
Add read_repository GitLab OAuth Scope #719

Merged

Conversation

ldennington
Contributor

@ldennington ldennington commented May 31, 2022

Overview

Add read_repository to supported OAuth Scopes for GitLab. Because read_repository grants permissions to read files on private projects using the Repository Files API, it will enable Visual Studio to use Source Link to download files from private GitLab repositories 🎉. The Git Credential Manager GitLab OAuth Application has also been updated with the read_repository scope to work with this change.

🚨 Important Notes 🚨

In order to use the new read_repository scope, users will need to do the following with existing OAuth apps for their instances:

  1. Update them to have the read_repository scope.
  2. Require users to revoke the application by doing the following:
    1. Navigate to https://gitlab.com/-/profile/applications
    2. Scroll to Authorized applications
    3. Click the "Revoke" button next to the name of their instance's app (Git Credential Manager is used here for demonstration purposes)
    4. Wait for a notification stating The application was revoked access.
    5. Re-authorize the application with the new scope (GCM should handle this flow for them)

Additionally, although read_repository works for the API required by Source Link, our testing did uncover that there are certain APIs (listing a repository tree, for example) that require additional scopes (in this case, read_api). These scopes may also need to be added in the future.

Testing

I did the following to test these changes:

  1. Create a new test OAuth application with write_repository and read_repository scopes.
  2. Update GitLabDevClientId and GitLabDevClientSecret in my global Git config with the test Application ID and Secret.
  3. Remove existing GitLab access/refresh tokens from Keychain.
  4. Update this line to contain read_repository locally and build and install GCM with this new scope.
  5. Clone a repo (to force re-authentication and add new access/refresh tokens to Keychain).
  6. Copy the new access token from Keychain.
  7. Attempt this CURL request:
     ```
     curl "https://gitlab.com/api/v4/projects/36617582/repository/files/README.md/raw?access_token=<COPIED TOKEN>"
     ```
  8. Verified contents of README.md were printed to my terminal.

Fixes #669

@ldennington ldennington self-assigned this May 31, 2022
@ldennington
Contributor Author

@Bene81 as FYI.

Collaborator

@mjcheetham mjcheetham left a comment


We may want to add the instructions on how to revoke access to the FAQs, or a link from an FAQ to a separate "how to revoke access on GitLab" markdown doc.

Add FAQ entry detailing how to revoke/re-authorize a GitLab OAuth
Application's access. This is needed when the application is updated,
e.g. when new scopes are added to it.
@ldennington ldennington merged commit 1dfde3c into git-ecosystem:main Jun 1, 2022
@hickford
Contributor

hickford commented Jun 1, 2022

  1. Update the OAuth app to have the read_repository scope.
  2. Require users to revoke the application

Is step 2 necessary? What happens if the user doesn't revoke?

@ldennington
Contributor Author

Is step 2 necessary? What happens if the user doesn't revoke?

Based on my testing yesterday, if users do not manually revoke and re-authorize, the scopes for the application are not updated.
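As an added example (not code from this PR or from Git Credential Manager), the check behind the testing steps and the "scopes are not updated" behaviour discussed here, in Python: it compares a token's granted scopes, as returned by GitLab's /oauth/token/info endpoint (assumed to behave as GitLab documents it), against the scopes the PR found each API call needs, and flags a token issued before read_repository was added to the app, the case where revoke and re-authorize is required. The operation names and the assumption that the broad api scope implies the read scopes are mine.

```python
"""Check a GitLab OAuth token's scopes and detect a stale, pre-scope-change token."""
import json
import urllib.request

# Constructed mapping from the PR's testing: the raw Repository Files endpoint
# works with read_repository alone; listing a repository tree also needs read_api.
REQUIRED_SCOPES = {
    "repository_files_raw": {"read_repository"},
    "repository_tree": {"read_api"},
}

# Assumption: the broad "api" scope covers both read scopes above.
IMPLIED_BY = {"api": {"read_api", "read_repository"}}


def granted_scopes(token_info):
    """Normalise the 'scope' field of a token-info response to a set.
    Accepts a JSON list or a space-separated string; expands implied scopes."""
    raw = token_info.get("scope", [])
    scopes = set(raw.split() if isinstance(raw, str) else raw)
    for broad, implied in IMPLIED_BY.items():
        if broad in scopes:
            scopes |= implied
    return scopes


def missing_scopes(token_info, operation):
    """Scopes the token lacks for the named operation (empty set means OK)."""
    return REQUIRED_SCOPES[operation] - granted_scopes(token_info)


def needs_reauthorization(token_info, app_scopes):
    """True when the OAuth app now lists a scope the token never received:
    the token predates the scope change, so the user must revoke and
    re-authorize, as the PR's notes require."""
    return bool(set(app_scopes) - granted_scopes(token_info))


def fetch_token_info(base_url, access_token):
    """Fetch token metadata from GitLab's /oauth/token/info endpoint
    (assumption: Bearer-authenticated GET, as GitLab documents it)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/oauth/token/info",
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```

Run fetch_token_info against the instance and pass its result to needs_reauthorization with the app's current scope list; a non-empty missing set means the cached token still carries the old grant.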

@ldennington ldennington mentioned this pull request Jun 15, 2022
@ldennington ldennington deleted the gitlab-add-read-repo-scope branch July 12, 2023 18:29
Successfully merging this pull request may close these issues.

[GitLab] Token provided by GCM for gitlab.com does not work for Source Link request.
3 participants