
Require user consent on every OAuth public client authorization

What does this MR do and why?

Require consent for OAuth public client auth, even if user previously consented. This is necessary because OAuth public clients are inherently vulnerable to client impersonation.

Vulnerability CVE-2023-34246 was fixed upstream in Doorkeeper but remained in GitLab because GitLab overrides the `new` method of the authorizations controller. This change simply copies the upstream fix.

https://www.cve.org/CVERecord?id=CVE-2023-34246

https://github.com/doorkeeper-gem/doorkeeper/pull/1646/commits/f202079baac4c978a01ccc9a45d78fde368ac907#diff-66fc64b17118c035403fae8265f359b94d03b14e405cf6013418c6f3c83d2817

Fixes #419497 (closed)
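The consent decision described above, as an added illustration that is not GitLab's or Doorkeeper's code: a minimal model of the authorization endpoint's "skip the consent screen" check before and after the fix. The names (`Client`, `Grant`, `consent_required_*?`, the sample grants) are hypothetical; only the rule that a prior grant may be reused solely by confidential clients comes from the upstream change.

```ruby
# Hypothetical minimal model of the consent decision (not Doorkeeper's API).
Client = Struct.new(:id, :confidential, keyword_init: true)
Grant  = Struct.new(:client_id, :user_id, :scopes, keyword_init: true)

# Finds a prior grant for this client/user that already covers every requested scope.
def matching_grant(grants, client, user_id, scopes)
  grants.find do |g|
    g.client_id == client.id && g.user_id == user_id && (scopes - g.scopes).empty?
  end
end

# Vulnerable behaviour (CVE-2023-34246): any prior grant skips the consent screen,
# regardless of client type. A public client has no secret and cannot prove its
# identity, so anyone presenting the same client_id silently inherits the consent.
def consent_required_before_fix?(grants, client, user_id, scopes)
  matching_grant(grants, client, user_id, scopes).nil?
end

# Fixed behaviour: only confidential clients, which authenticate with a secret,
# may reuse a previous consent; public clients always see the consent screen.
def consent_required_after_fix?(grants, client, user_id, scopes)
  return true unless client.confidential

  matching_grant(grants, client, user_id, scopes).nil?
end

# Constructed sample data for the demonstration.
PUBLIC_CLIENT       = Client.new(id: "cli-pub",  confidential: false)
CONFIDENTIAL_CLIENT = Client.new(id: "cli-conf", confidential: true)
GRANTS = [
  Grant.new(client_id: "cli-pub",  user_id: 42, scopes: %w[read_user api]),
  Grant.new(client_id: "cli-conf", user_id: 42, scopes: %w[read_user]),
].freeze

if __FILE__ == $PROGRAM_NAME
  # Public client with a prior grant: consent was skipped before, is required now.
  puts consent_required_before_fix?(GRANTS, PUBLIC_CLIENT, 42, %w[api])            # false
  puts consent_required_after_fix?(GRANTS, PUBLIC_CLIENT, 42, %w[api])             # true
  # Confidential client with a covering grant still skips the screen after the fix.
  puts consent_required_after_fix?(GRANTS, CONFIDENTIAL_CLIENT, 42, %w[read_user]) # false
end
```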

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Vitali Tatarintev
