Migrate GitLab Pages application to `read_api` scope
Follow-up for Investigate how can make pages auth work with o... (#292912 - closed)
Problem
`gitlab-pages` application uses `api` scope by default. Users have to create an OAuth application with scope `api` to match `gitlab-pages` configuration.
We want to migrate from `api` to `read_api` scope to reduce security risks. But it's challenging to do for self-hosted instances, because it requires two changes at once (update `gitlab-pages` configuration and add `read_api` scope to OAuth app). However, we can do it for GitLab.com.
Proposal
- Add `read_api` scope to the OAuth application that `gitlab-pages` on GitLab.com uses. It should be safe to do (needs verification). We would have to request a Production Change.
- Update configuration for `gitlab-pages` that we use for GitLab.com. We need to set `auth-scope=read_api`.
Edited by Vasilii Iakliushin