1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
|
en:
activerecord:
errors:
models:
application:
attributes:
redirect_uri:
fragment_present: 'cannot contain a fragment.'
invalid_uri: 'must be a valid URI.'
relative_uri: 'must be an absolute URI.'
mongoid:
errors:
models:
application:
attributes:
redirect_uri:
fragment_present: 'cannot contain a fragment.'
invalid_uri: 'must be a valid URI.'
relative_uri: 'must be an absolute URI.'
mongo_mapper:
errors:
models:
application:
attributes:
redirect_uri:
fragment_present: 'cannot contain a fragment.'
invalid_uri: 'must be a valid URI.'
relative_uri: 'must be an absolute URI.'
doorkeeper:
errors:
messages:
# Common error messages
invalid_redirect_uri: 'The redirect URI included is not valid.'
unauthorized_client: 'The client is not authorized to perform this request using this method.'
access_denied: 'The resource owner or authorization server denied the request.'
invalid_scope: 'The requested scope is invalid, unknown, or malformed.'
server_error: 'The authorization server encountered an unexpected condition which prevented it from fulfilling the request.'
unconfirmed_email: 'Verify the email address in your account profile before you sign in.'
temporarily_unavailable: 'The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server.'
#configuration error messages
credential_flow_not_configured: 'Resource Owner Password Credentials flow failed due to Doorkeeper.configure.resource_owner_from_credentials being unconfigured.'
resource_owner_authenticator_not_configured: 'Resource Owner find failed due to Doorkeeper.configure.resource_owner_authenticator being unconfiged.'
# Access grant errors
unsupported_response_type: 'The authorization server does not support this response type.'
# Access token errors
invalid_client: 'Client authentication failed due to unknown client, no client authentication included, or unsupported authentication method.'
invalid_grant: 'The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.'
unsupported_grant_type: 'The authorization grant type is not supported by the authorization server.'
# Password Access token errors
invalid_resource_owner: 'The provided resource owner credentials are not valid, or resource owner cannot be found'
invalid_request:
unknown: 'The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed.'
missing_param: 'Missing required parameter: %{value}.'
not_support_pkce: 'Invalid code_verifier parameter. Server does not support pkce.'
request_not_authorized: 'Request need to be authorized. Required parameter for authorizing request is missing or invalid.'
invalid_token:
revoked: "The access token was revoked"
expired: "The access token expired"
unknown: "The access token is invalid"
scopes:
api: Access the authenticated user's API
read_user: Read the authenticated user's personal information
read_repository: Allows read-only access to the repository
write_repository: Allows read-write access to the repository
read_registry: Grants permission to read container registry images
read_observability: Allows read-only access to GitLab Observability
write_observability: Allows read-write access to GitLab Observability
openid: Authenticate using OpenID Connect
sudo: Perform API actions as any user in the system
profile: Allows read-only access to the user's personal information using OpenID Connect
email: Allows read-only access to the user's primary email address using OpenID Connect
admin_mode: Admin Mode is a functionality designed to limit the access level of administrator's personal access tokens.
create_runner: Grants create access to the runners
k8s_proxy: Grants permission to perform Kubernetes API calls using the agent for Kubernetes.
ai_features: Access to API endpoints needed for GitLab Duo features
scope_desc:
api:
Grants complete read/write access to the API, including all groups and projects, the container registry, and the package registry.
read_api:
Grants read access to the API, including all groups and projects, the container registry, and the package registry.
read_user:
Grants read-only access to the authenticated user's profile through the /user API endpoint, which includes username, public email, and full name. Also grants access to read-only API endpoints under /users.
read_repository:
Grants read-only access to repositories on private projects using Git-over-HTTP or the Repository Files API.
write_repository:
Grants read-write access to repositories on private projects using Git-over-HTTP (not using the API).
read_registry:
Grants read-only access to container registry images on private projects.
write_registry:
Grants write access to container registry images on private projects.
read_observability:
Grants read-only access to GitLab Observability.
write_observability:
Grants write access to GitLab Observability.
ai_features:
Grants access to GitLab Duo related API endpoints.
openid:
Grants permission to authenticate with GitLab using OpenID Connect. Also gives read-only access to the user's profile and group memberships.
sudo:
Grants permission to perform API actions as any user in the system, when authenticated as an admin user.
profile:
Grants read-only access to the user's profile data using OpenID Connect.
email:
Grants read-only access to the user's primary email address using OpenID Connect.
admin_mode:
Grants permission to perform API actions as an administrator, when Admin Mode is enabled.
create_runner:
Grants create access to the runners.
k8s_proxy:
Grants permission to perform Kubernetes API calls using the agent for Kubernetes.
group_access_token_scope_desc:
api:
Grants complete read and write access to the scoped group and related project API, including the Package Registry.
read_api:
Grants read access to the scoped group and related project API, including the Package Registry.
read_user:
Grants read-only access to the authenticated user's profile through the /user API endpoint, which includes username, public email, and full name. Also grants access to read-only API endpoints under /users.
read_repository:
Grants read access (pull) to all repositories within a group.
write_repository:
Grants read and write access (pull and push) to all repositories within a group.
read_registry:
Grants read access (pull) to the Container Registry images if any project within a group is private and authorization is required.
write_registry:
Grants write access (push) to the Container Registry.
read_observability:
Grants read-only access to GitLab Observability.
write_observability:
Grants write access to GitLab Observability.
ai_features:
Grants permission to perform API actions for GitLab Duo.
openid:
Grants permission to authenticate with GitLab using OpenID Connect. Also gives read-only access to the user's profile and group memberships.
sudo:
Grants permission to perform API actions as any user in the system, when authenticated as an admin user.
profile:
Grants read-only access to the user's profile data using OpenID Connect.
email:
Grants read-only access to the user's primary email address using OpenID Connect.
admin_mode:
Grants permission to perform API actions as an administrator, when Admin Mode is enabled.
create_runner:
Grants permission to create runners in a group.
k8s_proxy:
Grants permission to perform Kubernetes API calls using the agent for Kubernetes in a group.
project_access_token_scope_desc:
api:
Grants complete read and write access to the scoped project API, including the Package Registry.
read_api:
Grants read access to the scoped project API, including the Package Registry.
read_repository:
Grants read access (pull) to the repository.
write_repository:
Grants read and write access (pull and push) to the repository.
read_registry:
Grants read access (pull) to the Container Registry images if a project is private and authorization is required.
write_registry:
Grants write access (push) to the Container Registry.
read_observability:
Grants read-only access to GitLab Observability.
write_observability:
Grants write access to GitLab Observability.
create_runner:
Grants create access to the runners.
k8s_proxy:
Grants permission to perform Kubernetes API calls using the agent for Kubernetes.
ai_features:
Grants access to GitLab Duo related API endpoints.
flash:
applications:
create:
notice: 'The application was created successfully.'
destroy:
notice: 'The application was deleted successfully.'
update:
notice: 'The application was updated successfully.'
authorized_applications:
destroy:
notice: 'The application was revoked access.'
|
