add skip secondary authorization option for public oauth2 clients (#31454)

models/auth/oauth2.go

@@ -37,10 +37,11 @@ type OAuth2Application struct {
 	// https://datatracker.ietf.org/doc/html/rfc6749#section-2.1
 	// "Authorization servers MUST record the client type in the client registration details"
 	// https://datatracker.ietf.org/doc/html/rfc8252#section-8.4
-	ConfidentialClient bool               `xorm:"NOT NULL DEFAULT TRUE"`
-	RedirectURIs       []string           `xorm:"redirect_uris JSON TEXT"`
-	CreatedUnix        timeutil.TimeStamp `xorm:"INDEX created"`
-	UpdatedUnix        timeutil.TimeStamp `xorm:"INDEX updated"`
+	ConfidentialClient         bool               `xorm:"NOT NULL DEFAULT TRUE"`
+	SkipSecondaryAuthorization bool               `xorm:"NOT NULL DEFAULT FALSE"`
+	RedirectURIs               []string           `xorm:"redirect_uris JSON TEXT"`
+	CreatedUnix                timeutil.TimeStamp `xorm:"INDEX created"`
+	UpdatedUnix                timeutil.TimeStamp `xorm:"INDEX updated"`
 }
 
 func init() {
@@ -251,21 +252,23 @@ func GetOAuth2ApplicationByID(ctx context.Context, id int64) (app *OAuth2Applica
 
 // CreateOAuth2ApplicationOptions holds options to create an oauth2 application
 type CreateOAuth2ApplicationOptions struct {
-	Name               string
-	UserID             int64
-	ConfidentialClient bool
-	RedirectURIs       []string
+	Name                       string
+	UserID                     int64
+	ConfidentialClient         bool
+	SkipSecondaryAuthorization bool
+	RedirectURIs               []string
 }
 
 // CreateOAuth2Application inserts a new oauth2 application
 func CreateOAuth2Application(ctx context.Context, opts CreateOAuth2ApplicationOptions) (*OAuth2Application, error) {
 	clientID := uuid.New().String()
 	app := &OAuth2Application{
-		UID:                opts.UserID,
-		Name:               opts.Name,
-		ClientID:           clientID,
-		RedirectURIs:       opts.RedirectURIs,
-		ConfidentialClient: opts.ConfidentialClient,
+		UID:                        opts.UserID,
+		Name:                       opts.Name,
+		ClientID:                   clientID,
+		RedirectURIs:               opts.RedirectURIs,
+		ConfidentialClient:         opts.ConfidentialClient,
+		SkipSecondaryAuthorization: opts.SkipSecondaryAuthorization,
 	}
 	if err := db.Insert(ctx, app); err != nil {
 		return nil, err
@@ -275,11 +278,12 @@ func CreateOAuth2Application(ctx context.Context, opts CreateOAuth2ApplicationOp
 
 // UpdateOAuth2ApplicationOptions holds options to update an oauth2 application
 type UpdateOAuth2ApplicationOptions struct {
-	ID                 int64
-	Name               string
-	UserID             int64
-	ConfidentialClient bool
-	RedirectURIs       []string
+	ID                         int64
+	Name                       string
+	UserID                     int64
+	ConfidentialClient         bool
+	SkipSecondaryAuthorization bool
+	RedirectURIs               []string
 }
 
 // UpdateOAuth2Application updates an oauth2 application
@@ -305,6 +309,7 @@ func UpdateOAuth2Application(ctx context.Context, opts UpdateOAuth2ApplicationOp
 	app.Name = opts.Name
 	app.RedirectURIs = opts.RedirectURIs
 	app.ConfidentialClient = opts.ConfidentialClient
+	app.SkipSecondaryAuthorization = opts.SkipSecondaryAuthorization
 
 	if err = updateOAuth2Application(ctx, app); err != nil {
 		return nil, err
@@ -315,7 +320,7 @@ func UpdateOAuth2Application(ctx context.Context, opts UpdateOAuth2ApplicationOp
 }
 
 func updateOAuth2Application(ctx context.Context, app *OAuth2Application) error {
-	if _, err := db.GetEngine(ctx).ID(app.ID).UseBool("confidential_client").Update(app); err != nil {
+	if _, err := db.GetEngine(ctx).ID(app.ID).UseBool("confidential_client", "skip_secondary_authorization").Update(app); err != nil {
 		return err
 	}
 	return nil

models/migrations/migrations.go

@@ -593,6 +593,8 @@ var migrations = []Migration{
 	NewMigration("Add content version to issue and comment table", v1_23.AddContentVersionToIssueAndComment),
 	// v300 -> v301
 	NewMigration("Add force-push branch protection support", v1_23.AddForcePushBranchProtection),
+	// v301 -> v302
+	NewMigration("Add skip_secondary_authorization option to oauth2 application table", v1_23.AddSkipSecondaryAuthColumnToOAuth2ApplicationTable),
 }
 
 // GetCurrentDBVersion returns the current db version

models/migrations/v1_23/v301.go

@@ -0,0 +1,14 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package v1_23 //nolint
+
+import "xorm.io/xorm"
+
+// AddSkipSeconderyAuthToOAuth2ApplicationTable: add SkipSecondaryAuthorization column, setting existing rows to false
+func AddSkipSecondaryAuthColumnToOAuth2ApplicationTable(x *xorm.Engine) error {
+	type oauth2Application struct {
+		SkipSecondaryAuthorization bool `xorm:"NOT NULL DEFAULT FALSE"`
+	}
+	return x.Sync(new(oauth2Application))
+}