Follow-up from "Fix OAuth documentation and tests for Resource Owner Password Credentials Grant"
Background
The following discussions from !32878 (merged) should be addressed:
- @mjang1 started a discussion: (+1 comment) @dblessing I see that @toupeira has done an extensive code review, but I think you should know about this.
  I do agree with the interpretation of the OAuth 2 spec that's led to this MR, and I appreciate @nikitabulai's extensive work here.
  I do have one question: should our code (and documented `curl` REST call) include a reference to some OAuth2 scope? I think all OAuth 2 access tokens have scopes? I don't see a reference to OAuth 2 scopes in this MR.
- @nikitabulai started a discussion: (+1 comment) GitLab has both default and optional scopes - https://gitlab.com/gitlab-org/gitlab/-/blob/master/config/initializers/doorkeeper.rb#L67-68
  So we can point to some of them (`api` is from the default list) in the docs example.
@mjang1 started a discussion: (+7 comments)
Proposal
Suggested resolution:
- Set up an SSoT for OAuth 2 token scopes, similar to https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/user/profile/personal_access_tokens.md#limiting-scopes-of-a-personal-access-token. Perhaps link from all related token sections. I wish there were an SSoT, and would yield to a link if someone found one.
- By default, the scope of the access token is `api`, which provides complete read/write access.
Links
- In the code the scopes are defined in `lib/gitlab/auth.rb`.
- There's a list of scopes for personal access tokens here: https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/user/profile/personal_access_tokens.md#limiting-scopes-of-a-personal-access-token
- There's another list here for project access tokens: https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html#limiting-scopes-of-a-project-access-token
- The `openid` scope is mentioned on https://docs.gitlab.com/ee/integration/openid_connect_provider.html, but we later also added `profile` and `email` (standardized names from the OIDC spec), which are still missing in the docs.
- The `sudo` scope is mentioned on https://docs.gitlab.com/ee/api/#sudo.
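To make the scope behaviour the docs should describe concrete, here is an added example (not GitLab's or Doorkeeper's code) of how a Resource Owner Password Credentials token request carries a `scope` parameter and how a server modelled on Doorkeeper's default/optional split resolves it. The scope list is constructed from the scopes named in this issue only; the real list lives in `lib/gitlab/auth.rb`.

```ruby
require 'set'

# Constructed from the scopes named in this issue (not the full GitLab list).
# `api` is the default scope; the rest are optional scopes a client may request.
DEFAULT_SCOPES  = %w[api].freeze
OPTIONAL_SCOPES = %w[openid profile email sudo].freeze
KNOWN_SCOPES    = Set.new(DEFAULT_SCOPES + OPTIONAL_SCOPES).freeze

# Resolves the `scope` parameter of a token request (RFC 6749 sends scopes as
# a space-delimited string). An absent or empty parameter falls back to the
# server's default scope; any unknown scope is rejected as `invalid_scope`
# rather than silently dropped.
def resolve_scopes(scope_param)
  requested = scope_param.to_s.split(' ').reject(&:empty?).uniq
  return DEFAULT_SCOPES.dup if requested.empty?

  unknown = requested.reject { |s| KNOWN_SCOPES.include?(s) }
  raise ArgumentError, "invalid_scope: #{unknown.join(' ')}" unless unknown.empty?

  requested
end

# Builds the form body of a password-grant token request, showing where the
# scope goes in the documented curl call (endpoint path is not modelled here).
def ropc_token_request_body(username:, password:, scopes:)
  {
    grant_type: 'password',
    username: username,
    password: password,
    scope: scopes.join(' ')
  }
end

# `api` grants complete read/write access; an OIDC-only token does not.
def full_api_access?(scopes)
  scopes.include?('api')
end

if __FILE__ == $PROGRAM_NAME
  puts resolve_scopes(nil).inspect                     # default: ["api"]
  puts resolve_scopes('openid profile email').inspect  # OIDC-only token
  puts ropc_token_request_body(username: 'user', password: 'example-password',
                               scopes: resolve_scopes('api')).inspect
end
```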