Enforce SSO-Only Authentication for Git Activity is blocking Project Access Token use for APIs
Summary
Enabling "Enforce SSO-only authentication for Git activity for this group" results in a 400 error with the message "Cannot find valid SSO session. Please login via your group's SSO", even for Project Access Tokens / Project Bot Users.
This may be limited to APIs that perform Gitaly/git operations only. I've only tested and verified with the Branches API.
Steps to reproduce
- Create or have an existing Project Access Token for a project
- Check "Enforce SSO-only authentication for Git activity for this group" for an SSO-enabled group
- Try to create a new branch using the Branches API
- The response will be a 400 with the message: {"message":"Cannot find valid SSO session. Please login via your group's SSO at https://gitlab.com/groups/groupname/-/saml/sso?token=XXXXXXXX"}
Log-wise, there's a 401 returned for a request by Gitaly to "path": "/api/v4/internal/allowed" for the branch creation operation.
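The reproduction above, as an added script that is not part of the issue: it creates a branch through the Branches API with a Project Access Token and tells the SSO-enforcement 400 apart from a successful 201 and from other errors. The GITLAB_URL, PROJECT_ID, PROJECT_TOKEN environment variables and the branch name "sso-check" are assumptions, and the sample bodies in the comments are constructed from the message quoted in the report.

```python
"""Reproduce the report: POST /projects/:id/repository/branches with a
Project Access Token and classify the response (added example, not from
the issue; env var names and the branch name are assumptions)."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Fixed prefix of the error body quoted in the issue.
SSO_MARKER = "Cannot find valid SSO session"


def classify(status, body):
    """Map an API response to ('created' | 'sso_enforced' | 'other', detail).

    For the SSO-enforcement case the detail is the group SSO URL embedded
    in the message, which identifies the group whose setting blocked the call.
    """
    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:
        payload = {}
    message = payload.get("message", "") if isinstance(payload, dict) else ""
    if status == 201:  # Branches API returns 201 Created on success
        return "created", payload.get("name")
    if status == 400 and SSO_MARKER in message:
        url = next((w for w in message.split() if w.startswith("http")), None)
        return "sso_enforced", url
    return "other", message or f"HTTP {status}"


def create_branch(base_url, project_id, token, branch, ref="main"):
    """Call the Branches API with the token in the PRIVATE-TOKEN header."""
    query = urllib.parse.urlencode({"branch": branch, "ref": ref})
    req = urllib.request.Request(
        f"{base_url}/api/v4/projects/{project_id}/repository/branches?{query}",
        method="POST", headers={"PRIVATE-TOKEN": token})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return classify(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a JSON body
        return classify(err.code, err.read().decode())


if __name__ == "__main__":
    kind, detail = create_branch(
        os.environ.get("GITLAB_URL", "https://gitlab.com"),
        os.environ["PROJECT_ID"], os.environ["PROJECT_TOKEN"], "sso-check")
    print(kind, detail)
```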
Example Project
I tested by enabling "Enforce SSO-only authentication for Git activity for this group" on https://gitlab.com/gitlab-silver with a Project Access Token created for https://gitlab.com/gitlab-silver/jayo-saml-test/branch-testing
What is the current bug behavior?
Project Access Tokens / Project Bots receive a 400 for API requests.
What is the expected correct behavior?
Project Access Tokens / Project Bots should be allowed to make API operations, even involving git operations.
Relevant logs and/or screenshots
Kibana logs for my test: https://log.gprd.gitlab.net/goto/1d3f8ecdb281bcee93e9fb2282fe1000