Add admin OAuth limit setting
What does this MR do and why?
Implement Feature proposal: ability to prevent admins/gro... (#375043 - closed): an application setting to disallow administrator accounts from connecting OAuth applications with the scopes api, read_api, read_repository, write_repository and sudo. This feature is intended to prevent OAuth phishing of admin accounts. It does not prevent an actual connect, but an attacker isn't able to bypass the Forbidden consent screen unless they had a way to bypass our CSRF protection. This will also not prevent trusted system OAuth applications from working (e.g. GitLab Pages) as those bypass the consent screen.

Turns out I was wrong about trusted OAuth applications; this has been addressed in commit 36f7b20d.
Screenshots or screen recordings
Screenshot of the Forbidden screen for admin accounts:
How to set up and validate locally
1. Enable the feature:
   curl --header "PRIVATE-TOKEN: glpat-..." http://gdk.test:3000/api/v4/application/settings\?disable_admin_oauth_scopes=true -X PUT
2. Create an OAuth application with a scope out of api, read_api, read_repository, write_repository or sudo.
3. Try to connect the application with an admin account:
   http://gdk.test:3000/oauth/authorize?client_id=xxxx&redirect_uri=http://localhost:4567&response_type=code
4. Observe the Forbidden screen not allowing the connect.
5. Repeat step 3 with a non-admin user; that user will be able to connect.
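As an added illustration of the decision the Forbidden screen applies in steps 3 to 5 (a hypothetical Ruby sketch, not the MR's own code; the method names and the `scope` query parameter handling are assumptions), the check combines the application setting, the user's admin flag and the requested scopes:

```ruby
require 'uri'
require 'cgi'

# Scopes an administrator may not grant to an OAuth application while the
# setting is enabled (the list from the MR description).
ADMIN_RESTRICTED_SCOPES = %w[api read_api read_repository write_repository sudo].freeze

# Scopes arrive as a space-separated string; in an authorize URL the spaces are
# sent as '+' or '%20', so decode the query before splitting.
def requested_scopes(authorize_url)
  query = URI.parse(authorize_url).query.to_s
  raw = CGI.parse(query).fetch('scope', []).first.to_s
  raw.split(/[\s+]+/).reject(&:empty?).uniq
end

# Consent-screen decision: [:forbidden, offending_scopes] when the admin limit
# applies, otherwise [:allowed, []]. Non-admins and a disabled setting are
# never affected, matching step 5 above.
def admin_oauth_decision(setting_enabled:, user_admin:, scopes:)
  return [:allowed, []] unless setting_enabled && user_admin

  offending = scopes & ADMIN_RESTRICTED_SCOPES
  offending.empty? ? [:allowed, []] : [:forbidden, offending]
end

# Convenience wrapper: decision straight from an /oauth/authorize URL.
def check_authorize_request(authorize_url, setting_enabled:, user_admin:)
  admin_oauth_decision(setting_enabled: setting_enabled, user_admin: user_admin,
                       scopes: requested_scopes(authorize_url))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the authorize URL from step 3 with an added scope list.
  url = 'http://gdk.test:3000/oauth/authorize?client_id=xxxx' \
        '&redirect_uri=http://localhost:4567&response_type=code&scope=read_user+api'
  p check_authorize_request(url, setting_enabled: true, user_admin: true)  # [:forbidden, ["api"]]
  p check_authorize_request(url, setting_enabled: true, user_admin: false) # [:allowed, []]
end
```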
MR acceptance checklist
- I have evaluated the MR acceptance checklist for this MR.