
GitLab OpenID scope #35

Closed

almereyda opened this issue Apr 23, 2019 · 5 comments · Fixed by #36

Comments

@almereyda

When using this with a GitLab application that has the openid scope configured, the gitlab provider requests an api scope. This also happens when -scope="openid" is set.

For securing least privilege, it could be nice to only request an openid scope from the GitLab OpenID Connect application.

@ploxiln
Owner

ploxiln commented Apr 24, 2019

see #36

Is "openid" always a usable and better choice than "api" when using the GitLab provider?

@almereyda
Author

almereyda commented Apr 29, 2019

A token for the openid scope will provide access to the same user login and its details, but will not inherit all read/write admin privileges from an api authorization. Following the principle of least privilege, this is to be preferred.

The documentation also states to use openid when intending to use OpenID Connect (OIDC):

@ploxiln
Owner

ploxiln commented Apr 29, 2019

Right, so, I don't see the "openid" scope listed at https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html#limiting-scopes-of-a-personal-access-token and it's only mentioned in a single place in https://docs.gitlab.com/ee/integration/openid_connect_provider.html#enabling-openid-connect-for-oauth-applications and it's not clear to me that it is appropriate for the oauth2_proxy purpose and allows access to group membership.

Anyway, I've updated #36 to use the "openid" scope. Can you build that PR and validate that it works for your setup?

@almereyda
Author

almereyda commented Apr 30, 2019 via email

@ploxiln
Owner

ploxiln commented May 11, 2019

Any news about how "openid" scope works for you?

I'm inclined to go back to "api" scope by default (when groups are specified) but with the fix of allowing to override that with the command-line option. This would be a smaller behavior change, and if a few different users report that overriding scope to "openid" works, that change can be made separately in a later release.

A GitLab group PR in the other fork also uses the "api" scope for groups: https://github.com/pusher/oauth2_proxy/pull/137/files#diff-83fab261d52ee47763d81d669a7b7b74R107
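The scope-selection behaviour ploxiln sketches above (keep "api" as the default when groups are configured, let the operator override it with the -scope option) can be written as a small, testable function. The following Go code is an added illustration for this thread, not oauth2_proxy's own provider code; the function names, the assumption that a request with no groups configured can fall back to "openid", and the sample client id and redirect URI are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Scopes discussed in the thread. Assumption for this example: "api" is
// needed when group membership must be checked, "openid" suffices for
// plain login plus user details.
const (
	GroupScope   = "api"
	MinimalScope = "openid"
)

// ResolveGitLabScope decides which scope to request from GitLab.
// scopeFlag is the value of a -scope command-line option ("" = unset);
// groups is the list of GitLab groups the operator restricted access to.
// An explicit operator override always wins; otherwise groups force the
// broader scope and the minimal scope is used when no groups are set
// (the no-groups default is an assumption of this example).
func ResolveGitLabScope(scopeFlag string, groups []string) string {
	if s := strings.TrimSpace(scopeFlag); s != "" {
		return s
	}
	if len(groups) > 0 {
		return GroupScope
	}
	return MinimalScope
}

// ScopeWarning returns a non-empty message when the chosen scope may be
// too narrow for the configured checks (the open question in the thread:
// whether "openid" is enough to read group membership). It returns "" when
// there is nothing to warn about.
func ScopeWarning(scope string, groups []string) string {
	if len(groups) > 0 && !strings.Contains(scope, GroupScope) {
		return fmt.Sprintf("scope %q may not allow group membership checks for %v", scope, groups)
	}
	return ""
}

// AuthorizeURL builds the OAuth2 authorization request so the requested
// scope can be inspected before the redirect is issued.
func AuthorizeURL(base, clientID, redirectURI, scope string) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", scope)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	// Constructed sample configuration: operator left -scope unset and
	// restricted logins to one group.
	groups := []string{"example-group"}
	scope := ResolveGitLabScope("", groups)
	if w := ScopeWarning(scope, groups); w != "" {
		fmt.Println("warning:", w)
	}
	u, err := AuthorizeURL("https://gitlab.example.com/oauth/authorize",
		"example-client-id", "https://proxy.example.com/oauth2/callback", scope)
	if err != nil {
		panic(err)
	}
	fmt.Println("requesting scope:", scope)
	fmt.Println(u)
}
```

Running it with an explicit `-scope=openid` equivalent (passing "openid" as scopeFlag) together with a group list produces the warning, which is the situation this thread is trying to settle empirically.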
