Notification emails for newly authorized OAuth applications
Proposal
When a user authorizes a new OAuth application, they should be notified via email. This issue describes the reasoning for this alert on the creation of Personal Access Tokens (PATs). An OAuth application can act as the user, in much the same way as a PAT.
Attackers may trick legitimate users into authorizing an OAuth application, granting them full access to their account. Or, they may leverage stolen credentials to authorize an OAuth application to maintain persistence in their account even in the event of a password change.
If this happens, an email alert would be an early indicator to the user that something suspicious has occurred. They will have an opportunity to respond and determine if the application authorization was legitimate or not.
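The alert flow described above, as an added example rather than GitLab's own code: a small Ruby event processor that compares each OAuth authorization or PAT creation event against what the user already has, emits an email-style notification only for new ones, keeps the list of authorizations that survive a password change, and offers the revoke step the email is meant to prompt. The event shape, the application names, and every scope name other than GitLab's "api" are constructed assumptions.

```ruby
# Added example, not GitLab's own code: models the proposed notification as an
# event processor over constructed authorization events.
require 'time'

# Hypothetical event shape, loosely modelled on what an OAuth provider library
# records when it creates an access grant or token (assumption, not a real API).
AuthEvent = Struct.new(:user, :kind, :app_name, :scopes, :created_at, keyword_init: true)

# Scopes that let an application act as the user. "api" is GitLab's full-access
# scope; "sudo" is assumed here as an admin-level scope for illustration.
FULL_ACCESS_SCOPES = %w[api sudo].freeze

class AuthorizationNotifier
  def initialize
    # user => { app_name => created_at } for authorizations still active
    @active = Hash.new { |h, k| h[k] = {} }
    @sent = []
  end

  attr_reader :sent

  # Process one event. Returns the notification that would be emailed for a
  # newly authorized application or token, or nil if the user already had it
  # (e.g. a token refresh for an application authorized earlier).
  def process(event)
    apps = @active[event.user]
    return nil if apps.key?(event.app_name)

    apps[event.app_name] = event.created_at
    notification = {
      to: event.user,
      subject: "New #{event.kind} authorized: #{event.app_name}",
      body: body_for(event),
      full_access: (event.scopes & FULL_ACCESS_SCOPES).any?
    }
    @sent << notification
    notification
  end

  # Authorizations are not passwords: rotating the password does not revoke
  # them, so this list is what an attacker's persistence would look like.
  def active_for(user)
    @active[user].keys
  end

  # The response the email should enable: revoke what was not legitimate.
  # Returns true if something was revoked, false if nothing matched.
  def revoke(user, app_name)
    @active[user].delete(app_name) ? true : false
  end

  private

  def body_for(event)
    [
      "A #{event.kind} named \"#{event.app_name}\" was authorized on your account",
      "at #{event.created_at.utc.iso8601} with scopes: #{event.scopes.join(', ')}.",
      'If you did not do this, revoke it from your profile settings and review recent activity.'
    ].join(' ')
  end
end

# Constructed sample stream: a legitimate CLI login, a refresh for the same
# application, an unexpected full-access application, then a read-only PAT.
SAMPLE_EVENTS = [
  AuthEvent.new(user: 'alice', kind: 'OAuth application', app_name: 'GitLab CLI',
                scopes: %w[api], created_at: Time.utc(2024, 1, 10, 9, 0, 0)),
  AuthEvent.new(user: 'alice', kind: 'OAuth application', app_name: 'GitLab CLI',
                scopes: %w[api], created_at: Time.utc(2024, 1, 10, 9, 5, 0)),
  AuthEvent.new(user: 'alice', kind: 'OAuth application', app_name: 'unknown-sync-tool',
                scopes: %w[api], created_at: Time.utc(2024, 1, 11, 2, 30, 0)),
  AuthEvent.new(user: 'alice', kind: 'personal access token', app_name: 'ci-deploy',
                scopes: %w[read_api], created_at: Time.utc(2024, 1, 11, 8, 0, 0))
].freeze

# Feed the sample stream through a fresh notifier and return it for inspection.
def run_sample
  notifier = AuthorizationNotifier.new
  SAMPLE_EVENTS.each { |e| notifier.process(e) }
  notifier
end

if __FILE__ == $PROGRAM_NAME
  run_sample.sent.each { |n| puts "#{n[:to]}: #{n[:subject]} (full access: #{n[:full_access]})" }
end
```

Running the sample yields three notifications out of four events: the second "GitLab CLI" event is a refresh of an application already authorized and produces nothing, while the unknown full-access application is flagged so the user can revoke it.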
The following MITRE ATT&CK resources describe how this could be abused, including links to known attacks leveraging these techniques:
This behavior (no alert being received) can be reproduced with our official GitLab CLI tool by running "glab auth login" and selecting "web" as the login method. The application is granted full access to the user's account, and no email alert is sent.