OAuth public clients seem broken since 1.22

[schnusch]

Description

When a confidential client tries to authenticate without Gitea throught PKCE the error {"error":"unauthorized_client","error_description":"failed PKCE code challenge"} is returned. Only versions 1.22 and up seem to be broken.

I tested with the following docker-compose.yaml:

networks:
  p2p:
    external: false
    internal: true

services:
  gitea:
    image: docker.gitea.com/gitea:1.21
    restart: unless-stopped
    environment:
      USER_UID: "1000"
      USER_GID: "1000"
      GITEA__cors__ENABLED: "true"
      GITEA__security__INSTALL_LOCK: "true"
    volumes:
    - ./temp:/data
    - /etc/localtime:/etc/localtime:ro
    - /dev/null:/etc/timezone:ro
    ports:
    - "3000:3000"
    networks:
    - p2p

  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy
    restart: unless-stopped
    depends_on:
    - gitea
    environment:
      OAUTH2_PROXY_HTTP_ADDRESS: http://0.0.0.0:4180
      OAUTH2_PROXY_PROVIDER: github
      OAUTH2_PROXY_PROVIDER_DISPLAY_NAME: Gitea
      OAUTH2_PROXY_LOGIN_URL: http://localhost:3000/login/oauth/authorize
      OAUTH2_PROXY_REDEEM_URL: http://gitea:3000/login/oauth/access_token
      OAUTH2_PROXY_VALIDATE_URL: http://gitea:3000/api/v1/user/emails
      OAUTH2_PROXY_COOKIE_SECRET: dvfrzQ8kHYx260vV
      OAUTH2_PROXY_CLIENT_ID: 291c99d2-2727-49da-a26c-4c315fda95a7
      OAUTH2_PROXY_CLIENT_SECRET: gto_cyncn56ksancs3zjdwajrzc2bp2c7cfa3yzefixvvd4ziq4bggbq
      OAUTH2_PROXY_REDIRECT_URL: http://localhost:4180/oauth2/callback
      OAUTH2_PROXY_EMAIL_DOMAINS: "*"
      OAUTH2_PROXY_CODE_CHALLENGE_METHOD: plain
    ports:
    - "4180:4180"
    networks:
    - p2p

1. Setup Gitea 1.21 at http://localhost:3000.

   • register a user
   • create an application, do not tick confidential client

2. Update OAUTH2_PROXY_CLIENT_ID and OAUTH2_PROXY_CLIENT_SECRET accordingly.

3. Restart docker-compose.

4. Open http://localhost:4180.

5. Log-in through Gitea.

   On first login oauth2-proxy returned the error {"error":"unauthorized_client","error_description":"failed PKCE code challenge"} as well, but this might be a fluke because subsequent tries work.

6. Make sure oauth2-proxy is authenticated. (It will return 404 instead of asking for a login.)

7. Update docker image to docker.gitea.com/gitea:1.22.

8. Restart docker-compose.

9. Clear login data in the browser.

10. Open http://localhost:4180.

11. Every authentication attempt will result in the error {"error":"unauthorized_client","error_description":"failed PKCE code challenge"}.

I first encountered the error after a custom application stopped working after updating Gitea but tried to reproduce it with a more mature implementation.

Gitea Version

v1.22

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

docker-compose

Database

MySQL/MariaDB

[wxiaoguang]

Thank you for the detailed steps! At the moment, I can't reproduce it with 1.22 & 1.23:

My steps:

1. Follow your steps to setup 1.21, see 404 on oauth2 proxy side
2. Follow your steps to update docker image to 1.22 & 1.23, open a incognito windows, still could see 404 on oauth2 proxy side

[schnusch]

It only is broken for public clients, "Confidential Client." must not be ticked for the application in Gitea. I amended it in the steps as well.

[wxiaoguang]

It seems to be a longstanding bug in Integrate OAuth2 Provider (#5378)

• https://github.com/go-gitea/gitea/pull/5378/files#r2007340187

[wxiaoguang]

Will be fixed by 33961 and 33962

[wxiaoguang]

1.23-nightly has been released, the problem should have been fixed, please take a try

• https://dl.gitea.com/gitea/1.23-nightly/
• https://hub.docker.com/r/gitea/gitea/tags?name=1.23-nightly

[schnusch]

docker.gitea.com/gitea:1.23-nightly (0f1e0cc8b0c1) seems to work! (Although now I'm not sure how it ever worked in the first place.)

[wxiaoguang]

I guess some old code wasn't really executed or something wrong+wrong make the result right.

Anyway, now it works 😄

[schnusch]

I implemented code_challenge_method=S256 in my custom application and S256 worked all along. If $OAUTH2_PROXY_CODE_CHALLENGE_METHOD is set to S256 it works with v1.22+ as well.