api_read_only scope for personal access tokens

Description

Personal Access Tokens let developers write scripts that read and write through the API, automating manual tasks so they can work more efficiently.

Scopes we offer

  • api: Access the authenticated user's API. Full access to GitLab as the user, including read/write on all their groups and projects.
  • read_user: Read the authenticated user's personal information. Read-only access to the user's profile information, like username, public email and full name.
  • read_registry: Read Registry. Read Registry.

Scope we need (want)

  • api_read_only: Access the authenticated user's API with read-only access.

Problem

Security has become an ever-evolving and growing problem for everyone. We hear about login credential and API leaks in the news so regularly that I don't think I need to add references to those news articles here. To prevent unintended consequences, we should limit the attack surface.

Use case

In this particular use case with the api scope, we offer full access to the user's account.

What if all I wanted was to gain visibility on my account, without execute privileges? I would be forced to use the scope with full privileges.

Example: Administrative visibility (read-only privileges on both public and private repos) outside of the GitLab UI of changes to issues, maybe posted to a Slack channel.

Unfortunately, if that API key was ever compromised, the attacker would be able to read and perform any administrative actions on behalf of that user.

Benefits

Increased security for all users, including enterprise customers leveraging our Personal Access Token service.

Goal

  1. Reduce the attack surface for our users in the event of a Personal Access Token compromise.
  2. Increase customer confidence that we do our best to protect the interest of our users.

Proposal

Create the api_read_only scope.

I'm not a Rails developer, but from my understanding we already have most of the code worked out with the api scope. I hope we could reuse that code, remove the execute privileges, and offer api_read_only access for our users.
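To make the difference between the two scopes concrete, here is an added Ruby example (not GitLab's own code, and not how GitLab's Rails code base actually implements scopes) that models scope-based authorization for a personal access token. It assumes a REST-shaped API where GET/HEAD/OPTIONS are the read-only methods, keys scopes to permitted HTTP methods (and, for the narrower scopes, to path prefixes), and uses a constructed in-memory token store with the PRIVATE-TOKEN header. The permitted_operations helper shows what the Use case section describes: with api_read_only a leaked token can still list issues, but it cannot create issues, add deploy keys or delete projects.

```ruby
# Added example: least-privilege scope enforcement for personal access tokens.
# The scope names come from the issue; the method/path mapping is an assumption.

READ_METHODS  = %w[GET HEAD OPTIONS].freeze
WRITE_METHODS = %w[POST PUT PATCH DELETE].freeze

# HTTP methods each scope may use. "api" keeps full read/write;
# "api_read_only" is the proposed scope with the execute privileges removed.
SCOPE_METHODS = {
  'api'           => READ_METHODS + WRITE_METHODS,
  'api_read_only' => READ_METHODS,
  'read_user'     => READ_METHODS,
  'read_registry' => READ_METHODS,
}.freeze

# Path prefixes a scope is confined to; a scope absent here covers the whole API.
# Constructed for the example.
SCOPE_PATHS = {
  'read_user'     => ['/api/v4/user'],
  'read_registry' => ['/api/v4/registry'],
}.freeze

# Constructed token store. A real store would hold only a hash of the token;
# plaintext is used here purely to keep the example self-contained.
TOKENS = {
  'glpat-full-example'     => { user: 'alice', scopes: ['api'],           expires_at: nil },
  'glpat-readonly-example' => { user: 'alice', scopes: ['api_read_only'], expires_at: nil },
  'glpat-expired-example'  => { user: 'bob',   scopes: ['api'],           expires_at: Time.utc(2018, 1, 1) },
}.freeze

AuthResult = Struct.new(:allowed, :reason, :user)

# Decide whether a request may proceed, given its headers, HTTP method and path.
def authorize(headers, method, path, now: Time.now.utc)
  token = headers['PRIVATE-TOKEN']
  return AuthResult.new(false, 'missing token', nil) if token.nil? || token.empty?

  record = TOKENS[token]
  return AuthResult.new(false, 'unknown token', nil) unless record
  if record[:expires_at] && record[:expires_at] <= now
    return AuthResult.new(false, 'expired token', record[:user])
  end

  m = method.to_s.upcase
  permitted = record[:scopes].any? { |scope|
    methods = SCOPE_METHODS[scope]
    next false unless methods && methods.include?(m)
    prefixes = SCOPE_PATHS[scope]
    prefixes.nil? || prefixes.any? { |prefix| path.start_with?(prefix) }
  }

  if permitted
    AuthResult.new(true, 'ok', record[:user])
  else
    AuthResult.new(false, "scopes #{record[:scopes].join(',')} do not permit #{m} #{path}", record[:user])
  end
end

# Constructed sample of operations an attacker holding a leaked token might try.
SAMPLE_OPERATIONS = [
  ['list issues',    'GET',    '/api/v4/projects/1/issues'],
  ['create issue',   'POST',   '/api/v4/projects/1/issues'],
  ['add deploy key', 'POST',   '/api/v4/projects/1/deploy_keys'],
  ['delete project', 'DELETE', '/api/v4/projects/1'],
].freeze

# Names of the sample operations a given token value is allowed to perform:
# the blast radius of that token if it leaks.
def permitted_operations(token)
  SAMPLE_OPERATIONS
    .select { |_, m, p| authorize({ 'PRIVATE-TOKEN' => token }, m, p).allowed }
    .map(&:first)
end

if __FILE__ == $PROGRAM_NAME
  TOKENS.each_key do |t|
    puts "#{t}: #{permitted_operations(t).inspect}"
  end
end
```

The check is deliberately deny-by-default: a scope the server does not recognise grants nothing, and expiry is evaluated before scopes so an old token with broad scope is still refused. A Slack integration like the one in the Use case would be issued only glpat-readonly-example, so a compromise of that token exposes issue data but no write or administrative action.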

Links / references

https://docs.gitlab.com/ce/user/profile/personal_access_tokens.html