Add subscopes to GitLab API

During a discussion in slack with @winh, we noticed that there aren't any API subscopes in GitLab. This is a potential security risk because if a gitlabber authorized his/her account using SSO to another website or service that was malicious, we could be exposing confidential gitlab data to a third party.

We should add subscopes that allow basic authentication and nothing else (similar to what Facebook and twitter do)

/cc @mydigitalself @briann

We should add subscopes that allow basic authentication and nothing else

@ClemMakesApps I'm sorry, I misstated that: We have different scopes:

There is just no way to require only part of the API.

added ~13884 feature proposal labels

Ah I see, so this doesn't seem as much of a security risk

I guess stackshare.io should only be doing read_user instead of api?

I guess stackshare.io should only be doing read_user instead of api?

I guess so, too. But many API endpoints also require authentication for read-only access to public data. For example merge requests (https://gitlab.com/gitlab-org/gitlab-ce/issues/35290) and issues (and I believe there are more). So maybe stackshare had no choice.

Why would stackshare need access to MRs and issues

I don't know what they need access to, those where just examples.

There is a larger issue for this, I think. It's something that's a long time coming.

added Platform label

mentioned in issue #36654

changed milestone to %Next 3-6 months