -225,5 +226,7 @@ onDomReady(() => {
     initPdfViewer,
     initScopedAccessTokenCategories,
     initColorPickers,
+
+    initOAuth2SettingsDisableCheckbox,
   ]);
 });