gitea/routers/web/auth
Archer 5c542ca94c
Prevent automatic OAuth grants for public clients (#30790)
This commit forces the resource owner (user) to always approve OAuth 2.0
authorization requests if the client is public (e.g. native
applications).

As detailed in [RFC 6749 Section 10.2](https://www.rfc-editor.org/rfc/rfc6749.html#section-10.2),

> The authorization server SHOULD NOT process repeated authorization
> requests automatically (without active resource owner interaction)
> without authenticating the client or relying on other measures to ensure
> that the repeated request comes from the original client and not an
> impersonator.

With the implementation prior to this patch, attackers with access to
the redirect URI (e.g., the loopback interface for
`git-credential-oauth`) can get access to the user account without any
user interaction if they can redirect the user to the
`/login/oauth/authorize` endpoint somehow (e.g., with `xdg-open` on
Linux).

Fixes #25061.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
| File | Last commit | Age |
|---|---|---|
| 2fa.go | Move context from modules to services (#29440) | 12 months ago |
| auth.go | Improve oauth2 client "preferred username field" logic and the error handling (#30622) | 10 months ago |
| auth_test.go | Improve oauth2 client "preferred username field" logic and the error handling (#30622) | 10 months ago |
| linkaccount.go | Improve oauth2 client "preferred username field" logic and the error handling (#30622) | 10 months ago |
| main_test.go | make writing main test easier (#27270) | 1 year ago |
| oauth.go | Prevent automatic OAuth grants for public clients (#30790) | 10 months ago |
| oauth_test.go | Bump github.com/golang-jwt/jwt to v5 (#25975) | 2 years ago |
| openid.go | Move context from modules to services (#29440) | 12 months ago |
| password.go | Clean up log messages (#30313) | 10 months ago |
| webauthn.go | Move context from modules to services (#29440) | 12 months ago |