info:To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technica l-writing/#designated-technical-writers
---
# GitLab as an OAuth2 provider
# GitLab as an OAuth2 provider
This document covers using the [OAuth2](https://oauth.net/2/) protocol to allow
This document covers using the [OAuth2](https://oauth.net/2/) protocol to allow
...
@@ -28,12 +35,24 @@ During registration, by enabling proper scopes, you can limit the range of
...
@@ -28,12 +35,24 @@ During registration, by enabling proper scopes, you can limit the range of
resources which the `application` can access. Upon creation, you'll obtain the
resources which the `application` can access. Upon creation, you'll obtain the
`application` credentials: _Application ID_ and _Client Secret_ - **keep them secure**.
`application` credentials: _Application ID_ and _Client Secret_ - **keep them secure**.
CAUTION: **Important:**
### Prevent CSRF attacks
OAuth specification advises sending the `state` parameter with each request to
`/oauth/authorize`. We highly recommended sending a unique value with each request
To [protect redirect-based flows](https://tools.ietf.org/id/draft-ietf-oauth-security-topics-13.html#rec_redirect),
and validate it against the one in the redirect request. This is important in
the OAuth specification recommends the use of "One-time use CSRF tokens carried in the state
order to prevent [CSRF attacks](https://wiki.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).
parameter, which are securely bound to the user agent", with each request to the
The `state` parameter really should have been a requirement in the standard!