Remove `disable_ropc_for_all_applications` feature flag
What does this MR do and why?
- Remove the `disable_ropc_for_all_applications` feature flag
- The flag has been at 100% in `gprd` since Sep. 12 with no issues (#566300 (closed), https://gitlab.com/gitlab-com/gl-infra/feature-flag-log/-/issues/48739)
- Result:
  - In any EE environment where the feature is available, ROPC requests are globally disabled
  - In other environments, ROPC is not globally disabled
This aligns with the intended functionality: OAuth ROPC flow is disabled globally on GitLab.com.
References
- FF issue: #566300 (closed)
- Original MR: !203145 (merged)
How to set up and validate locally
- Simulate SaaS
- Create an OAuth application via Admin area --> Applications
- Test the OAuth password grant flow and observe that you get an HTTP 401 response:

```shell
echo "grant_type=password&username=<your_username>&password=<your_password>" > auth.txt
curl --data "@auth.txt" --user <oauth_application_id>:<oauth_application_secret> --request POST "https://<your_gdk_url>/oauth/token"
```

Response body:

```json
{"error":"unauthorized_client","error_description":"The client is not authorized to perform this request using this method."}
```
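The validation step above, scripted as an added example (this is not GitLab's own code): it posts the same password grant the curl command sends and classifies the reply, so the check that ROPC stays refused can be re-run after the flag removal. The token URL, application id/secret and the injectable `transport` hook are assumptions; the canned replies used below are constructed so the logic runs offline.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


def http_transport(url, headers, body):
    """POST with urllib; return (status, body_text) and treat 4xx/5xx as data, not exceptions."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify_ropc_response(status, body_text):
    """Turn the token endpoint's reply into a verdict on the password grant.

    "disabled": 401 with error=unauthorized_client (the expected result after this MR)
    "enabled":  200 carrying an access_token (ROPC still works, which is a finding)
    "other":    anything else (bad credentials, misconfigured app, server error, ...)
    """
    try:
        payload = json.loads(body_text) if body_text else {}
    except json.JSONDecodeError:
        payload = {}
    if not isinstance(payload, dict):
        payload = {}
    if status == 401 and payload.get("error") == "unauthorized_client":
        return "disabled"
    if status == 200 and "access_token" in payload:
        return "enabled"
    return "other"


def probe_ropc(token_url, app_id, app_secret, username, password, transport=http_transport):
    """Send the same password grant as the curl command above; `transport` is injectable for testing."""
    creds = base64.b64encode(f"{app_id}:{app_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    form = urllib.parse.urlencode({"grant_type": "password",
                                   "username": username, "password": password}).encode()
    status, body = transport(token_url, headers, form)
    return classify_ropc_response(status, body)
```

Run `probe_ropc("https://<your_gdk_url>/oauth/token", app_id, app_secret, user, pw)` against a live GDK; anything but `"disabled"` means the flow is not refused as this MR intends.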
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #566300 (closed)
Edited by Jason Knabl