Skip to content

G
gitlab-ce
Commit adef7c03 authored by Mike Jang's avatar Mike Jang
Browse files
Options

Merge branch 'Gui13-master-patch-13918' into 'master' 

Update OAuth 2 doc, w/r/t the `redirect_uri`

See merge request gitlab-org/gitlab!45470
parents 1dbb9c8a f08520a3
Hide whitespace changes
Inline Side-by-side
Showing with 25 additions and 6 deletions
doc/api/oauth2.md
View file @ adef7c03
---
type: reference, howto
stage: Manage
group: Access
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technica l-writing/#designated-technical-writers
---
# GitLab as an OAuth2 provider # GitLab as an OAuth2 provider
This document covers using the [OAuth2](https://oauth.net/2/) protocol to allow This document covers using the [OAuth2](https://oauth.net/2/) protocol to allow
...@@ -28,12 +35,24 @@ During registration, by enabling proper scopes, you can limit the range of ...@@ -28,12 +35,24 @@ During registration, by enabling proper scopes, you can limit the range of
resources which the `application` can access. Upon creation, you'll obtain the resources which the `application` can access. Upon creation, you'll obtain the
`application` credentials: _Application ID_ and _Client Secret_ - **keep them secure**. `application` credentials: _Application ID_ and _Client Secret_ - **keep them secure**.
CAUTION: **Important:** ### Prevent CSRF attacks
OAuth specification advises sending the `state` parameter with each request to
`/oauth/authorize`. We highly recommended sending a unique value with each request To [protect redirect-based flows](https://tools.ietf.org/id/draft-ietf-oauth-security-topics-13.html#rec_redirect),
and validate it against the one in the redirect request. This is important in the OAuth specification recommends the use of "One-time use CSRF tokens carried in the state
order to prevent [CSRF attacks](https://wiki.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)). parameter, which are securely bound to the user agent", with each request to the
The `state` parameter really should have been a requirement in the standard! `/oauth/authorize` endpoint. This can prevent
[CSRF attacks](https://wiki.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).
### Use HTTPS in production
For production, please use HTTPS for your `redirect_uri`.
For development, GitLab allows insecure HTTP redirect URIs.
As OAuth2 bases its security entirely on the transport layer, you should not use unprotected
URIs. For more information, see the [OAuth 2.0 RFC](https://tools.ietf.org/html/rfc6749#section-3.1.2.1)
and the [OAuth 2.0 Threat Model RFC](https://tools.ietf.org/html/rfc6819#section-4.4.2.1).
These factors are particularly important when using the
[Implicit grant flow](#implicit-grant-flow), where actual credentials are included in the `redirect_uri`.
In the following sections you will find detailed instructions on how to obtain In the following sections you will find detailed instructions on how to obtain
authorization with each flow. authorization with each flow.
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7