[Feature flag] Enable OmniAuth minimal scopes on Login
Summary
- Introduced by: !78556 (merged)
- Merge commit: 90bbb851
This issue is to rollout minimal scopes on OAuth Login on production,
that is currently behind the omniauth_login_minimal_scopes
feature flag.
This feature enables our OAuth authorizations controller to identify applications that are being used for log-in,
and then ensure that the access token is created with the minimal set of authorizations (specifically, read_user
instead of api
or read_api
).
This feature requires collaboration between the client and the server, in the form of an authorization parameter, and and may have the effect of requiring users to re-authorize their application.
Owners
- Team: ~"group::authentication and authorization"
- Most appropriate slack channel to reach out to:
#g_manage_auth
- Best individual to reach out to: @alexkalderimis
- PM: @hsutor
Stakeholders
We will need documentation to be updated in preparation for this. Customers with large deployments with many GitLab instances should be contacted to advise them of this change.
- The Support Team
Expectations
What are we expecting to happen?
We expect that users who have an existing access token will be asked to re-authorize at a lower permission level. New users will see lower permission levels requested of them on sign-in.
When is the feature viable?
Immediately. This is a security improvement with some UI implications, and is thus made configurable.
What might happen if this goes wrong?
If this causes disruption for users (many users wondering why they have to re-authorize), we might want to turn this flag off so we can update UI text and communicate the need for this better.
In the worst cases, unforeseen issues could cause failures by the OAuth::AuthorizationsController
, preventing
new sessions being created via omniauth. If this happens, we would expect spikes in 500 errors, and we should
disable the FF.
What can we monitor to detect problems with this?
The Authorization dashboard: https://dashboards.gitlab.net/d/stage-groups-authentication_and_authoriz/stage-groups-group-dashboard-manage-authentication-and-authorization?orgId=1
This does not seem to cover OAuth endpoints however (@hsutor: could we add OAuth endpoints to this dashboard?)
What can we check for monitoring production after rollouts?
Rollout Steps
Rollout on non-production environments
- Ensure that the feature MRs have been deployed to non-production environments.
-
/chatops run auto_deploy status 90bbb851bcd4f8725d9a801c723413fc1c5ec52d
-
-
Enable the feature globally on non-production environments. -
/chatops run feature set omniauth_login_minimal_scopes true --dev
-
/chatops run feature set omniauth_login_minimal_scopes true --staging
-
-
Verify that the feature works as expected. Posting the QA result in this issue is preferable.
When logging with staging on an application configured with api
scopes only:
Specific rollout on production
- Ensure that the feature MRs have been deployed to both production and canary.
-
/chatops run auto_deploy status 90bbb851bcd4f8725d9a801c723413fc1c5ec52d
-
- If you're using user-actor, you must enable the feature on these entries:
-
/chatops run feature set --user=<your-username> omniauth_login_minimal_scopes true
-
-
Verify that the feature works on the specific entries. Posting the QA result in this issue is preferable.
Preparation before global rollout
-
Check if the feature flag change needs to be accompanied with a change management issue. Cross link the issue here if it does. -
Ensure that you or a representative in development can be available for at least 2 hours after feature flag updates in production. If a different developer will be covering, or an exception is needed, please inform the oncall SRE by using the @sre-oncall
Slack alias. -
Ensure that documentation has been updated (More info). -
Announce on the feature issue an estimated time this will be enabled on GitLab.com. -
Notify #support_gitlab-com
and your team channel (more guidance when this is necessary in the dev docs).
Global rollout on production
For visibility, all /chatops
commands that target production should be executed in the #production
slack channel and cross-posted (with the command results) to the responsible team's slack channel (#g_TEAM_NAME
).
-
Incrementally roll out the feature. - We will be using actor based rollout, in steps of at least 2 hours:
-
/chatops run feature set omniauth_login_minimal_scopes 5 --actors
-
/chatops run feature set omniauth_login_minimal_scopes 25 --actors
-
/chatops run feature set omniauth_login_minimal_scopes 50 --actors
-
/chatops run feature set omniauth_login_minimal_scopes 75 --actors
-
- Enable the feature globally on production environment.
-
/chatops run feature set omniauth_login_minimal_scopes true
-
- We will be using actor based rollout, in steps of at least 2 hours:
-
Announce on the feature issue that the feature has been globally enabled. -
Wait for at least one day for the verification term.
Release the feature
After the feature has been deemed stable, the clean up should be done as soon as possible to permanently enable the feature and reduce complexity in the codebase.
-
Create a merge request to remove omniauth_login_minimal_scopes
feature flag (!83453 (merged)). Ask for review and merge it.-
Remove all references to the feature flag from the codebase. -
Remove the YAML definitions for the feature from the repository. -
Create a changelog entry.
-
-
Ensure that the cleanup MR has been deployed to both production and canary. If the merge request was deployed before the code cutoff, the feature can be officially announced in a release blog post. -
/chatops run auto_deploy status 618486a3185788be95a5961b3edc42841d20acf5
-
-
Close the feature issue to indicate the feature will be released in the current milestone. -
Clean up the feature flag from all environments by running these chatops command in #production
channel:-
/chatops run feature delete omniauth_login_minimal_scopes --dev
-
/chatops run feature delete omniauth_login_minimal_scopes --staging
-
/chatops run feature delete omniauth_login_minimal_scopes
-
-
Close this rollout issue.
Rollback Steps
-
This feature can be disabled by running the following Chatops command:
/chatops run feature set omniauth_login_minimal_scopes false