mirror of https://github.com/go-gitea/gitea.git
See discussion on #31561 for some background.

The introspect endpoint was using the OIDC token itself for authentication. This fixes it to use basic authentication with the client ID and secret instead:

* Applications with a valid client ID and secret should be able to successfully introspect an invalid token, receiving a 200 response with JSON data that indicates the token is invalid
* Requests with an invalid client ID and secret should not be able to introspect, even if the token itself is valid

Unlike #31561 (which just future-proofed the current behavior against future changes to `DISABLE_QUERY_AUTH_TOKEN`), this is a potential compatibility break (some introspection requests without valid client IDs that would previously succeed will now fail). Affected deployments must begin sending a valid HTTP basic authentication header with their introspection requests, with the username set to a valid client ID and the password set to the corresponding client secret.

7 months ago | |
---|---|---|
.. | ||
admin | 8 months ago | |
auth | 7 months ago | |
devtest | 8 months ago | |
events | 1 year ago | |
explore | 8 months ago | |
feed | 8 months ago | |
healthcheck | 1 year ago | |
misc | 10 months ago | |
org | 8 months ago | |
repo | 8 months ago | |
shared | 8 months ago | |
user | 7 months ago | |
base.go | 9 months ago | |
githttp.go | 8 months ago | |
goget.go | 1 year ago | |
home.go | 1 year ago | |
metrics.go | 2 years ago | |
nodeinfo.go | 1 year ago | |
passkey.go | 1 year ago | |
swagger_json.go | 1 year ago | |
web.go | 8 months ago | |
webfinger.go | 1 year ago |