`glab auth login` workflow changes
I opened this issue #233 (closed) as a feature request to create better authentication between glab
and GitLab and also, dynamically create access token for users directly using their username and password.
However, GitLab currently does not support creating an access token using the GitLab API. Access tokens can only be created on GitLab's web UI.
There is an issue on this. A merge request was created to resolve this but it was closed in favour of this comment:
It makes sense that this API is restricted to admin users, since it can be used by a malicious third-party application to preserve access even after a revoke:
User gives token PAT-1 to application Application accesses personal access tokens API to create token PAT-2 User revokes PAT-1 Application can still access the API using PAT-2
GitLab also allows creating impersonation token but this operation is limited to only admins https://docs.gitlab.com/ce/api/users.html#create-an-impersonation-token
For this reason, glab
will only allow authentication via personal access tokens. The users are supposed to create the access token with these minimum scopes [api, write_repository]. GitLab docs on the scopes can be found here
glab
must validate the token and ensure it has the minimum scopes.
The authentication flow using glab auth login
command changes to:
$ glab login
? Which instance do you want to log in? [Use arrows to move, type to filter]
GitLab.com
> GitLab Self Hosted
# if self-hosted is selected, ask for hostname
? Hostname: gitlab.example.com
? Token: xxxxx
- Verifying token ...
✓ Authenticated successfully
Suggested Flags
-h, --hostname The hostname of the GitLab instance to authenticate with. Will not be prompted for hosted if specified
-w, --with-token Read token from standard input
References: gitlab#17176 (closed) gitlab#17176 (comment 214950031) gitlab!37703 (closed)