
OAuth access token hashing

Drew Blessing requested to merge dblessing_encrypt_tokens into master

What does this MR do and why?


Fixes https://gitlab.com/gitlab-org/gitlab/-/issues/364110

Enables hashing of OAuth access tokens. This includes a fallback mechanism so existing tokens continue to work. The user experience is essentially the same.

Inline comments will help explain things where needed. The actual change was pretty small, but the spec touch points were vast.

Screenshots or screen recordings


How to set up and validate locally

  1. Open a Rails console: bundle exec rails console
  2. Enable the feature flag: Feature.enable(:hash_oauth_tokens)
  3. Sign in to GDK or other instance as admin
  4. Go to Admin area -> Application and create a new application.
    • Hint: You can use something like https://google.com as your Redirect URI for testing purposes.
    • Rest of the steps assume 'api' scope but it's not explicitly necessary.
  5. Build an authorization code URL: https://gdk.test:3443/oauth/authorize?client_id=<client_id>&redirect_uri=https://google.com&response_type=code&state=STATE&scope=api replacing the client_id value with the Application ID.
  6. Paste the above URL in a browser where you're already signed in to GDK. This should ask if you want to authorize the application and once authorized will redirect you to https://google.com with a code param appended. Grab this code.
  7. Back in the Rails console, build a parameter string (press enter after to set the variable) - parameters = 'client_id=<client_id>&client_secret=<secret>&code=<code_from_previous_step>&grant_type=authorization_code&redirect_uri=https://google.com'
  8. Execute the request to get a token - response = RestClient.post 'https://gdk.test:3443/oauth/token', parameters
  9. Get the response body which should include an OAuth access token. This confirms the OAuth application token request cycle worked correctly - response.body
  10. Use the access_token value from the response body to authenticate to the API (exit the Rails console first, or use another terminal window): curl "https://gdk.test:3443/api/v4/projects?access_token=<access_token>"

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Drew Blessing
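The hash-then-fallback lookup this MR describes, as an added illustrative example (not the MR's, GitLab's or Doorkeeper's code): a small in-memory Ruby model of an access-token table that persists only the SHA-256 digest of newly issued tokens while still accepting tokens that were stored in plaintext before the change. The class, column names, the `hashing:` keyword standing in for the `hash_oauth_tokens` feature flag, and the optional rehash-on-use upgrade are all assumptions made for this illustration; the constant-time comparison is a general precaution, not something the MR states.

```ruby
require 'digest'
require 'securerandom'

# Illustrative in-memory model of an OAuth access-token table (added example,
# not GitLab's or Doorkeeper's code). Each row keeps the stored secret and a
# flag saying whether that secret is a SHA-256 digest (new rows) or the
# plaintext token (rows written before hashing was enabled).
class TokenStore
  attr_reader :rows

  def initialize
    @rows = []
  end

  # The only thing persisted for a token issued with hashing on.
  def self.digest(plain)
    Digest::SHA256.hexdigest(plain)
  end

  # Issue a token. `hashing: false` models the feature flag being off:
  # the plaintext lands in the table, as it did before this change.
  # The plaintext is returned to the client exactly once either way.
  def issue(hashing: true)
    plain = SecureRandom.hex(32)
    @rows << { token: hashing ? self.class.digest(plain) : plain, hashed: hashing }
    plain
  end

  # Authenticate a presented token. The digest is tried first (the new format);
  # if nothing matches, fall back to the legacy plaintext rows so tokens issued
  # before the change keep working. With `upgrade_legacy: true` a row matched
  # via the fallback is rewritten as a digest, so the plaintext copy disappears
  # the first time the token is used again (an assumed extension, not in the MR).
  def find(plain, upgrade_legacy: false)
    digest = self.class.digest(plain)
    row = @rows.find { |r| r[:hashed] && secure_compare(r[:token], digest) }
    row ||= @rows.find { |r| !r[:hashed] && secure_compare(r[:token], plain) }
    return nil if row.nil?

    if upgrade_legacy && !row[:hashed]
      row[:token] = digest
      row[:hashed] = true
    end
    row
  end

  # Number of rows that would still yield a usable token if the table were dumped.
  def plaintext_count
    @rows.count { |r| !r[:hashed] }
  end

  private

  # Constant-time string comparison, so lookup time does not depend on how many
  # leading bytes of a guessed token are correct.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    res = 0
    a.bytes.zip(b.bytes) { |x, y| res |= x ^ y }
    res.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  store = TokenStore.new
  legacy = store.issue(hashing: false)   # issued before the flag was enabled
  fresh  = store.issue                    # issued after
  puts "rows before use: #{store.plaintext_count} plaintext of #{store.rows.size}"
  puts "fresh token accepted:  #{!store.find(fresh).nil?}"
  puts "legacy token accepted: #{!store.find(legacy, upgrade_legacy: true).nil?}"
  puts "rows after use:  #{store.plaintext_count} plaintext of #{store.rows.size}"
end
```

The point to check in a review of the real change is the order of the two lookups and what the fallback costs: the digest lookup is the hot path and must hit an index, the plaintext lookup only runs on a miss, and as long as legacy rows exist a database dump still contains usable tokens for those rows. Rehashing on use (or a one-off migration) is how that exposure window gets closed.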
