
[Feature] Authentication Sources - OAuth2 - Add JWT and PKCE Support

Open bythewood opened this issue 4 years ago • 4 comments

Currently authentication sources for OAuth2 only support shared secrets (implicit flow), which is not recommended for security reasons. Recommend implementation of Private Key JWT and/or PKCE for OAuth2 authentication sources.

bythewood avatar Sep 07 '21 16:09 bythewood

This already exists.

zeripath avatar Sep 07 '21 18:09 zeripath

Does it? As far as I can see, the latest release only supports client/server secrets for OAuth, which is implicit flow. You're probably thinking of OAuth providers (not sources), for which Gitea does support Private Key JWT and PKCE.

bythewood avatar Sep 07 '21 18:09 bythewood

I've re-opened this, but it may require some changes in https://github.com/markbates/goth upstream before we can support it.

techknowlogick avatar Sep 07 '21 19:09 techknowlogick

@techknowlogick Is this supported now?

NexZhu avatar May 23 '24 02:05 NexZhu