OAuth public client authorization should always require consent
OAuth public client authorisation should always require consent, even if user previously consented. This is necessary because OAuth public clients are inherently vulnerable to client impersonation.
Vulnerability CVE-2023-34246 was fixed upstream in Doorkeeper. The vulnerability remains in GitLab even after updating Doorkeeper because GitLab overrides the new method.
IMHO this should be a CVE in GitLab too. I first reported this vulnerability on HackerOne in April 2023, but the issue was closed.
Note: See the in-flight community contribution MR that should be completed for this issue.
Edited by Adil Farrukh
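The rule the issue asks for, as an added example that is not GitLab's or Doorkeeper's code: a consent screen may be skipped only when the client is confidential (it can prove its identity with a secret) and an unrevoked earlier grant for the same user and client already covers every requested scope. For a public client the request may have been crafted by anyone who knows the client_id, so an earlier consent must never be reused. The `Client`, `Grant`, `skip_consent?` and `authorization_decision` names and the sample grants are hypothetical and constructed for this example.

```ruby
# Added example (not GitLab or Doorkeeper code). Names and data are hypothetical.

Client = Struct.new(:client_id, :confidential, keyword_init: true)
Grant  = Struct.new(:client_id, :user_id, :scopes, :revoked, keyword_init: true)

# Returns true only when it is safe to reuse an earlier consent:
# the client is confidential AND an unrevoked grant for this user and client
# already covers every requested scope.
def skip_consent?(client:, user_id:, requested_scopes:, grants:)
  # A public client has no secret, so any party can send a request carrying
  # its client_id (for example another app on the same device claiming its
  # redirect URI). Reusing the user's old consent would hand that party an
  # authorization code without the user noticing. Always prompt.
  return false unless client.confidential

  grants.any? do |g|
    g.client_id == client.client_id &&
      g.user_id == user_id &&
      !g.revoked &&
      (requested_scopes - g.scopes).empty?
  end
end

# What the authorization endpoint should do for a request.
def authorization_decision(client:, user_id:, requested_scopes:, grants:)
  if skip_consent?(client: client, user_id: user_id,
                   requested_scopes: requested_scopes, grants: grants)
    :auto_approve
  else
    :show_consent_screen
  end
end

# Constructed sample data: one confidential web app, one public CLI app,
# and user 1 has already consented to both with the same scopes.
CONFIDENTIAL_APP = Client.new(client_id: "web-app", confidential: true)
PUBLIC_APP       = Client.new(client_id: "cli-app", confidential: false)
GRANTS = [
  Grant.new(client_id: "web-app", user_id: 1, scopes: %w[read_user api], revoked: false),
  Grant.new(client_id: "cli-app", user_id: 1, scopes: %w[read_user api], revoked: false),
  Grant.new(client_id: "web-app", user_id: 2, scopes: %w[read_user api], revoked: true)
]

if __FILE__ == $PROGRAM_NAME
  [CONFIDENTIAL_APP, PUBLIC_APP].each do |c|
    d = authorization_decision(client: c, user_id: 1,
                               requested_scopes: %w[read_user], grants: GRANTS)
    puts "#{c.client_id} (confidential=#{c.confidential}): #{d}"
  end
end
```

The public CLI client gets the consent screen even though user 1 has an identical earlier grant; the confidential web app is auto-approved only for a scope set its existing grant already covers, and a revoked grant or a request for wider scopes falls back to prompting.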