Allow users to require demonstrated proof of possession for Personal Access Tokens
This epic coordinates the work required to contribute a new `Demonstrated Proof of Possession (DPoP)` feature to GitLab. It will first be implemented at the user-level as an opt-in way to restrict the way Personal Access Tokens can be used. :arrow_forward: :arrow_forward: **Recommended Reading** [Security Architecture Blueprint for "Sender Constraining Personal Access Tokens"](https://gitlab.com/gitlab-com/gl-security/product-security/appsec/security-feature-blueprints/-/blob/main/sender_constraining_access_tokens/index.md?ref_type=heads) :arrow_backward: :arrow_backward: > [DPoP is] a mechanism to sender-constrain Personal Access Tokens (PATs) via a proof-of-possession mechanism at the application level, using SSH keys (public/private key pairs) a user would already be using with GitLab. ... it binds the PAT to a user's SSH public key and thereby requiring attackers to prove possession of the corresponding SSH private key when using the PAT. This constrains the PAT to the user who generated it, as only they have access to their SSH private key ... > > We take inspiration from [RFC 9449: Demonstrating Proof of Possession (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html) in solving this problem. While RFC 9449 describes the DPoP mechanism to sender-constrain OAuth 2.0 access tokens, the DPoP mechanism in principle, will apply to PATs as well. ... ### Implementation plan 1. [x] An MR that does the database migration + user model updates. - https://gitlab.com/gitlab-org/gitlab/-/merge_requests/162790+ 1. Introduce DPoP Authentication service & supporting class(es), behind a default disabled FF - https://gitlab.com/gitlab-org/gitlab/-/issues/480638+ 1. Enforce DPoP in the GraphQL and REST APIs - https://gitlab.com/gitlab-org/gitlab/-/issues/425130+ 1. Introduce UI for configuring DPoP: `issue to be created` 1. Add documentation: `issue to be created` 1. Add analytics instrumentation so we can track this feature. (Doesn't need to block rolling out the FF, but would provide a more complete picture if it is). Ideas: 1. Track enabling & disabling DPoP 2. Tracking in DPoP verification to count success vs. failure 1. Roll out the feature flag - https://gitlab.com/gitlab-com/gl-infra/production/-/issues/17713+ 1. Identify other places PATs are used and create issues to enforce DPoP there, too 1. Feature awareness efforts: 1. Internally: developers 2. Externally: blog, in-app banners, talking to sales or specific customers
epic