Enable PKCE OAuth flow
What does this MR do?
This MR enables the OAuth Proof Key for Code Exchange (PKCE) flow. It was introduced in 2015 as way to allow secure code exchange for mobile apps. It's the preferred alternative to the Implicit flow which is deprecated in the next OAuth version that's currently still in draft.
Closes #216877 (closed)
Database migration
Migration upgrade output
== 20201209163958 AddCodeChallengeToOauthAccessGrants: migrating ==============
-- add_column(:oauth_access_grants, :code_challenge, :text, {:null=>true})
-> 0.0010s
-- transaction_open?()
-> 0.0000s
-- current_schema()
-> 0.0002s
-- execute("ALTER TABLE oauth_access_grants\nADD CONSTRAINT oauth_access_grants_code_challenge\nCHECK ( char_length(code_challenge) <= 128 )\nNOT VALID;\n")
-> 0.0025s
-- current_schema()
-> 0.0002s
-- execute("SET statement_timeout TO 0")
-> 0.0002s
-- execute("ALTER TABLE oauth_access_grants VALIDATE CONSTRAINT oauth_access_grants_code_challenge;")
-> 0.0006s
-- execute("RESET ALL")
-> 0.0002s
-- add_column(:oauth_access_grants, :code_challenge_method, :text, {:null=>true})
-> 0.0006s
-- transaction_open?()
-> 0.0000s
-- current_schema()
-> 0.0002s
-- execute("ALTER TABLE oauth_access_grants\nADD CONSTRAINT oauth_access_grants_code_challenge_method\nCHECK ( char_length(code_challenge_method) <= 5 )\nNOT VALID;\n")
-> 0.0003s
-- current_schema()
-> 0.0002s
-- execute("ALTER TABLE oauth_access_grants VALIDATE CONSTRAINT oauth_access_grants_code_challenge_method;")
-> 0.0004s
== 20201209163958 AddCodeChallengeToOauthAccessGrants: migrated (0.0152s) =====
Migration downgrade output
== 20201209163958 AddCodeChallengeToOauthAccessGrants: reverting ==============
-- remove_column(:oauth_access_grants, :code_challenge)
-> 0.0020s
-- remove_column(:oauth_access_grants, :code_challenge_method)
-> 0.0005s
== 20201209163958 AddCodeChallengeToOauthAccessGrants: reverted (0.0026s) =====
Screenshots (strongly suggested)
There's nothing that can be visually observed in this MR.
Does this MR meet the acceptance criteria?
Conformity
-
Changelog entry -
Documentation (if required) -
Code review guidelines -
Merge request performance guidelines -
Style guides -
Database guides -
Separation of EE specific content
Availability and Testing
-
Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process. -
Tested in all supported browsers -
Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
-
Label as security and @ mention @gitlab-com/gl-security/appsec
-
The MR includes necessary changes to maintain consistency between UI, API, email, or other methods -
Security reports checked/validated by a reviewer from the AppSec team
Edited by Dominic Couture