Support PKCE in the API for more secure connections
Problem to solve
Many users want to build GitLab Pages sites, other static sites, or mobile apps that access the GitLab API. With OAuth2 as it stands, client-only applications (JavaScript or mobile) can use the "implicit grant flow". However, the implicit grant flow is considered insecure because a foreign application can intercept the initial token request.
PKCE is a more secure alternative.
Intended users
Developers intending to use the GitLab API in:
- GitLab Pages sites
- Other static web sites
- Mobile applications
User experience goal
The experience should be invisible to the user, while the connection is more secure. This concerns only the API.
Proposal
Implement the PKCE standard, and provide appropriate warnings about implicit grant flow in the documentation.
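As an added illustration of the proposal (not GitLab's own implementation), the following Ruby sketch shows the RFC 7636 S256 flow: the client derives a code_challenge from a random code_verifier, and a hypothetical token endpoint (`AuthServer`, an assumption here) exchanges an authorization code only when the matching verifier is presented, so a code intercepted by another application is useless on its own.

```ruby
require 'securerandom'
require 'digest'

# PKCE (RFC 7636) helpers: verifier/challenge on the client, verification on the server.
module Pkce
  UNRESERVED = [*'A'..'Z', *'a'..'z', *'0'..'9', '-', '.', '_', '~'].freeze

  # Client side: high-entropy code_verifier of 43..128 unreserved characters (RFC 7636 section 4.1).
  def self.generate_verifier(length = 64)
    raise ArgumentError, 'length must be 43..128' unless (43..128).cover?(length)
    Array.new(length) { UNRESERVED[SecureRandom.random_number(UNRESERVED.size)] }.join
  end

  # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding (section 4.2).
  def self.challenge_for(verifier)
    [Digest::SHA256.digest(verifier)].pack('m0').tr('+/', '-_').delete('=')
  end

  # Constant-time comparison so the token endpoint does not leak the stored challenge via timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Server side: recompute the challenge from the presented verifier and compare it with the
  # challenge stored alongside the authorization code (section 4.6).
  def self.verify(stored_challenge, method, presented_verifier)
    return false unless presented_verifier.is_a?(String) && (43..128).cover?(presented_verifier.length)
    expected = case method
               when 'S256'  then challenge_for(presented_verifier)
               when 'plain' then presented_verifier # permitted by the RFC; S256 should be required
               end
    !expected.nil? && secure_compare(expected, stored_challenge)
  end
end

# Hypothetical in-memory authorization server: each code is single-use and bound to a challenge.
class AuthServer
  def initialize; @codes = {}; end

  def authorize(challenge, method = 'S256')
    SecureRandom.hex(16).tap { |code| @codes[code] = { challenge: challenge, method: method } }
  end

  # Issues a token only if the caller proves possession of the verifier; an intercepted code alone fails.
  def exchange(code, verifier)
    entry = @codes.delete(code) # consumed even when verification fails
    entry && Pkce.verify(entry[:challenge], entry[:method], verifier) ? "token-#{SecureRandom.hex(8)}" : nil
  end
end
```

The test vector (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`, challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`) comes from RFC 7636 Appendix B.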
Further details
A major customer expressed interest in this. In the end they will probably write server-side code to call the API, but the issue surfaced there. Also, our own Services Calculator uses the API from a public client-side-only application, so I suspect it is vulnerable to attack.
Here's a video that explains PKCE