[v15.0/forgejo] fix: prevent actions workflows from generating OIDC tokens if not authorized in workflow (#12038)

**Backport:** https://codeberg.org/forgejo/forgejo/pulls/12030 When using Forgejo's `enable-openid-connect: true`, a URL is generated into the actions under `$ACTIONS_ID_TOKEN_REQUEST_URL` that can be used to generate a JWT for accessing third-party resources authenticated as the action executing in this server on this repo. However, the endpoint of that url (`.../idtoken`) had unintentionally missed a `return` on an internal server error, and was missing a check that the action actually had `enable-openid-connect: true` on it. As a result, it was possible to generate a JWT for accessing third-party resources from an action that wasn't expected to be generating JWTs. In terms of real-world vulnerability, the most likely risk is that the JWT could be generated from a forked pull request. By not using the `$ACTIONS_ID_TOKEN_REQUEST_URL` and instead going directly to the `.../idtoken` endpoint, and parsing a generated JWT response that will be mixed with an error response, it's possible to retrieve a JWT in a forked pull request. It would require a slight misconfiguration on a third-party system to allow that JWT access, but it's a plausible risk. As this is a feature in Forgejo 15 that hasn't been released, it will be fixed in-public. ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests for Go changes (can be removed for JavaScript changes) - I added test coverage for Go changes... - [ ] in their respective `*_test.go` for unit tests. - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I ran... - [x] `make pr-go` before pushing ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change. - [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change. - Feature is not yet released. Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12038 Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org> Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org> Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
2026-05-13 06:20:24 +00:00 · 2026-04-08 17:08:17 +02:00 · 2026-04-08 17:08:17 +02:00 · 437aa7f4a1
commit 437aa7f4a1
parent 72c9acee10
2 changed files with 18 additions and 0 deletions
--- a/routers/api/actions/id_token.go
+++ b/routers/api/actions/id_token.go
@ -6,6 +6,7 @@ package actions
 import (
 	"fmt"
 	"net/http"
+	"slices"
 	"strings"
 	"time"

@ -72,6 +73,7 @@ func IDTokenContexter() func(next http.Handler) http.Handler {
 			if err != nil {
 				log.Error("Error runner api parsing custom claims: %v", err)
 				ctx.Error(http.StatusInternalServerError, "Error runner api parsing custom claims")
+				return
 			}

 			task, err := actions.GetTaskByID(req.Context(), authorizationTokenClaims.TaskID)
@ -99,6 +101,13 @@ func IDTokenContexter() func(next http.Handler) http.Handler {
 				return
 			}

+			generateIDTokenScp := fmt.Sprintf("generate_id_token:%d:%d", task.Job.RunID, task.Job.ID)
+			scp := strings.Split(authorizationTokenClaims.Scp, " ")
+			if !slices.Contains(scp, generateIDTokenScp) {
+				ctx.Error(http.StatusForbidden, "missing scp generate_id_token")
+				return
+			}
+
 			audience := req.URL.Query().Get("audience")
 			if audience == "" {
 				// Default to organization that owns the repo if no audience is provided
--- a/tests/integration/api_actions_id_token_test.go
+++ b/tests/integration/api_actions_id_token_test.go
@ -47,6 +47,8 @@ func TestActionsIDToken(t *testing.T) {

 	token, err := actions_service.CreateAuthorizationToken(task, gitCtx, true)
 	require.NoError(t, err)
+	tokenWithoutOIDCAccess, err := actions_service.CreateAuthorizationToken(task, gitCtx, false)
+	require.NoError(t, err)

 	// get JWKs information
 	req := NewRequest(t, "GET", "/api/actions/.well-known/keys")
@ -118,6 +120,13 @@ func TestActionsIDToken(t *testing.T) {
 		doAssertions("testingAud", claims)
 	})

+	t.Run("with token that doesn't support OIDC", func(t *testing.T) {
+		req = NewRequest(t, "GET", "/api/actions/_apis/pipelines/workflows/792/idtoken?placeholder=true").AddTokenAuth(tokenWithoutOIDCAccess)
+		resp = MakeRequest(t, req, http.StatusInternalServerError)
+		assert.Contains(t, resp.Body.String(), "Error runner api parsing custom claims")
+		assert.NotContains(t, resp.Body.String(), "value") // must not leak an actual `getTokenResponse`
+	})
+
 	t.Run("with no auth header", func(t *testing.T) {
 		req = NewRequest(t, "GET", "/api/actions/_apis/pipelines/workflows/792/idtoken?placeholder=true&audience=testingAud")
 		resp = MakeRequest(t, req, http.StatusUnauthorized)