Users of Chrome/Chromium based browsers cannot authorize an OAuth2 app due to the Content-Security-Policy
To test, you need to:

* create an OAuth2 app (easier if you disable the PKCE enforcement for the purpose of the test)
* use a Chrome/Chromium based browser
* start the authorization flow manually (can be done by accessing a URL formatted like this: https://tuleap-web.tuleap-aio-dev.docker/oauth2/authorize?client_id=<client_id>&redirect_uri=<redirect_uri>&response_type=code&scope=openid&state=somestate)

Authorizing the app should work and the user should be redirected.

The issue is due to a difference in the way browsers handle the form-action directive [0].

Part of request #17967: Deploy a useful content security policy

[0] https://github.com/w3c/webappsec-csp/issues/8

Change-Id: Ia4bbfb2c8f8693a205c3f49a561e33914eacdee2
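The browser difference the commit message points at (w3c/webappsec-csp issue 8) is whether `form-action` is re-checked on the redirects that follow a form submission. The following is an added illustration, not Tuleap code and not the change in this commit: a small model of a CSP `form-action` check run over a constructed OAuth2 "Authorize" submission that is answered with a 302 to the client's `redirect_uri` on another origin. The origins, the `client.example` redirect target and the two policies are constructed; the assumption that one class of browsers checks every redirect hop while the other checks only the form's initial action URL is labelled as such in the code.

```python
"""Model how a Content-Security-Policy form-action directive is applied to a
form submission, with and without re-checking the redirect chain.

Constructed illustration, not Tuleap code. Assumption: the browser difference
behind the interop issue is that some browsers (Chromium) apply form-action
to each redirect that follows a form submission, while others check only the
form's initial action URL.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    u = urlsplit(url)
    return (u.scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(u.scheme))


def source_matches(expr, url, self_origin):
    """Check one source expression (subset of the CSP3 grammar) against a URL."""
    expr_l = expr.lower()
    if expr_l == "'none'":
        return False
    if expr_l == "'self'":
        return _origin(url) == _origin(self_origin)
    if expr_l.endswith(":") and "/" not in expr_l:      # scheme-source, e.g. "https:"
        return urlsplit(url).scheme == expr_l[:-1]
    # host-source: optional scheme, host (possibly "*." wildcard), optional port
    src = expr if "://" in expr else "https://" + expr
    scheme, host, port = _origin(src)
    u_scheme, u_host, u_port = _origin(url)
    if "://" in expr and scheme != u_scheme:
        return False
    if host.startswith("*."):
        if not u_host.endswith(host[1:]):
            return False
    elif host != u_host:
        return False
    if ":" in urlsplit(src).netloc and port != u_port:  # explicit port given
        return False
    return True


def allowed_by(policy, directive, url, self_origin):
    """True if url matches the directive's source list.
    form-action has no fallback to default-src, so an absent directive allows all."""
    sources = policy.get(directive)
    if sources is None:
        return True
    return any(source_matches(s, url, self_origin) for s in sources)


def form_submission_allowed(header, self_origin, action_url, redirect_chain, check_redirects):
    """Simulate a form POST to action_url followed by redirect_chain.

    Returns (allowed, blocked_url). check_redirects=True models the browsers
    that apply form-action to every hop; False models checking the action only.
    """
    policy = parse_csp(header)
    hops = [action_url] + (list(redirect_chain) if check_redirects else [])
    for hop in hops:
        if not allowed_by(policy, "form-action", hop, self_origin):
            return False, hop
    return True, None


# Constructed scenario: the authorization page carries the policy, the user
# submits the "Authorize" form to the same origin, and the server redirects
# to the OAuth2 client's redirect_uri on a different origin.
SELF_ORIGIN = "https://tuleap-web.tuleap-aio-dev.docker"
ACTION_URL = SELF_ORIGIN + "/oauth2/authorize"
REDIRECT_URI = "https://client.example/callback?code=CONSTRUCTED&state=somestate"

STRICT_POLICY = "default-src 'self'; form-action 'self'"
# Same policy with the client's origin listed: one way to pass under both
# interpretations (an illustration, not what this commit does).
WIDENED_POLICY = "default-src 'self'; form-action 'self' https://client.example"


def scenario(header, check_redirects):
    return form_submission_allowed(header, SELF_ORIGIN, ACTION_URL, [REDIRECT_URI], check_redirects)


if __name__ == "__main__":
    for name, header in (("strict", STRICT_POLICY), ("widened", WIDENED_POLICY)):
        for check in (False, True):
            ok, blocked = scenario(header, check)
            print(f"{name:8s} check_redirects={check!s:5s} -> "
                  f"{'allowed' if ok else 'blocked at ' + blocked}")
```

Under the strict policy the initial POST to `/oauth2/authorize` passes in both models, but the hop to `https://client.example/...` is rejected as soon as redirects are checked, which is the "cannot authorize" symptom described above; this is why a `form-action` policy on an authorization endpoint has to be tested in a Chromium-based browser and not only against the spec text.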
Modified Files
Status | File | Added | Removed
---|---|---|---
M | plugins/oauth2_server/include/AuthorizationServer/AuthorizationEndpointController.php | +7 | −1
M | plugins/oauth2_server/tests/unit/AuthorizationServer/AuthorizationEndpointControllerTest.php | +8 | −5