Skip to content

GitLab Next

Why GitLab
Pricing
Contact Sales
Explore

Sign in
Get free trial

Draft: Document GitLab Pages automatically added as trusted application

Review changes
Download
Patches
Plain diff

Mark Florian requested to merge markrian-master-patch-99803 into master Apr 14, 2021

Overview 6
Commits 1
Pipelines 2
Changes 1

What does this MR do?

This MR attempts to document the fact that GitLab Pages can appear as a trusted application in https://gitlab.com/-/profile/applications, even though the user didn't authorise it directly themselves.

There was n internal discussion that lead to this:

@markrian I spotted that I did have a GitLab Pages app, which was authorised about an hour ago. I definitely didn't authorise anything in the last hour. As a precaution, I revoked it, but I have no idea how it got there. Is it perhaps just how GitLab Pages works, or something...?

@lienvdsteen same for me! also revoked it and i was like oh no was this a test by security to see if I would just click any link (edited)

@joernchen AFAIK the Gitlab pages app is used internally to grant access to protected pages sites. It should be a trusted application which will not show the authorization step but automatically approve

@joernchen https://docs.gitlab.com/ee/integration/oauth_provider.html#instance-wide-applications < see here

@markrian Well, that's a relief! Still, it's a little bit scary. Should this be documented explicitly, perhaps? That is, that GitLab has some hard-coded, pre-trusted apps, like GitLab Pages? (edited)

@joernchen Good point. I think the most usable thing would be section somewhere under https://gitlab.com/help/instance_configuration to show the trusted oauth apps

Notes

This general problem is already discussed to some degree in #229792 and #8081.

It was initially suggested by @joernchen to document this in https://gitlab.com/help/instance_configuration#gitlab-pages, but looking further into this, I'm not sure that's the right place, since trusting GitLab Pages seems to be dynamic, per-user behaviour rather instance-wide.

As far as I can tell, there's one brief mention of a possible link between GitLab Pages and trusted applications.

Screenshots (strongly suggested)

n/a

Does this MR meet the acceptance criteria?

Conformity

📋 Does this MR need a changelog?
- I have included a changelog entry.
- I have not included a changelog entry because _____.
Documentation (if required)
Code review guidelines
Merge request performance guidelines
Style guides
Database guides
Separation of EE specific content

Availability and Testing

Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
Tested in all supported browsers
Informed Infrastructure department of a default or new setting change, if applicable per definition of done

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

Label as security and @ mention @gitlab-com/gl-security/appsec
The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
Security reports checked/validated by a reviewer from the AppSec team

Edited Apr 14, 2021 by Mark Florian

Merge request reports

Assignee

Reviewers

Request review from

Time tracking