Remove `disable_ropc_for_new_applications` feature flag
What does this MR do and why?
- Remove the `disable_ropc_for_new_applications` feature flag
- Result:
  - In any EE environment where the feature is available, new `Doorkeeper::Application`s get `ropc_enabled=false`.
  - In other environments, new `Doorkeeper::Application`s continue to get `ropc_enabled=true`.
This aligns with the intended functionality, where ROPC is disabled for all new OAuth apps on GitLab.com.
References
- FF issue: #545459 (closed)
- Original MR: !192410 (merged)
- Follow-up MR to remove `disable_ropc_for_all_applications`: !205939 (merged)
How to set up and validate locally
- Simulate SaaS
- Create a new OAuth application: Admin area --> Applications
- In a Rails console, observe the new application got `ropc_enabled=false`:

```
gdk rails c
> Doorkeeper::Application.last
...
```

- Test the OAuth password grant flow, observe you get an HTTP 401 response:

```shell
echo "grant_type=password&username=<your_username>&password=<your_password>" > auth.txt
curl --data "@auth.txt" --user <oauth_application_id>:<oauth_application_secret> --request POST "https://<your_gdk_url>/oauth/token"
```

```json
{"error":"unauthorized_client","error_description":"The client is not authorized to perform this request using this method."}
```
This confirms the functionality to disable ROPC for new apps works without the new feature flag.
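The manual curl check above can be scripted so the same probe is repeatable against any token endpoint. The following is an added example, not code from this MR or from GitLab/Doorkeeper: it sends the RFC 6749 password grant with HTTP Basic client authentication (the same request the curl line makes) and classifies the response. The `classify_ropc_response` and `probe_ropc` names, and the assumption that an `unauthorized_client` error with HTTP 401 means ROPC is disabled for the app (while `invalid_grant` means ROPC is enabled but the user credentials were rejected), are this example's own; the token URL, client ID/secret and user credentials are supplied as arguments.

```ruby
# Added example (not GitLab or Doorkeeper code): probe an OAuth 2.0 token
# endpoint with the Resource Owner Password Credentials (ROPC) grant and report
# whether the application has ROPC disabled, mirroring the curl check above.
require 'net/http'
require 'uri'
require 'json'

# Classify a token-endpoint response by status code and OAuth error code.
# Per RFC 6749 section 5.2 a client that may not use a grant type receives
# `unauthorized_client`; Doorkeeper returns that with HTTP 401 when the
# application's ropc_enabled flag is false. The other branches distinguish
# "ROPC allowed but credentials wrong" from "ROPC blocked" so a wrong password
# is not misread as the feature working. The mapping is this example's assumption.
def classify_ropc_response(status, body)
  json = begin
    JSON.parse(body)
  rescue JSON::ParserError
    {}
  end

  if status == 200 && json['access_token']
    :ropc_allowed            # grant succeeded: ROPC is enabled for this app
  elsif status == 401 && json['error'] == 'unauthorized_client'
    :ropc_disabled           # the expected outcome for a new app after this MR
  elsif status == 401 && json['error'] == 'invalid_client'
    :bad_client_credentials  # wrong application id/secret, says nothing about ROPC
  elsif status == 400 && json['error'] == 'invalid_grant'
    :bad_user_credentials    # ROPC is enabled but username/password were rejected
  else
    :unexpected
  end
end

# Perform the password grant against `token_url` (e.g. https://<gdk>/oauth/token)
# using HTTP Basic client authentication, exactly as the curl invocation does.
def probe_ropc(token_url, client_id, client_secret, username, password)
  uri = URI(token_url)
  req = Net::HTTP::Post.new(uri)
  req.basic_auth(client_id, client_secret)
  req.set_form_data('grant_type' => 'password',
                    'username' => username,
                    'password' => password)
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
    http.request(req)
  end
  classify_ropc_response(res.code.to_i, res.body)
end

# Usage: ruby ropc_probe.rb TOKEN_URL CLIENT_ID CLIENT_SECRET USERNAME PASSWORD
if ARGV.length == 5
  puts probe_ropc(*ARGV)
end
```

Run it against a freshly created application and expect `ropc_disabled`; run it against an application created before this change (or one with `ropc_enabled` set to true in the console) to confirm the probe reports `ropc_allowed` or `bad_user_credentials` rather than `ropc_disabled`, which shows the check is actually distinguishing the grant policy from a credential failure.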
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #545459 (closed)
Edited by Jason Knabl