Scoped API OAuth and Access Token Authorization
Problem to solve
Allow developers and companies to build applications that use the GitLab API without seeing every single group and project. Right now, any helper script or app that needs to download data from or interact with GitLab must be granted an overly broad scope, which is a security nightmare. It should be possible to restrict API access to a user's own account, to a group, or even just to selected repositories.
Intended users
Companies on GitLab.com that allow developers to use personal GitLab accounts to work in company groups. Developers who are security conscious and don't want to build applications that interact with GitLab with more permissions than required.
Further details
The main benefit is reduced security risk for developers and companies integrating with the GitLab API.
Proposal
Permissions and Security
Documentation
Testing
What does success look like, and how can we measure that?
Links / references
Related issue that would solve part of this: gitlab-ce#59336
Original place I submitted this issue: gitlab-ce#67006