Commit 57e2ff1f authored by Evan Read's avatar Evan Read

Refine information around OAuth implicit grant deprecation

parent dad714c5
...@@ -7,7 +7,7 @@ ...@@ -7,7 +7,7 @@
body: | body: |
To improve performance, we are limiting the number of projects returned from the `GET /groups/:id/` API call to 100. A complete list of projects can still be retrieved with the `GET /groups/:id/projects` API call. To improve performance, we are limiting the number of projects returned from the `GET /groups/:id/` API call to 100. A complete list of projects can still be retrieved with the `GET /groups/:id/projects` API call.
- name: "GitLab OAuth implicit grant deprecation" - name: "GitLab OAuth implicit grant"
removal_date: "2021-06-22" removal_date: "2021-06-22"
removal_milestone: "14.0" removal_milestone: "14.0"
reporter: ogolowinski reporter: ogolowinski
...@@ -16,4 +16,4 @@ ...@@ -16,4 +16,4 @@
body: | body: |
GitLab is deprecating the [OAuth 2 implicit grant flow](https://docs.gitlab.com/ee/api/oauth2.html#implicit-grant-flow) as it has been removed for [OAuth 2.1](https://oauth.net/2.1/). GitLab is deprecating the [OAuth 2 implicit grant flow](https://docs.gitlab.com/ee/api/oauth2.html#implicit-grant-flow) as it has been removed for [OAuth 2.1](https://oauth.net/2.1/).
Beginning in 14.0, new applications can't be created with the OAuth 2 implicit grant flow. Existing OAuth implicit grant flows are no longer supported in 14.4. Migrate your existing applications to other supported [OAuth2 flows](https://docs.gitlab.com/ee/api/oauth2.html#supported-oauth2-flows) before release 14.4. Migrate your existing applications to other supported [OAuth2 flows](https://docs.gitlab.com/ee/api/oauth2.html#supported-oauth2-flows).
...@@ -32,7 +32,7 @@ GitLab supports the following authorization flows: ...@@ -32,7 +32,7 @@ GitLab supports the following authorization flows:
hosted, first-party services. GitLab recommends against use of this flow. hosted, first-party services. GitLab recommends against use of this flow.
The draft specification for [OAuth 2.1](https://oauth.net/2.1/) specifically omits both the The draft specification for [OAuth 2.1](https://oauth.net/2.1/) specifically omits both the
Implicit grant and Resource Owner Password Credentials flows. It will be deprecated in the next OAuth specification version. Implicit grant and Resource Owner Password Credentials flows.
Refer to the [OAuth RFC](https://tools.ietf.org/html/rfc6749) to find out Refer to the [OAuth RFC](https://tools.ietf.org/html/rfc6749) to find out
how all those flows work and pick the right one for your use case. how all those flows work and pick the right one for your use case.
...@@ -239,19 +239,13 @@ You can now make requests to the API with the access token returned. ...@@ -239,19 +239,13 @@ You can now make requests to the API with the access token returned.
### Implicit grant flow ### Implicit grant flow
NOTE:
For a detailed flow diagram, see the [RFC specification](https://tools.ietf.org/html/rfc6749#section-4.2).
WARNING: WARNING:
Implicit grant flow is inherently insecure and the IETF has removed it in [OAuth 2.1](https://oauth.net/2.1/). Implicit grant flow is inherently insecure and the IETF has removed it in [OAuth 2.1](https://oauth.net/2.1/).
For this reason, [support for it is deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/288516). It is [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/288516) for use in GitLab 14.0, and is planned for
In GitLab 14.0, new applications can't be created using it. In GitLab 14.4, support for it is [removal](https://gitlab.com/gitlab-org/gitlab/-/issues/344609) in GitLab 15.0.
scheduled to be removed for existing applications.
We recommend that you use [Authorization code with PKCE](#authorization-code-with-proof-key-for-code-exchange-pkce) instead. If you choose to use Implicit flow, be sure to verify the We recommend that you use [Authorization code with PKCE](#authorization-code-with-proof-key-for-code-exchange-pkce)
`application id` (or `client_id`) associated with the access token before granting instead.
access to the data. To learn more, read
[Retrieving the token information](#retrieve-the-token-information)).
Unlike the authorization code flow, the client receives an `access token` Unlike the authorization code flow, the client receives an `access token`
immediately as a result of the authorization request. The flow does not use the immediately as a result of the authorization request. The flow does not use the
...@@ -415,7 +409,7 @@ The following is an example response: ...@@ -415,7 +409,7 @@ The following is an example response:
The fields `scopes` and `expires_in_seconds` are included in the response. The fields `scopes` and `expires_in_seconds` are included in the response.
These are aliases for `scope` and `expires_in` respectively, and have been included to These fields are aliases for `scope` and `expires_in` respectively, and have been included to
prevent breaking changes introduced in [doorkeeper 5.0.2](https://github.com/doorkeeper-gem/doorkeeper/wiki/Migration-from-old-versions#from-4x-to-5x). prevent breaking changes introduced in [doorkeeper 5.0.2](https://github.com/doorkeeper-gem/doorkeeper/wiki/Migration-from-old-versions#from-4x-to-5x).
Don't rely on these fields as they are slated for removal in a later release. Don't rely on these fields as they are slated for removal in a later release.
......
...@@ -175,7 +175,7 @@ As [announced in GitLab 13.3](https://about.gitlab.com/releases/2020/08/22/gitla ...@@ -175,7 +175,7 @@ As [announced in GitLab 13.3](https://about.gitlab.com/releases/2020/08/22/gitla
- `geo_postgresql['fdw_external_password']` - `geo_postgresql['fdw_external_password']`
- `gitlab-_rails['geo_migrated_local_files_clean_up_worker_cron']` - `gitlab-_rails['geo_migrated_local_files_clean_up_worker_cron']`
### GitLab OAuth implicit grant deprecation ### GitLab OAuth implicit grant
WARNING: WARNING:
This feature was changed or removed in 14.0 This feature was changed or removed in 14.0
...@@ -185,7 +185,7 @@ changes to your code, settings, or workflow. ...@@ -185,7 +185,7 @@ changes to your code, settings, or workflow.
GitLab is deprecating the [OAuth 2 implicit grant flow](https://docs.gitlab.com/ee/api/oauth2.html#implicit-grant-flow) as it has been removed for [OAuth 2.1](https://oauth.net/2.1/). GitLab is deprecating the [OAuth 2 implicit grant flow](https://docs.gitlab.com/ee/api/oauth2.html#implicit-grant-flow) as it has been removed for [OAuth 2.1](https://oauth.net/2.1/).
Beginning in 14.0, new applications can't be created with the OAuth 2 implicit grant flow. Existing OAuth implicit grant flows are no longer supported in 14.4. Migrate your existing applications to other supported [OAuth2 flows](https://docs.gitlab.com/ee/api/oauth2.html#supported-oauth2-flows) before release 14.4. Migrate your existing applications to other supported [OAuth2 flows](https://docs.gitlab.com/ee/api/oauth2.html#supported-oauth2-flows).
### GitLab Runner helper image in GitLab.com Container Registry ### GitLab Runner helper image in GitLab.com Container Registry
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment