Token prefixes: Add support for oauth application secrets

What does this MR do and why?

This MR adds support for instance-wide token prefixes to OAuth application secrets.

Instance-wide token prefixes were added with !179852 (merged).

The new prefix format is: #{instance_prefix}#{token_type_prefix}. E.g. for incoming mail tokens, we'd get: #{instance_prefix}gloas-. By default, this is the current token prefix gloas-. However, we can now customize the instance prefix to create a new prefix: mycompanynamegloas-.

With this custom prefix, it is easier to identify leaked tokens, because we can now skip all leaked tokens that start with gloas. Now, we only need to look at tokens starting with mycompanynamegloas-.

🛠️ with ❤️ at Siemens

References

How to set up and validate locally

  1. Enable the feature flag via rails c:
     Feature.enable(:custom_prefix_for_all_token_types)
  2. Generate a new application at https://gdk.test:3443/oauth/applications. The name can be anything; as the URL you can use http://localhost
  3. Now, change the instance-wide token prefix: Admin area > General > Account and limit > Instance token prefix, e.g. to mycustomprefix
  4. Renew the token of the application. You should now see a new, prefixed token.

MR acceptance checklist

MR Checklist ( @nwittstruck)

Related to #388379

Edited by Nicholas Wittstruck
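
The leak-triage benefit described in the MR text, as an added example that is not part of this MR or of GitLab's code: it sorts secret-scanner hits by the instance prefix in front of gloas-. The token body pattern, the `triage` and `redact` helpers and the sample lines are assumptions constructed for illustration.

```ruby
# Added example (not GitLab code): triage leaked-token hits by instance prefix.
TOKEN_TYPE_PREFIX = 'gloas-' # token type prefix shown in the MR description

# Assumptions: the instance prefix is made of word characters, and the secret
# body is at least 20 word/dash characters. The real format may differ.
CANDIDATE = /(?<![A-Za-z0-9_])([A-Za-z0-9_]*)#{Regexp.escape(TOKEN_TYPE_PREFIX)}([A-Za-z0-9_-]{20,})/

# Keep only the prefix so triage output never repeats the secret itself.
def redact(token)
  cut = token.index(TOKEN_TYPE_PREFIX) + TOKEN_TYPE_PREFIX.length
  "#{token[0, cut]}[REDACTED]"
end

# Sort hits into tokens issued by our instance (:ours), tokens carrying a
# different instance prefix (:other), and hits we cannot attribute because
# our instance still uses the default, empty prefix (:ambiguous).
def triage(text, instance_prefix)
  hits = { ours: [], other: [], ambiguous: [] }
  text.scan(CANDIDATE) do |lead, _body|
    bucket = if lead != instance_prefix then :other
             elsif instance_prefix.empty? then :ambiguous
             else :ours
             end
    hits[bucket] << redact(Regexp.last_match(0))
  end
  hits
end

# Constructed sample input; none of these are real secrets.
SAMPLE = <<~LEAK
  config.yml: client_secret: mycompanynamegloas-0123456789abcdef0123456789abcdef
  paste.txt: secret=gloas-fedcba9876543210fedcba9876543210
  notes.md: othercorpgloas-00112233445566778899aabbccddeeff
  readme: the gloas- prefix marks OAuth application secrets
LEAK

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE, 'mycompanyname').each { |bucket, tokens| puts "#{bucket}: #{tokens.inspect}" }
end
```

With the default (empty) instance prefix, a bare gloas- hit lands in :ambiguous, which is the case the custom prefix removes.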
