githaven/routers/web
Shivaram Lingamneni 2f1cb1d289
fix OIDC introspection authentication (#31632)
See discussion on #31561 for some background.

The introspect endpoint was using the OIDC token itself for
authentication. This fixes it to use basic authentication with the
client ID and secret instead:

* Applications with a valid client ID and secret should be able to
  successfully introspect an invalid token, receiving a 200 response
  with JSON data that indicates the token is invalid
* Requests with an invalid client ID and secret should not be able
  to introspect, even if the token itself is valid

Unlike #31561 (which just future-proofed the current behavior against
future changes to `DISABLE_QUERY_AUTH_TOKEN`), this is a potential
compatibility break (some introspection requests without valid client
IDs that would previously succeed will now fail). Affected deployments
must begin sending a valid HTTP basic authentication header with their
introspection requests, with the username set to a valid client ID and
the password set to the corresponding client secret.
2024-07-23 12:43:03 +00:00
..
admin Refactor names (#31405) 2024-06-19 06:32:45 +08:00
auth fix OIDC introspection authentication (#31632) 2024-07-23 12:43:03 +00:00
devtest Refactor names (#31405) 2024-06-19 06:32:45 +08:00
events Move context from modules to services (#29440) 2024-02-27 08:12:22 +01:00
explore Refactor names (#31405) 2024-06-19 06:32:45 +08:00
feed Refactor names (#31405) 2024-06-19 06:32:45 +08:00
healthcheck Always enable caches (#28527) 2023-12-19 09:29:05 +00:00
misc Make sure git version&feature are always prepared (#30877) 2024-05-06 18:34:16 +02:00
org Refactor names (#31405) 2024-06-19 06:32:45 +08:00
repo Refactor webhook (#31587) 2024-07-10 11:37:16 +00:00
shared Refactor names (#31405) 2024-06-19 06:32:45 +08:00
user add skip secondary authorization option for public oauth2 clients (#31454) 2024-07-19 14:28:30 -04:00
base.go Azure blob storage support (#30995) 2024-05-30 07:33:50 +00:00
githttp.go Refactor names (#31405) 2024-06-19 06:32:45 +08:00
goget.go Move context from modules to services (#29440) 2024-02-27 08:12:22 +01:00
home.go migrate some more "OptionalBool" to "Option[bool]" (#29479) 2024-02-29 18:52:49 +00:00
metrics.go Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
nodeinfo.go Move context from modules to services (#29440) 2024-02-27 08:12:22 +01:00
passkey.go Move context from modules to services (#29440) 2024-02-27 08:12:22 +01:00
swagger_json.go Move context from modules to services (#29440) 2024-02-27 08:12:22 +01:00
web.go Add Passkey login support (#31504) 2024-06-29 22:50:03 +00:00
webfinger.go Move context from modules to services (#29440) 2024-02-27 08:12:22 +01:00