
A new login attempt will login with previous oauth2-logged-in account when the new oauth2 login failed #3223

Closed
3 of 7 tasks
icesai opened this issue Dec 18, 2017 · 5 comments

@icesai

icesai commented Dec 18, 2017

  • Gitea version (or commit ref): bde0409
  • Git version: 2.1.4
  • Operating system: CentOS
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist:
    [Macaron] 2017-12-18 11:39:06: Started GET /user/login?redirect_to= for 127.0.0.1
    [Macaron] 2017-12-18 11:39:06: Completed GET /user/login?redirect_to= 200 OK in 50.367285ms
    [Macaron] 2017-12-18 11:39:08: Started GET /user/oauth2/google for 127.0.0.1
    [Macaron] 2017-12-18 11:39:09: Completed GET /user/oauth2/google 302 Found in 251.958016ms
    [Macaron] 2017-12-18 11:39:09: Started GET / for 127.0.0.1
    [Macaron] 2017-12-18 11:39:09: Completed GET / 200 OK in 9.224199ms
    [Macaron] 2017-12-18 11:39:09: Started GET /api/v1/repos/search?uid=6&q=&limit=15&mode= for 127.0.0.1
    [Macaron] 2017-12-18 11:39:09: Completed GET /api/v1/repos/search?uid=6&q=&limit=15&mode= 200 OK in 4.880847ms

Description

1. I have to close the registration form for everyone.
2. I have to log in with Google+ OAuth2.
I created an admin account on my own.
Then I added a certificate for Google+ OAuth2.
I created another account with Google+ OAuth2 on the admin page.
But I didn't type the user's Google token ID.
My Google account should have failed to log in.
But... it works. It logs in to my "admin" account.
Should it have failed at "/user/oauth2/google 302 Found"?
...

@lunny lunny added the type/question Issue needs no code to be fixed, only a description on how to fix it yourself. label Dec 20, 2017
@lunny
Member

lunny commented Dec 20, 2017

I think yes, as your title says. You could log in with your local account or your OAuth2 account.

@icesai
Author

icesai commented Dec 20, 2017

Sorry! Maybe I have to change my title...
I think this is a bug.
I log my NOT admin account into the admin account when I fail to log in with Google+ OAuth2.
It should fail to log in!!

@icesai icesai changed the title Normal account login to admin account by use google oauth2 NOT admin account login into admin account when using google oauth2 login faied Dec 20, 2017
@MTecknology
Contributor

@lunny This is not a "question", it is a report for a security-related bug.

@lunny lunny added type/bug topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! and removed type/question Issue needs no code to be fixed, only a description on how to fix it yourself. labels Dec 31, 2017
@zeripath
Contributor

Having looked at this for a while I think I understand what the user is reporting.

Basically - once you've logged in with an OAuth2 provider, even if you sign out from Gitea, if you re-click on that OAuth2 provider you will be logged straight back in without further confirmation.

This is related to us not revoking refresh_tokens on logout, mainly because goth does not provide that functionality.

I don't necessarily think that this is a complete security issue, however, as if you log out of your OAuth provider - as you should - then this problem does not happen. It is, however, surprising and a little bit of a gotcha.

I think this requires markbates/goth#150 to provide revocation functionality, and we would need some mark in the session to show that we have been signed in by OpenID.
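
The two pieces zeripath lists above, revoking the provider's refresh token on logout and keeping a marker in the session of which OAuth2 provider signed the user in, sketched as an added Go example that is not Gitea's or goth's code. It assumes the provider exposes an RFC 7009 token-revocation endpoint (`revokeURL`) and uses a constructed in-memory `Session` type; goth is not used, since the thread notes it lacked revocation support at the time.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Session is a constructed stand-in for the per-login state the thread asks
// for: which OAuth2 provider signed the user in, plus the refresh token issued.
type Session struct {
	UserID         int64
	OAuth2Provider string // "" when the user signed in with a local password
	RefreshToken   string
}

// RevokeRefreshToken posts an RFC 7009 revocation request to revokeURL. The RFC
// requires HTTP 200 even for unknown tokens, so any other status is a failure.
func RevokeRefreshToken(client *http.Client, revokeURL, token string) error {
	form := url.Values{"token": {token}, "token_type_hint": {"refresh_token"}}
	resp, err := client.PostForm(revokeURL, form)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("revocation endpoint returned %s", resp.Status)
	}
	return nil
}

// Logout clears the session and, for OAuth2 logins, first asks the provider to
// revoke the refresh token. The session is cleared even if revocation fails.
func Logout(client *http.Client, revokeURL string, s *Session) error {
	var revokeErr error
	if s.OAuth2Provider != "" && s.RefreshToken != "" {
		revokeErr = RevokeRefreshToken(client, revokeURL, s.RefreshToken)
	}
	*s = Session{} // drop user id, provider marker and token together
	return revokeErr
}

func main() {
	// Stand-alone demo against a local stub revocation endpoint (constructed).
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	defer srv.Close()
	s := &Session{UserID: 6, OAuth2Provider: "google", RefreshToken: "constructed-refresh-token"}
	fmt.Println("logout error:", Logout(srv.Client(), srv.URL, s), "session after:", *s)
}
```

The returned revocation error is meant to be logged server-side; the local session is dropped regardless, so a provider outage never keeps a Gitea session alive.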

@wxiaoguang
Contributor

Not a security issue, more details:

@wxiaoguang wxiaoguang removed the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Apr 14, 2022
@wxiaoguang wxiaoguang changed the title NOT admin account login into admin account when using google oauth2 login faied Non-admin account login into previous oauth2-logged-in admin account when the new oauth2 login faied Apr 14, 2022
@wxiaoguang wxiaoguang changed the title Non-admin account login into previous oauth2-logged-in admin account when the new oauth2 login faied Non-admin account login into previous oauth2-logged-in admin account when the new oauth2 login failed Apr 14, 2022
@wxiaoguang wxiaoguang changed the title Non-admin account login into previous oauth2-logged-in admin account when the new oauth2 login failed A new login attempt will login with previous oauth2-logged-in account when the new oauth2 login failed Apr 14, 2022
@go-gitea go-gitea locked and limited conversation to collaborators May 3, 2023