Update Oauth token hashing strategies (!202186) · Merge requests · GitLab.org / GitLab

What does this MR do and why?

The changes modify how OAuth tokens and secrets are stored and validated, including FIPS mode support and fallback strategies. SHA512 is now used for application secrets instead of PBKDF2, and fallback strategies are adjusted for FIPS compliance.

This MR

Swap application secret hashing mechanism to SHA512
Remove SHA512 as the fallback mechanism which was added as the temporary transition mechanism
Skip PBKDF2 fallback when FIPS mode enabled.

References

Fixes #551169 (closed) and #548736 (closed)
Revert MR due the bug in fallback mechanism: !202215 (merged)
MR which fixes fallback: !202322 (merged)
Incident: https://app.incident.io/gitlab/incidents/3403

Screenshots or screen recordings

Before	After

How to set up and validate locally

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited Aug 26, 2025 by Aboobacker MK

Update Oauth token hashing strategies

What does this MR do and why?

References

Screenshots or screen recordings

How to set up and validate locally

MR acceptance checklist

Merge request reports