Cannot authenticate to application REST API with OAuth token when admin mode is enabled
Summary
We are currently preparing the upgrade from GitLab 15.11 to GitLab 16.3 and cannot authenticate to the application REST API with an OAuth token anymore when admin mode is enabled, e.g. to get or change application settings. When trying to do so, the answer is a 403 status code. Other REST endpoints, like the one for users, still work with OAuth.
Steps to reproduce
Enable admin mode. Then:
GITLAB_ADMIN_USERNAME=root
GITLAB_ADMIN_PASSWORD=...
GITLAB_URL=...
OAUTH_TOKEN=$(curl --fail --show-error --silent --request POST --url ${GITLAB_URL}/oauth/token --header "Content-Type: application/json" --data "{
\"grant_type\" : \"password\",
\"username\" : \"${GITLAB_ADMIN_USERNAME}\",
\"password\" : \"${GITLAB_ADMIN_PASSWORD}\"
}" | jq -r '.access_token')
curl --header "Authorization: Bearer ${OAUTH_TOKEN}" ${GITLAB_URL}/api/v4/application/settings
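An added triage helper, not part of this report or of GitLab itself, that probes the two endpoints the report contrasts with the same token and separates "token rejected everywhere (401)" from "only the admin-only endpoint returns 403". GITLAB_URL and OAUTH_TOKEN are the variables from the steps above; the endpoint lists and the verdict labels are assumptions made for this example.

```python
import os
import sys
import urllib.error
import urllib.request

# Endpoints from the report: the admin-only settings endpoint answers 403,
# while a non-admin endpoint such as /users keeps working with the same token.
ADMIN_ENDPOINTS = ("/api/v4/application/settings",)
PLAIN_ENDPOINTS = ("/api/v4/users",)


def http_status(url, token):
    """Real fetcher: GET url with a Bearer token and return the HTTP status."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe(base_url, token, fetch=http_status):
    """Return {endpoint: status} for every admin and non-admin endpoint.

    `fetch` is injectable so the logic can be exercised without a server.
    """
    base = base_url.rstrip("/")
    return {ep: fetch(base + ep, token) for ep in ADMIN_ENDPOINTS + PLAIN_ENDPOINTS}


def classify(statuses):
    """Map probe results to a verdict (labels are this example's own):
    token-invalid    -> every endpoint rejects the token (401)
    admin-mode-gated -> non-admin endpoints work, admin endpoints get 403
                        (the behaviour described in this report)
    ok               -> everything returns 2xx
    mixed            -> anything else; inspect the raw statuses
    """
    admin = [statuses[ep] for ep in ADMIN_ENDPOINTS]
    plain = [statuses[ep] for ep in PLAIN_ENDPOINTS]
    if all(s == 401 for s in admin + plain):
        return "token-invalid"
    if all(200 <= s < 300 for s in plain) and all(s == 403 for s in admin):
        return "admin-mode-gated"
    if all(200 <= s < 300 for s in admin + plain):
        return "ok"
    return "mixed"


if __name__ == "__main__":
    verdict = classify(probe(os.environ["GITLAB_URL"], os.environ["OAUTH_TOKEN"]))
    print(verdict)
    sys.exit(0 if verdict == "ok" else 1)
```

Run it with the same GITLAB_URL and OAUTH_TOKEN as the steps above; a verdict of admin-mode-gated reproduces the report, while token-invalid points at the token request instead.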
Example Project
Not needed, application-wide.
What is the current bug behavior?
403
What is the expected correct behavior?
Can use application REST endpoint.
Relevant logs and/or screenshots
The exact response to the steps to reproduce above is:
{"message":"403 Forbidden"}
Edited by Patrick Hobusch