Disable ROPC for new OAuth applications on SaaS

What does this MR do and why?

For SaaS, disable ROPC (the OAuth 2.0 Resource Owner Password Credentials grant) for new OAuth applications based on a feature flag. ROPC can be abused, and while we want to fully deprecate the feature on SaaS, we also don't want to break existing workflows. This strikes a balance.

References

Screenshots or screen recordings

How to set up and validate locally

  1. Migrate the database.
  2. Simulate SaaS.
  3. Enable the feature flag in the Rails console:

         Feature.enable(:disable_ropc_for_new_applications)

  4. Create a new OAuth application in Admin area > Applications. It should have ropc_enabled set to false automatically.
  5. Test the OAuth password grant flow. With the above configuration, it should fail with Error: unauthorized_client, Description: The client is not authorized to perform this request using this method.
  6. Disable the feature flag and/or turn off SaaS simulation mode. The OAuth password grant flow should now work.
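The following is a constructed Ruby sketch of the gating logic the validation steps exercise; it is not the MR's diff or GitLab's code. The Feature store, the Gitlab.saas? toggle (standing in for "simulate SaaS") and the OauthApplication model are simplified stand-ins; only the flag name, the ropc_enabled column and the error text come from the MR.

```ruby
# Constructed illustration of the gating logic described in this MR, not
# GitLab's own code: Feature, the SaaS toggle and the model are stand-ins.

# Feature-flag store (the real one is DB/Redis backed; this is a Hash).
module Feature
  @enabled = {}
  def self.enable(name);   @enabled[name] = true;  end
  def self.disable(name);  @enabled[name] = false; end
  def self.enabled?(name); @enabled.fetch(name, false); end
end

# Hypothetical toggle standing in for "simulate SaaS" (assumption).
module Gitlab
  @saas = false
  def self.simulate_saas!(on); @saas = on; end
  def self.saas?; @saas; end
end

# Minimal OAuth application record carrying the ropc_enabled column.
class OauthApplication
  attr_reader :name, :ropc_enabled

  # New applications default to ropc_enabled = false only when both the SaaS
  # condition and the feature flag hold; otherwise the legacy default (true)
  # applies so existing workflows are not broken.
  def self.default_ropc_enabled
    !(Gitlab.saas? && Feature.enabled?(:disable_ropc_for_new_applications))
  end

  def initialize(name, ropc_enabled: self.class.default_ropc_enabled)
    @name = name
    @ropc_enabled = ropc_enabled
  end
end

# Doorkeeper-style error body the token endpoint returns for a refused
# password grant (text as quoted in the MR's validation steps).
UNAUTHORIZED_CLIENT = {
  error: 'unauthorized_client',
  error_description: 'The client is not authorized to perform this request using this method.'
}.freeze

# Token endpoint gate: only the password (ROPC) grant is affected; other grant
# types pass through. Credential verification itself is out of scope here.
def authorize_grant(app, grant_type)
  return :ok unless grant_type == 'password'
  app.ropc_enabled ? :ok : UNAUTHORIZED_CLIENT
end
```

Applications created before the flag is enabled keep ropc_enabled = true, which is why step 6 (and any pre-existing integration) continues to work while new applications are refused.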

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Drew Blessing
