A new login attempt will login with previous oauth2-logged-in account when the new oauth2 login failed #3223
Comments
I think yes, as in your title. You could log in with your local account or your OAuth2 account.
Sorry! Maybe I have to change my title...
@lunny This is not a "question", it is a report for a security-related bug.
Having looked at this for a while I think I understand what the user is reporting. Basically, once you've logged in with an oauth2 provider, even if you sign out from gitea, if you attempt to re-click on that oauth2 provider you will be logged straight back in without further confirmation. This is related to us not revoking refresh_tokens on logout, mainly because goth does not provide that functionality. I don't necessarily think that this is a complete security issue, however, as if you log out of your oauth provider, as you should, then this problem does not happen. It is, however, surprising and a little bit of a gotcha. I think this requires markbates/goth#150 to provide revocation functionality, and we would need to have some mark in the session to show that we have been signed in by openid.
Not a security issue, more details:
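The logout-side change the comment above describes (a mark in the session for OAuth2 logins, plus revocation of the refresh token on logout) as an added Go sketch. This is not Gitea's or goth's code: the `Session` type, the `Revoker` and its RFC 7009 style revocation endpoint are assumptions made here, and the provider URL is supplied by the caller.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// Session is a constructed stand-in for the web session; OAuth2Source is the
// "mark in the session" that records which provider opened it ("" = local login).
type Session struct {
	UserID       int64
	OAuth2Source string
	RefreshToken string // provider refresh token, kept only for the session's lifetime
}

// Revoker posts a token to an RFC 7009 style revocation endpoint (assumed here;
// the real provider URL and the HTTP client are supplied by the caller).
type Revoker struct {
	Endpoint string
	Client   *http.Client
}

// Revoke asks the provider to invalidate the refresh token. A 200 means revoked.
func (r Revoker) Revoke(token string) error {
	resp, err := r.Client.PostForm(r.Endpoint, url.Values{
		"token": {token}, "token_type_hint": {"refresh_token"},
	})
	if err != nil {
		return err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("revocation failed: %s", resp.Status)
	}
	return nil
}

// Logout ends the local session and, when the session was opened through an
// OAuth2 provider, revokes the stored refresh token so the next click on the
// provider button cannot silently resume the old grant. The local session is
// cleared even if the provider call fails; that error is reported to the caller.
func Logout(s *Session, r Revoker) error {
	var err error
	if s.OAuth2Source != "" && s.RefreshToken != "" {
		err = r.Revoke(s.RefreshToken)
	}
	*s = Session{}
	return err
}
```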
[Macaron] 2017-12-18 11:39:06: Started GET /user/login?redirect_to= for 127.0.0.1
[Macaron] 2017-12-18 11:39:06: Completed GET /user/login?redirect_to= 200 OK in 50.367285ms
[Macaron] 2017-12-18 11:39:08: Started GET /user/oauth2/google for 127.0.0.1
[Macaron] 2017-12-18 11:39:09: Completed GET /user/oauth2/google 302 Found in 251.958016ms
[Macaron] 2017-12-18 11:39:09: Started GET / for 127.0.0.1
[Macaron] 2017-12-18 11:39:09: Completed GET / 200 OK in 9.224199ms
[Macaron] 2017-12-18 11:39:09: Started GET /api/v1/repos/search?uid=6&q=&limit=15&mode= for 127.0.0.1
[Macaron] 2017-12-18 11:39:09: Completed GET /api/v1/repos/search?uid=6&q=&limit=15&mode= 200 OK in 4.880847ms
Description
1. I have to close the registration form for everyone.
2. I have to log in with Google+ OAuth2.
I created an admin account by myself.
Then I added a certificate for Google+ OAuth2.
I created another account with Google+ OAuth2 on the admin page.
But I didn't type the user's Google token ID.
My Google account should fail to log in.
But... it works. It logs in to my "admin" account.
Should it fail at "/user/oauth2/google 302 Found"?
...