Reduce GitLab oauth's scope from api (full access) to read_user #17954

Closed
alikhajeh1 opened this issue Jan 1, 2018 · 4 comments
Labels: area/security, component/auth, lifecycle/frozen, priority/P2, sig/security

alikhajeh1 commented Jan 1, 2018

Currently the GitLab oauth implementation uses the api scope, which results in users seeing this from GitLab: "Full access to GitLab as the user, including read/write on all their groups and projects."

GitLab introduced read_user in version 8.15, which seems better suited for this purpose; the description of the scope is "Read-only access to the user's profile information, like username, public email and full name." I think that would make it similar to what Origin does for GitHub.

Version

oc v3.6

mfojtik commented Jan 2, 2018

@alikhajeh1 the "read_user" exists from version 8.15 and up, right? If users deploy lower versions, this will break the auth?

alikhajeh1 (Author) commented

@mfojtik yeah it was added in 8.15 (so released just over a year ago): https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/5951
Yeah it'll probably break auth for older GL versions so I wonder if https://docs.openshift.org/latest/install_config/configuring_authentication.html#GitLab could have it as a configuration option?

@simo5 simo5 assigned enj Jan 2, 2018
openshift-bot commented

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci-robot openshift-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 2, 2018
@enj enj added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Apr 26, 2018
enj commented Jun 11, 2018

@alikhajeh1 have you tried using GitLab's OIDC support to reduce the scope to openid? See https://trello.com/c/DXntmEOV for details.
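Added example, not code from this issue or from Origin: it shows the two points raised in the thread in working form, choosing read_user only when the GitLab version is 8.15 or later (falling back to api for older instances, as mfojtik's concern implies) and checking that the token GitLab actually issued is no broader than what was requested. The GitLab URL, client id and redirect URI are constructed placeholders, and the presence of a "scope" field in the token response is an assumption.

```python
import re
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders for the example; not values from the issue.
GITLAB_URL = "https://gitlab.example.com"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://origin.example.com/oauth2callback/gitlab"

# read_user first shipped in GitLab 8.15; older instances only know the api scope.
READ_USER_MIN_VERSION = (8, 15)


def choose_scope(gitlab_version: str) -> str:
    """Pick the least-privileged scope the target GitLab version supports.

    gitlab_version is a "major.minor[.patch][-suffix]" string such as "8.15.0-ee".
    """
    match = re.match(r"(\d+)\.(\d+)", gitlab_version)
    if not match:
        raise ValueError(f"unrecognised GitLab version: {gitlab_version!r}")
    major, minor = int(match.group(1)), int(match.group(2))
    return "read_user" if (major, minor) >= READ_USER_MIN_VERSION else "api"


def build_authorize_url(gitlab_url: str, client_id: str, redirect_uri: str,
                        state: str, scope: str) -> str:
    """Build the GitLab authorization-code request with an explicit scope."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,  # CSRF binding; must be unguessable and per-login
        "scope": scope,
    }
    return f"{gitlab_url.rstrip('/')}/oauth/authorize?{urlencode(params)}"


def requested_scope(authorize_url: str) -> str:
    """Read the scope back out of an authorize URL (useful for config audits)."""
    return parse_qs(urlparse(authorize_url).query).get("scope", [""])[0]


def granted_scope_is_minimal(token_response: dict, requested: str) -> bool:
    """True only if the issued token carries exactly the requested scope.

    Assumption: the /oauth/token JSON contains a space-separated "scope" field.
    A broader grant (e.g. "api" when "read_user" was requested) is flagged so the
    token can be revoked instead of stored.
    """
    granted = set(token_response.get("scope", "").split())
    return granted == set(requested.split())
```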
