Require user consent on every OAuth public client authorization
What does this MR do and why?
Require consent for OAuth public client auth, even if user previously consented. This is necessary because OAuth public clients are inherently vulnerable to client impersonation.
Vulnerability CVE-2023-34246 was fixed upstream in Doorkeeper but remained in GitLab because GitLab overrides the `new` method. This change simply copies the upstream fix.
https://www.cve.org/CVERecord?id=CVE-2023-34246
Fixes #419497
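As an added example (not the MR's or Doorkeeper's own code), here is a minimal Ruby model of the decision this change affects: whether a previously granted token lets the authorization endpoint skip the consent screen. The vulnerable and fixed variants are shown side by side; client, token and scope values are constructed for the example.

```ruby
# Added example (not the MR's code): a minimal model of Doorkeeper's
# "skip the consent screen?" decision, before and after the fix that
# this MR copies from upstream. All names and values are constructed.
Client = Struct.new(:uid, :confidential, keyword_init: true)
AccessToken = Struct.new(:client_uid, :resource_owner_id, :scopes, :revoked,
                         keyword_init: true)

# A prior grant covers the request only if it belongs to the same client and
# resource owner, is still valid, and includes every requested scope.
def matching_token?(tokens, client, owner_id, scopes)
  tokens.any? do |t|
    t.client_uid == client.uid && t.resource_owner_id == owner_id &&
      !t.revoked && (scopes - t.scopes).empty?
  end
end

# Vulnerable variant: any prior consent is reused regardless of client type.
# A public client has no secret, so the server cannot tell whether the party
# presenting its client_id is the one the user consented to earlier.
def skip_consent_vulnerable?(tokens, client, owner_id, scopes)
  matching_token?(tokens, client, owner_id, scopes)
end

# Fixed variant (what the upstream fix for CVE-2023-34246 does): a prior
# consent is only honoured for confidential clients; public clients always
# see the consent screen.
def skip_consent_fixed?(tokens, client, owner_id, scopes)
  client.confidential && matching_token?(tokens, client, owner_id, scopes)
end

# Constructed sample data: one public and one confidential client, each with
# an earlier grant by user 42 for the "read_user" scope.
PUBLIC_CLIENT = Client.new(uid: "pub-123", confidential: false)
CONFIDENTIAL_CLIENT = Client.new(uid: "conf-456", confidential: true)
TOKENS = [
  AccessToken.new(client_uid: "pub-123", resource_owner_id: 42,
                  scopes: ["read_user"], revoked: false),
  AccessToken.new(client_uid: "conf-456", resource_owner_id: 42,
                  scopes: ["read_user"], revoked: false),
]
```

With this data the vulnerable check skips consent for the public client, while the fixed check skips it only for the confidential client and still re-prompts when scopes or the resource owner differ.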
How to set up and validate locally
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Vitali Tatarintev