Final Removal of OAuth Implicit Grant
Deprecation Summary
Related to #288516 (closed)
Deprecation of OAuth Implicit Grant. This was announced in %14.0 and the final removal will take place in %15.0.
The implicit grant has security flaws that have been known since the inception of OAuth and are mentioned in the 2012 OAuth RFC. Back then it was the only solution for pure client-side apps (SPA, mobile, etc.) that rely only on third-party servers for authentication, but nowadays we have the authorization code grant with PKCE, which is the modern and safer alternative.
The latest OAuth security recommendations from the IETF are also clear on the subject (emphasis mine):
The implicit grant (response type "token") and other response types causing the authorization server to issue access tokens in the authorization response are vulnerable to access token leakage and access token replay as described in Section 4.1, Section 4.2, Section 4.3, and Section 4.6.
Moreover, no viable mechanism exists to cryptographically bind access tokens issued in the authorization response to a certain client as it is recommended in Section 2.2. This makes replay detection for such access tokens at resource servers impossible.
In order to avoid these issues, clients SHOULD NOT use the implicit grant (response type "token") or other response types issuing access tokens in the authorization response, unless access token injection in the authorization response is prevented and the aforementioned token leakage vectors are mitigated.
The implicit grant is removed from OAuth in OAuth 2.1 (still in draft).
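As an added illustration (not GitLab's code and not part of this issue), here is the authorization code exchange with PKCE that replaces the implicit grant: no access token travels back through the browser, and a code captured from the redirect is useless without the verifier and cannot be replayed. The function names and the in-memory code store are constructed for the example; the verifier/challenge rule is the one from RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# PKCE per RFC 7636: code_challenge = BASE64URL(SHA256(code_verifier)).
# The function names and the in-memory code store below are constructed
# for this example; they are not GitLab's or any library's API.

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    # 32 random bytes -> 43 base64url characters, the RFC 7636 minimum length.
    return b64url(secrets.token_bytes(32))

def make_code_challenge(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

# Authorization-server state: code -> {client_id, challenge, used}.
_issued_codes: Dict[str, dict] = {}

def authorize(client_id: str, code_challenge: str, method: str = "S256") -> str:
    """Authorization endpoint. Unlike the implicit grant, only a short-lived
    code goes back through the browser; no access token is issued here."""
    if method != "S256":
        raise ValueError("only S256 is accepted; 'plain' gives no protection")
    code = b64url(secrets.token_bytes(24))
    _issued_codes[code] = {"client_id": client_id,
                           "challenge": code_challenge, "used": False}
    return code

def exchange(code: str, client_id: str, code_verifier: str) -> Optional[str]:
    """Token endpoint. The token is released only to the party that holds
    the verifier, so a code leaked from the redirect URL cannot be redeemed
    by anyone else, and a used code cannot be replayed."""
    rec = _issued_codes.get(code)
    if rec is None or rec["used"] or rec["client_id"] != client_id:
        return None
    presented = make_code_challenge(code_verifier)
    if not hmac.compare_digest(presented, rec["challenge"]):
        return None
    rec["used"] = True
    return "access-token-" + b64url(secrets.token_bytes(16))
```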
Breaking Change
Yes
Affected Topology
Both SaaS and Self-Managed
Affected Tier
Checklist
- @mention your stage's stable counterparts on this issue. For example, Customer Support, Customer Success (Technical Account Manager), Product Marketing Manager.
  - To see who the stable counterparts are for a product team visit product categories
  - If there is no stable counterpart listed for Sales/CS please mention @timtams
  - If there is no stable counterpart listed for Support please @mention @gitlab-com/support/managers
  - If there is no stable counterpart listed for Marketing please mention @williamchia
- @mention your GPM so that they are aware of planned deprecations. The goal is to have reviews happen at least two releases before the final removal of the feature or introduction of a breaking change.
Deprecation Milestone
Announced 2021-09-22