Commit 141fa401, authored Feb 14, 2022 by Ben Yanke, committed by Evan Read on Feb 14, 2022
Fix Oauth 2.0 PKCE Flow Documentation
Parent: 9870ee7a
Showing 1 changed file with 10 additions and 5 deletions: doc/api/oauth2.md (+10, -5)
File: doc/api/oauth2.md @ 141fa401
@@ -41,7 +41,9 @@ Both **authorization code** (with or without PKCE) and **implicit grant** flows
registered first via the
`/profile/applications`
page in your user's account.
During registration, by enabling proper scopes, you can limit the range of
resources which the
`application`
can access. Upon creation, you obtain the
`application`
credentials: _Application ID_ and _Client Secret_ -
**keep them secure**
.
`application`
credentials: _Application ID_ and _Client Secret_. The _Client Secret_
**must be kept secure**
. It is also advantageous to keep the _Application ID_
secret when your application architecture allows.
For a list of scopes in GitLab, see
[
the provider documentation
](
../integration/oauth_provider.md#authorized-applications
)
.
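Review bot: the new sentence advising readers to keep the _Application ID_ secret "when your application architecture allows" sits oddly next to the PKCE public-client case this commit is about, because the Application ID is the `client_id` that is sent in the authorization request URL and in the token request, so a browser or mobile client cannot hide it from its user. Suggest wording it as a public identifier rather than a credential, for example "The _Client Secret_ **must be kept secure**. The _Application ID_ is not a secret and is visible to the client, so do not rely on hiding it", so readers do not conclude that concealing the ID protects anything.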
@@ -74,7 +76,10 @@ detailed flow description, from authorization request through access token.
The following steps describe our implementation of the flow.
The Authorization code with PKCE flow, PKCE for short, makes it possible to securely perform
the OAuth exchange of client credentials for access tokens on public clients.
the OAuth exchange of client credentials for access tokens on public clients without
requiring access to the _Client Secret_ at all. This makes the PKCE flow advantageous
for single page JavaScript applications or other client side apps where keeping secrets
from the user is a technical impossibility.
Before starting the flow, generate the
`STATE`
, the
`CODE_VERIFIER`
and the
`CODE_CHALLENGE`
.
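Review bot: "client side apps" should be hyphenated as "client-side apps" (compound adjective), and "securely perform the OAuth exchange ... on public clients" would be clearer if it said what PKCE actually guarantees: the `CODE_VERIFIER` proves that the party redeeming the authorization code is the one that started the flow with the matching `CODE_CHALLENGE`, so an intercepted code alone is useless. It is also worth a sentence that PKCE is recommended for confidential clients as well, so this paragraph is not read as "PKCE is only for apps that cannot hold a secret".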
@@ -113,7 +118,7 @@ Before starting the flow, generate the `STATE`, the `CODE_VERIFIER` and the `COD
any HTTP client. The following example uses Ruby's
`rest-client`
:
```
ruby
parameters
=
'client_id=APP_ID&c
lient_secret=APP_SECRET&c
ode=RETURNED_CODE&grant_type=authorization_code&redirect_uri=REDIRECT_URI&code_verifier=CODE_VERIFIER'
parameters
=
'client_id=APP_ID&code=RETURNED_CODE&grant_type=authorization_code&redirect_uri=REDIRECT_URI&code_verifier=CODE_VERIFIER'
RestClient
.
post
'https://gitlab.example.com/oauth/token'
,
parameters
```
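Review bot: dropping `client_secret=APP_SECRET` is the right fix for PKCE, but the example still assembles the form body by hand, so a real `REDIRECT_URI` (with `:` and `/`) would need percent-encoding to match the registered URI exactly. Suggest passing a hash so `rest-client` form-encodes it: `RestClient.post 'https://gitlab.example.com/oauth/token', { client_id: 'APP_ID', code: 'RETURNED_CODE', grant_type: 'authorization_code', redirect_uri: 'REDIRECT_URI', code_verifier: 'CODE_VERIFIER' }`. A short note beside the example that `CODE_VERIFIER` must be the exact value whose hash was sent as `CODE_CHALLENGE` in the authorization request would also help readers debug a rejected token request.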
@@ -135,7 +140,7 @@ Before starting the flow, generate the `STATE`, the `CODE_VERIFIER` and the `COD
-
Sends new tokens in the response.
```
ruby
parameters
=
'client_id=APP_ID&
client_secret=APP_SECRET&
refresh_token=REFRESH_TOKEN&grant_type=refresh_token&redirect_uri=REDIRECT_URI&code_verifier=CODE_VERIFIER'
parameters
=
'client_id=APP_ID&refresh_token=REFRESH_TOKEN&grant_type=refresh_token&redirect_uri=REDIRECT_URI&code_verifier=CODE_VERIFIER'
RestClient
.
post
'https://gitlab.example.com/oauth/token'
,
parameters
```
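Review bot: the refresh example keeps `redirect_uri=REDIRECT_URI&code_verifier=CODE_VERIFIER`, but the `refresh_token` grant (RFC 6749, section 6) is defined with `grant_type`, `refresh_token` and an optional `scope`; the code verifier is consumed when the authorization code is redeemed and is not replayed on refresh. If GitLab simply ignores the extra parameters, suggest removing them from the example or adding one sentence saying they are accepted but unused, so public-client implementers do not think they must persist `CODE_VERIFIER` for the life of the session. With the secret gone, it would also be worth noting that the refresh token is now the only long-lived credential the client holds, and that, as the bullet above says new tokens are returned, the client should replace its stored refresh token with the returned one.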