2f1cb1d289
See discussion on #31561 for some background. The introspect endpoint was using the OIDC token itself for authentication. This fixes it to use basic authentication with the client ID and secret instead: * Applications with a valid client ID and secret should be able to successfully introspect an invalid token, receiving a 200 response with JSON data that indicates the token is invalid * Requests with an invalid client ID and secret should not be able to introspect, even if the token itself is valid Unlike #31561 (which just future-proofed the current behavior against future changes to `DISABLE_QUERY_AUTH_TOKEN`), this is a potential compatibility break (some introspection requests without valid client IDs that would previously succeed will now fail). Affected deployments must begin sending a valid HTTP basic authentication header with their introspection requests, with the username set to a valid client ID and the password set to the corresponding client secret. |
||
---|---|---|
.. | ||
e2e | ||
fuzz | ||
gitea-lfs-meta | ||
gitea-repositories-meta | ||
integration | ||
testdata/data/attachments/a/0 | ||
mssql.ini.tmpl | ||
mysql.ini.tmpl | ||
pgsql.ini.tmpl | ||
sqlite.ini.tmpl | ||
test_utils.go |