
Sender constraining access tokens

Rohit Shambhuni requested to merge sender-constraining-access-tokens into main

The blueprint captures the specification and implementation details in rolling out the Demonstrating Proof of Possession (DPoP) mechanism for Personal Access Tokens (PATs). There is a section at the end that talks about the mTLS solution as well and describes why we chose DPoP over mTLS.

The suggestion is to add the DPoP feature as a setting under the User profile section, perhaps in the Personal Access Tokens page, that interested users can enable to protect all API access through their PAT.

Related to gitlab-org/gitlab#425130 and https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/509.

Edited by Rohit Shambhuni
