forgejo/routers/web/auth
Denys Konovalov 7d855efb1f
Allow for PKCE flow without client secret + add docs (#25033)
The PKCE flow according to [RFC
7636](https://datatracker.ietf.org/doc/html/rfc7636) allows for secure
authorization without the requirement to provide a client secret for the
OAuth app.

It is implemented in Gitea since #5378 (v1.8.0), however without being
able to omit client secret.
Since #21316 Gitea supports setting client type at OAuth app
registration.

As public clients are already forced to use PKCE since #21316, in this
PR the client secret check is being skipped if a public client is
detected. As Gitea seems to implement PKCE authorization correctly
according to the spec, this would allow for PKCE flow without providing
a client secret.

Also add some docs for it, please check language as I'm not a native
English speaker.

Closes #17107
Closes #25047
2023-06-03 05:59:28 +02:00
..
2fa.go
auth.go Split "modules/context.go" to separate files (#24569) 2023-05-08 17:36:54 +08:00
linkaccount.go
main_test.go
oauth.go Allow for PKCE flow without client secret + add docs (#25033) 2023-06-03 05:59:28 +02:00
oauth_test.go
openid.go
password.go Split "modules/context.go" to separate files (#24569) 2023-05-08 17:36:54 +08:00
webauthn.go