mirror of https://github.com/go-gitea/gitea synced 2024-09-21 19:26:06 +00:00
gitea/routers/web/auth
Shivaram Lingamneni 2f1cb1d289
fix OIDC introspection authentication (#31632)
See discussion on #31561 for some background.

The introspect endpoint was using the OIDC token itself for
authentication. This fixes it to use basic authentication with the
client ID and secret instead:

* Applications with a valid client ID and secret should be able to
  successfully introspect an invalid token, receiving a 200 response
  with JSON data that indicates the token is invalid
* Requests with an invalid client ID and secret should not be able
  to introspect, even if the token itself is valid

Unlike #31561 (which just future-proofed the current behavior against
future changes to `DISABLE_QUERY_AUTH_TOKEN`), this is a potential
compatibility break (some introspection requests without valid client
IDs that would previously succeed will now fail). Affected deployments
must begin sending a valid HTTP basic authentication header with their
introspection requests, with the username set to a valid client ID and
the password set to the corresponding client secret.
2024-07-23 12:43:03 +00:00
..
2fa.go Move context from modules to services (#29440) 2024-02-27 08:12:22 +01:00
auth_test.go Refactor names (#31405) 2024-06-19 06:32:45 +08:00
auth.go allow synchronizing user status from OAuth2 login providers (#31572) 2024-07-16 20:33:16 +02:00
linkaccount.go Improve oauth2 client "preferred username field" logic and the error handling (#30622) 2024-04-25 11:22:32 +00:00
main_test.go make writing main test easier (#27270) 2023-09-28 01:38:53 +00:00
oauth_test.go
oauth.go fix OIDC introspection authentication (#31632) 2024-07-23 12:43:03 +00:00
openid.go Move context from modules to services (#29440) 2024-02-27 08:12:22 +01:00
password.go Clean up log messages (#30313) 2024-04-07 19:17:06 +08:00
webauthn.go Add Passkey login support (#31504) 2024-06-29 22:50:03 +00:00