author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-01-10 21:07:39 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-01-10 21:07:39 +0300 |
commit | 8cc4a6f23d41a1c57dc309130d2ce9ebc04d8334 (patch) | |
tree | 8391f5ee4f3391534131ae834b4b0a413845239e /doc/integration/oauth_provider.md | |
parent | 87f8fdb93cb1e63f8e9cedf7d3d00c8ade70b18c (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/integration/oauth_provider.md')
-rw-r--r-- | doc/integration/oauth_provider.md | 68 |
1 files changed, 33 insertions, 35 deletions
diff --git a/doc/integration/oauth_provider.md b/doc/integration/oauth_provider.md index 53d61ef8021..95910e29463 100644 --- a/doc/integration/oauth_provider.md +++ b/doc/integration/oauth_provider.md @@ -6,17 +6,6 @@ info: To determine the technical writer assigned to the Stage/Group associated w # Configure GitLab as an OAuth 2.0 authentication identity provider -This document describes how you can use GitLab as an OAuth 2.0 authentication identity provider. - -- OAuth 2 applications can be created and managed using the GitLab UI (described below) - or managed using the [Applications API](../api/applications.md). -- After an application is created, external services can manage access tokens using the - [OAuth 2 API](../api/oauth2.md). -- To allow users to sign in to GitLab using third-party OAuth 2 providers, see - [OmniAuth documentation](omniauth.md). - -## Introduction to OAuth - [OAuth 2](https://oauth.net/2/) provides to client applications a 'secure delegated access' to server resources on behalf of a resource owner. OAuth 2 allows authorization servers to issue access tokens to third-party clients with the approval 
@@ -33,21 +22,30 @@ to repositories without sharing user credentials to your GitLab.com account. GitLab supports several ways of adding a new OAuth 2 application to an instance: -- [User owned applications](#user-owned-applications) -- [Group owned applications](#group-owned-applications) -- [Instance-wide applications](#instance-wide-applications) +- [User owned applications](#create-a-user-owned-application) +- [Group owned applications](#create-a-group-owned-application) +- [Instance-wide applications](#create-an-instance-wide-application) The only difference between these methods is the [permission](../user/permissions.md) levels. The default callback URL is `https://your-gitlab.example.com/users/auth/gitlab/callback` (you can also use a non-SSL URL, but you should use SSL URLs). -## User owned applications +This document describes how you can use GitLab as an OAuth 2.0 authentication identity provider. + +- OAuth 2 applications can be created and managed using the GitLab UI (described below) + or managed using the [Applications API](../api/applications.md). +- After an application is created, external services can manage access tokens using the + [OAuth 2 API](../api/oauth2.md). +- To allow users to sign in to GitLab using third-party OAuth 2 providers, see + [OmniAuth documentation](omniauth.md). + +## Create a user-owned application To add a new application for your user: 1. In the top-right corner, select your avatar. 1. Select **Edit profile**. 1. On the left sidebar, select **Applications**. -1. Enter a **Name**, **Redirect URI** and OAuth 2 scopes as defined in [Authorized Applications](#authorized-applications). +1. Enter a **Name**, **Redirect URI** and OAuth 2 scopes as defined in [Authorized Applications](#view-all-authorized-applications). The **Redirect URI** is the URL where users are sent after they authorize with GitLab. 1. Select **Save application**. GitLab provides: 
@@ -57,7 +55,7 @@ To add a new application for your user: - By selecting **Copy** in the **Secret** field [in GitLab 14.2 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/332844). -## Group owned applications +## Create a group-owned application > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/16227) in GitLab 13.11. @@ -65,7 +63,7 @@ To add a new application for a group: 1. Go to the desired group. 1. On the left sidebar, select **Settings > Applications**. -1. Enter a **Name**, **Redirect URI** and OAuth 2 scopes as defined in [Authorized Applications](#authorized-applications). +1. Enter a **Name**, **Redirect URI** and OAuth 2 scopes as defined in [Authorized Applications](#view-all-authorized-applications). The **Redirect URI** is the URL where users are sent after they authorize with GitLab. 1. Select **Save application**. GitLab provides: @@ -75,7 +73,7 @@ To add a new application for a group: - By selecting **Copy** in the **Secret** field [in GitLab 14.2 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/332844). -## Instance-wide applications +## Create an instance-wide application To create an application for your GitLab instance: 
@@ -86,22 +84,7 @@ To create an application for your GitLab instance: When creating application in the **Admin Area** , you can mark it as _trusted_. The user authorization step is automatically skipped for this application. -## Access token expiration - -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/21745) in GitLab 14.3, with the ability to opt out. -> - Ability to opt-out of expiring access token [removed](https://gitlab.com/gitlab-org/gitlab/-/issues/340848) in GitLab 15.0. - -WARNING: -The ability to opt-out of expiring access tokens was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/340848) -in GitLab 14.3 and [removed](https://gitlab.com/gitlab-org/gitlab/-/issues/340848) in 15.0. All -existing integrations must be updated to support access token refresh. - -Access tokens expire after two hours. Integrations that use access tokens must generate new ones at least every -two hours. - -When applications are deleted, all grants and tokens associated with the application are also deleted. - -## Authorized applications +## View all authorized applications To see all the application you've authorized with your GitLab credentials: 
@@ -128,6 +111,21 @@ application can perform. Available scopes are depicted in the following table. At any time you can revoke any access by selecting **Revoke**. +## Access token expiration + +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/21745) in GitLab 14.3, with the ability to opt out. +> - Ability to opt-out of expiring access token [removed](https://gitlab.com/gitlab-org/gitlab/-/issues/340848) in GitLab 15.0. + +WARNING: +The ability to opt out of expiring access tokens was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/340848) +in GitLab 14.3 and [removed](https://gitlab.com/gitlab-org/gitlab/-/issues/340848) in 15.0. All +existing integrations must be updated to support access token refresh. + +Access tokens expire after two hours. Integrations that use access tokens must generate new ones at least every +two hours. + +When applications are deleted, all grants and tokens associated with the application are also deleted. + ## Hashed OAuth application secrets > Introduced in GitLab 15.4 [with a flag](../administration/feature_flags.md) named `hash_oauth_secrets`. Disabled by default. |
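Review bot: in the `@@ -33,21 +22,30 @@` hunk, the relocated paragraph "This document describes how you can use GitLab as an OAuth 2.0 authentication identity provider." and its three bullets now land after the callback URL paragraph, directly above "## Create a user-owned application". The page therefore opens on OAuth 2 background under the H1 and states its scope only after the list of application types. Consider keeping the scope sentence under the H1, or rewording it for its new position. In the same hunk the list link text still reads "User owned applications" and "Group owned applications" while the target headings are now hyphenated ("user-owned", "group-owned"); align the link text with the headings.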
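Review bot: in the `@@ -65,7 +63,7 @@` hunk, and in the matching step of the user-owned section, the link target was updated to `#view-all-authorized-applications` but the link text still reads "Authorized Applications". The step also tells the reader that scopes are "defined in" a section whose title is now about viewing authorized applications. Update the link text to match the renamed heading, or point the step at the scopes table more directly.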
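Review bot: the heading rename in the `@@ -86,22 +84,7 @@` hunk ("## Authorized applications" to "## View all authorized applications"), like the three "Create a ..." renames earlier in the patch, changes the section anchor. The in-page links are updated here, but the diffstat is limited to `doc/integration/oauth_provider.md`, so any links from other pages to the old anchors such as `#authorized-applications` cannot be checked from this diff; please confirm they were updated or that none exist. The unchanged line under the new heading reads "all the application you've authorized" and could be corrected to "applications" while this section is being touched.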
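Review bot: in the `@@ -128,6 +111,21 @@` hunk, the re-added WARNING was corrected to "opt out of expiring access tokens", but the history bullet two lines above it still reads "Ability to opt-out of expiring access token"; use the same wording in both places ("opt out", plural "tokens"). The WARNING also says integrations "must be updated to support access token refresh" and the section says tokens expire after two hours, yet neither links to how a refresh is performed. Since the section is being moved anyway, consider linking to the OAuth 2 API page (`../api/oauth2.md`) that this document already references.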