Add Role-Based Access Control for OAuth Applications


Overview

OAuth Applications currently lack the ability to set role restrictions, unlike Project Access Tokens, which support role-based permissions. OAuth scopes such as read_api limit which kinds of operation a token may perform, but not which projects or data it can reach; that is still determined by the authorizing user's role. This creates a security gap where OAuth applications can access sensitive data beyond their intended scope, even when they only require limited API access.

Description

Problem Statement

When creating OAuth Applications in GitLab, there is no option to restrict the role/permissions level of the generated access tokens. This differs from Project Access Tokens, which allow administrators to set specific roles (like Guest, Reporter, Developer, etc.) to limit the scope of access.

Current Behavior

  • Project Access Tokens can be created with specific roles to limit permissions
  • Tokens issued to OAuth Applications act with the full permissions of the authorizing user, limited only by the requested OAuth scopes
  • High-privilege users (e.g., instance admins) who authorize an OAuth app expose everything they can access to that app

Security Implications

When provisioning OAuth applications that only need limited read_api access, the application can still access sensitive information such as:

  • Legacy CI/CD environment variables that still contain secrets
  • Private repositories and data beyond the intended scope
  • Administrative functions and settings
  • Historical data and configurations

Impact

This limitation forces organizations to either:

  1. Accept elevated security risks with over-privileged OAuth tokens
  2. Create dedicated service accounts with minimal permissions (workaround)
  3. Avoid using OAuth applications for certain integrations

Proposed Solution

Implement role-based access control for OAuth Applications similar to the existing Project Access Token functionality:

  • Add a "Role" dropdown/selection during OAuth Application creation
  • Support standard GitLab roles (Guest, Reporter, Developer, Maintainer, Owner)
  • Apply the selected role as a cap on the user's permissions for tokens issued to that specific OAuth application
  • Ensure the OAuth token respects both the application's assigned role and the user's actual permissions (whichever is more restrictive)
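
As an added illustration of the rule proposed above (not GitLab's own code), here is a small authorization model in Ruby that combines OAuth scopes with a per-application role cap and computes the effective level as the more restrictive of the cap and the user's real membership level. The access-level integers are the values GitLab uses (Guest 10, Reporter 20, Developer 30, Maintainer 40, Owner 50); the Token struct, the action table and the minimum levels in it are assumptions made for this example.

```ruby
# Added example, not GitLab's own code: a minimal model of the proposed rule
# "effective permission = the more restrictive of the app's assigned role and
# the user's actual role", next to today's behaviour (no role cap at all).
#
# The access-level integers are the ones GitLab uses (Guest 10, Reporter 20,
# Developer 30, Maintainer 40, Owner 50). The Token struct, the action table
# and the minimum levels in it are assumptions made for this illustration.

ACCESS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# Assumed minimum project role per action, and whether the action writes.
# Reading CI/CD variables is modelled as Maintainer-level; treat the exact
# table as illustrative rather than a statement of GitLab's permission matrix.
ACTIONS = {
  read_repository:    { min: ACCESS[:reporter],   write: false },
  read_ci_variables:  { min: ACCESS[:maintainer], write: false },
  write_ci_variables: { min: ACCESS[:maintainer], write: true  },
  push_code:          { min: ACCESS[:developer],  write: true  }
}.freeze

# scopes:   OAuth scopes granted to the app (e.g. %w[read_api]).
# role_cap: access-level integer chosen for the app (nil = no cap, i.e. today).
Token = Struct.new(:scopes, :role_cap, keyword_init: true)

# The user's real membership level on the project, capped by the app's role.
# A cap can only lower the level, never raise it above what the user holds.
def effective_level(user_level, token)
  return nil if user_level.nil?            # user is not a member of the project
  return user_level if token.role_cap.nil? # today's behaviour: token acts as the full user
  [user_level, token.role_cap].min
end

# OAuth scopes gate the kind of operation: read_api allows reads only,
# api allows reads and writes. Scopes say nothing about which projects
# or roles are reachable; that is what the role cap adds.
def scope_allows?(token, write)
  return true if token.scopes.include?('api')
  token.scopes.include?('read_api') && !write
end

# Both gates must pass: the scope must permit the operation type, and the
# effective (capped) role must meet the action's minimum level.
def authorized?(user_level, token, action)
  spec  = ACTIONS.fetch(action)
  level = effective_level(user_level, token)
  return false if level.nil?
  scope_allows?(token, spec[:write]) && level >= spec[:min]
end

if __FILE__ == $PROGRAM_NAME
  owner  = ACCESS[:owner]
  today  = Token.new(scopes: %w[read_api], role_cap: nil)
  capped = Token.new(scopes: %w[read_api], role_cap: ACCESS[:guest])
  puts "read_api app, no cap, authorized by an Owner: read CI variables? #{authorized?(owner, today, :read_ci_variables)}"
  puts "same app capped to Guest:                     read CI variables? #{authorized?(owner, capped, :read_ci_variables)}"
  puts "same app capped to Guest:                     read repository?   #{authorized?(owner, capped, :read_repository)}"
end
```

The first line of output reproduces the gap described in this issue: a read_api token authorized by an Owner can read CI/CD variables because nothing limits its role. The capped variants show that the cap only ever narrows access; a Developer who authorizes an app capped at Maintainer still gets Developer-level access, not Maintainer.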