Alias GitHub/Bitbucket Cloud OAuth2 callback URLs to prevent covert redirections
From https://gitlab.com/gitlab-com/gl-infra/production/issues/662, we have an issue where we can't securely share the same OAuth2 application among GitHub logins and imports because the callback URLs are different:
/users/auth/github/callback
/import/github/callback
The same goes for Bitbucket.
Either we have to put these callbacks under the same URL structure (e.g. /callbacks/oauth/github/, with /callbacks/oauth/github/import and /callbacks/oauth/github/login), or we have to split the OAuth2 credentials into two different applications.
On the infra side, it should be possible to use a separate subdomain (e.g. oauth.gitlab.com) to handle all OAuth2 callbacks, but that seems like a separate issue.
Edited by Stan Hu
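An added illustration of why the shared callback prefix matters, not code from this issue or from GitLab: it models a provider that accepts any redirect_uri at or under the registered callback URL (the subpath matching GitHub documents for its OAuth apps, treated here as an assumption) and computes the narrowest URL one shared application would have to register for each callback layout. The host name is a constructed placeholder.

```ruby
require "uri"

# Longest common directory prefix (always ending in "/") of a set of callback
# paths: the narrowest callback URL one shared OAuth2 application could
# register if the provider accepts redirects under that URL.
def common_callback_prefix(paths)
  return "/" if paths.empty?
  segments = paths.map { |p| p.split("/").reject(&:empty?) }
  shared = []
  segments.first.each_with_index do |seg, i|
    break unless segments.all? { |s| s[i] == seg }
    shared << seg
  end
  "/" + shared.map { |s| "#{s}/" }.join
end

# Modelled provider check (assumption, not a provider's own code): the
# redirect_uri is accepted when it equals the registered callback URL or
# lies under it as a subpath, on the same scheme, host and port.
def redirect_accepted?(registered, redirect_uri)
  reg = URI.parse(registered)
  red = URI.parse(redirect_uri)
  return false unless [reg.scheme, reg.host, reg.port] == [red.scheme, red.host, red.port]
  dir = reg.path.end_with?("/") ? reg.path : "#{reg.path}/"
  red.path == reg.path || red.path.start_with?(dir)
end

# For one application shared by the given callback paths, report the URL it
# would have to register and whether an unrelated path on the site would also
# be accepted as a redirect target (the covert-redirect exposure).
def shared_app_exposure(origin, paths, probe_path = "/some/unrelated/page")
  registered = origin + common_callback_prefix(paths)
  { registered: registered,
    unrelated_path_accepted: redirect_accepted?(registered, origin + probe_path) }
end

if __FILE__ == $PROGRAM_NAME
  origin = "https://gitlab.example.com" # constructed placeholder host
  current  = ["/users/auth/github/callback", "/import/github/callback"]
  proposed = ["/callbacks/oauth/github/login", "/callbacks/oauth/github/import"]
  p shared_app_exposure(origin, current)  # must register "/", so any path is accepted
  p shared_app_exposure(origin, proposed) # registers only the narrow prefix
end
```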