Commit 51fcea7a authored by Achilleas Pipinellis

Merge branch 'fix-csfr-typo-in-doc' into 'master'

Fix typo `CSFR` -> `CSRF` in the OAuth2 doc



See merge request !6538
parents 9d302b8d 4977a167
...@@ -4,7 +4,7 @@ This document covers using the OAuth2 protocol to access GitLab. ...@@ -4,7 +4,7 @@ This document covers using the OAuth2 protocol to access GitLab.
If you want GitLab to be an OAuth authentication service provider to sign into other services please see the [Oauth2 provider documentation](../integration/oauth_provider.md). If you want GitLab to be an OAuth authentication service provider to sign into other services please see the [Oauth2 provider documentation](../integration/oauth_provider.md).
OAuth2 is a protocol that enables us to authenticate a user without requiring them to give their password to a third-party. OAuth2 is a protocol that enables us to authenticate a user without requiring them to give their password to a third-party.
This functionality is based on [doorkeeper gem](https://github.com/doorkeeper-gem/doorkeeper) This functionality is based on [doorkeeper gem](https://github.com/doorkeeper-gem/doorkeeper)
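Review bot: the link text `Oauth2 provider documentation` in the first context line is inconsistent with the `OAuth2` spelling used in the sentences around it; since this MR is already a spelling fix for this file, consider changing it to `OAuth2 provider documentation` in the same pass.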
...@@ -22,7 +22,7 @@ In the following sections you will be introduced to the three steps needed for t ...@@ -22,7 +22,7 @@ In the following sections you will be introduced to the three steps needed for t
### 1. Registering the client ### 1. Registering the client
First, you should create an application (`/profile/applications`) in your user's account. First, you should create an application (`/profile/applications`) in your user's account.
Each application gets a unique App ID and App Secret parameters. Each application gets a unique App ID and App Secret parameters.
>**Note:** >**Note:**
**You should not share/leak your App ID or App Secret.** **You should not share/leak your App ID or App Secret.**
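Review bot: `Each application gets a unique App ID and App Secret parameters.` mixes singular and plural; suggest `Each application gets a unique App ID and App Secret.` In the note that follows, `share/leak` reads better as `share or leak`.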
...@@ -46,10 +46,10 @@ http://myapp.com/oauth/redirect?code=1234567890&state=your_unique_state_hash ...@@ -46,10 +46,10 @@ http://myapp.com/oauth/redirect?code=1234567890&state=your_unique_state_hash
You should then use the `code` to request an access token. You should then use the `code` to request an access token.
>**Important:** >**Important:**
It is highly recommended that you send a `state` value with the request to `/oauth/authorize` and It is highly recommended that you send a `state` value with the request to `/oauth/authorize` and
validate that value is returned and matches in the redirect request. validate that value is returned and matches in the redirect request.
This is important to prevent [CSFR attacks](http://www.oauthsecurity.com/#user-content-authorization-code-flow), This is important to prevent [CSRF attacks](http://www.oauthsecurity.com/#user-content-authorization-code-flow),
`state` really should have been a requirement in the standard! `state` really should have been a requirement in the standard!
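Review bot: the `CSFR` -> `CSRF` change is correct, but the sentence it lands in is a comma splice: `This is important to prevent [CSRF attacks](...), `state` really should have been a requirement in the standard!` Suggest ending the first sentence after the link and starting a new one for the remark about the standard. While here, `validate that value is returned and matches in the redirect request` would be clearer as `validate that the same value is returned in the redirect request`, and the paragraph should say that `state` must be an unguessable value tied to the user's session, since a fixed or predictable value gives no CSRF protection; the `your_unique_state_hash` placeholder in the hunk header hints at this, but the text never states it.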
### 3. Requesting the access token ### 3. Requesting the access token
...@@ -62,7 +62,7 @@ RestClient.post 'http://localhost:3000/oauth/token', parameters ...@@ -62,7 +62,7 @@ RestClient.post 'http://localhost:3000/oauth/token', parameters
# The response will be # The response will be
{ {
"access_token": "de6780bc506a0446309bd9362820ba8aed28aa506c71eedbe1c5c4f9dd350e54", "access_token": "de6780bc506a0446309bd9362820ba8aed28aa506c71eedbe1c5c4f9dd350e54",
"token_type": "bearer", "token_type": "bearer",
"expires_in": 7200, "expires_in": 7200,
"refresh_token": "8257e65c97202ed1726cf9571600918f3bffb2544b26e00a61df9897668c33a1" "refresh_token": "8257e65c97202ed1726cf9571600918f3bffb2544b26e00a61df9897668c33a1"
} }
...@@ -95,7 +95,7 @@ curl --header "Authorization: Bearer OAUTH-TOKEN" https://localhost:3000/api/v3/ ...@@ -95,7 +95,7 @@ curl --header "Authorization: Bearer OAUTH-TOKEN" https://localhost:3000/api/v3/
--- ---
In this flow, a token is requested in exchange for the resource owner credentials (username and password). In this flow, a token is requested in exchange for the resource owner credentials (username and password).
The credentials should only be used when there is a high degree of trust between the resource owner and the client (e.g. the The credentials should only be used when there is a high degree of trust between the resource owner and the client (e.g. the
client is part of the device operating system or a highly privileged application), and when other authorization grant types are not client is part of the device operating system or a highly privileged application), and when other authorization grant types are not
available (such as an authorization code). available (such as an authorization code).