#20628 Enable implicit flow in Gitlab as OAuth Provider
What does this MR do?
Enables implicit flow in Gitlab as OAuth provider.
Why was this MR needed?
This will enable users to use Gitlab OAuth provider for user-agent-based application (e.g. running on GitLab Pages).
Does this MR meet the acceptance criteria?
- Changelog entry added, if necessary
- Documentation created/updated
- API support added
- Tests
  - Added for this feature/bug - _I'm not sure if this can be unit-tested, application for manual tests provided_
  - All builds are passing
- Conform by the merge request performance guides
- Conform by the style guides
- Branch has no merge conflicts with master (if it does - rebase it please)
- Squashed related commits together
What are the relevant issue numbers?
Closes #20628 (closed) - Enable OAuth Implicit Grant, with that enabled it also resolves #2716 (closed) and #19470 (closed) as all the browser clients can apply best practices that don't require CORS for `/oauth/token`.
I followed up the work done by @medokin (kudos) in !6078 (closed), rebased and added some documentation.
Simple Angular app for oauth testing can be found at empe/gitlab-implicit-grant-demo.
Concerns:
- Commit 5194214e disabled TTL on tokens - the whole point of using access tokens is their limited timespan. Are there any arguments not to limit the token TTLs to at least one week?
- As an OAuthProvider client in most cases I'm only interested in user authentication, but it seems that when using implicit flow and obtaining identity via the `/api/v4/user` endpoint requires the `api` scope, which is overkill for most non-GitLab-related apps. Wouldn't `read_user` be sufficient?
Edited by username-removed-1407801
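The two concerns above (tokens without a TTL, and a user-agent-based client that only needs identity) are both things the browser client has to deal with once it receives the implicit-grant redirect. The following is an added example, not code from this MR, from GitLab, or from the linked demo app: it parses the URL fragment a user-agent-based client gets back after `/oauth/authorize` with `response_type=token`, rejects redirects whose `state` does not match the value the app stored before redirecting (CSRF / replay protection), records the `expires_in` deadline when the server sends one, and applies a client-side maximum lifetime (the one-week figure from the MR's question is used as the assumed default) so that a token issued without a TTL is not kept in the browser indefinitely. The fragment parameter names (`access_token`, `token_type`, `expires_in`, `state`, `scope`, `error`) are the standard OAuth 2.0 ones; the sample URLs and state values are constructed for the illustration.

```javascript
// Added example (not part of the MR or of GitLab): client-side handling of an
// OAuth 2.0 implicit-grant redirect. The redirect URL and state values below are
// constructed test data.

// Parse "#access_token=...&token_type=bearer&expires_in=7200&state=..." into a
// plain object. Returns {} when the URL carries no fragment at all.
function parseFragment(redirectUrl) {
  const hashIndex = redirectUrl.indexOf('#');
  if (hashIndex === -1) return {};
  const params = new URLSearchParams(redirectUrl.slice(hashIndex + 1));
  return Object.fromEntries(params.entries());
}

// Validate the redirect before trusting the token:
//  - an "error" parameter means the authorization server refused;
//  - "state" must equal the value the app generated (with a CSPRNG, e.g.
//    crypto.getRandomValues in the browser) and stored before redirecting;
//  - only bearer tokens are understood;
//  - "expires_in" (seconds) becomes an absolute deadline in milliseconds, or
//    null when the server did not send a TTL.
function acceptImplicitRedirect(redirectUrl, expectedState, now = Date.now()) {
  const p = parseFragment(redirectUrl);
  if (p.error) {
    return { ok: false, reason: `authorization server returned error: ${p.error}` };
  }
  if (!p.state || !expectedState || p.state !== expectedState) {
    return { ok: false, reason: 'state mismatch: possible CSRF or replayed redirect' };
  }
  if (!p.access_token) {
    return { ok: false, reason: 'no access_token in fragment' };
  }
  if ((p.token_type || '').toLowerCase() !== 'bearer') {
    return { ok: false, reason: `unsupported token_type: ${p.token_type}` };
  }
  const expiresIn = Number(p.expires_in);
  const expiresAt =
    Number.isFinite(expiresIn) && expiresIn > 0 ? now + expiresIn * 1000 : null;
  return {
    ok: true,
    token: p.access_token,
    issuedAt: now,
    expiresAt,
    scope: p.scope || null, // granted scope as reported by the server, if any
  };
}

// Decide whether a stored session token may still be used. When the server
// sent no TTL (the situation the MR raises for commit 5194214e), the client
// enforces its own maximum lifetime; one week is the assumed default here.
function tokenUsable(session, now = Date.now(), maxLifetimeMs = 7 * 24 * 3600 * 1000) {
  if (!session || !session.token) return false;
  const deadline =
    session.expiresAt !== null && session.expiresAt !== undefined
      ? session.expiresAt
      : session.issuedAt + maxLifetimeMs;
  return now < deadline;
}

// Stand-alone demonstration with a constructed redirect URL.
function demo() {
  const storedState = 'c0nstructed-state-value';
  const redirect =
    'https://app.example/callback#access_token=EXAMPLE_TOKEN' +
    '&token_type=bearer&expires_in=7200&state=' + storedState + '&scope=read_user';
  const session = acceptImplicitRedirect(redirect, storedState, 1_000_000);
  console.log(session);
  console.log('usable now:', tokenUsable(session, 1_000_000));
  console.log('usable after 3h:', tokenUsable(session, 1_000_000 + 3 * 3600 * 1000));
}

if (typeof require !== 'undefined' && require.main === module) demo();

module.exports = { parseFragment, acceptImplicitRedirect, tokenUsable };
```

In a real client the `expectedState` value is read back from `sessionStorage` (where it was placed before the redirect) and cleared once consumed, so the same redirect cannot be accepted twice; the `scope` field returned here is what lets the app confirm it received only the scope it asked for, which is the `read_user` versus `api` question the MR raises.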