Merge branch 'eread/refine-implicit-grant-deprecation' into 'master'

Refine information around OAuth implicit grant deprecation See merge request gitlab-org/gitlab!79392

Merge branch 'eread/refine-implicit-grant-deprecation' into 'master'
Refine information around OAuth implicit grant deprecation See merge request gitlab-org/gitlab!79392
b4ea47b8 · Russell Dickenson · 18df9dfe · 57e2ff1f · b4ea47b8 · b4ea47b8
Commit b4ea47b8 authored Jan 31, 2022 by Russell Dickenson
Showing with 10 additions and 16 deletions

data/removals/14_0/deprecation_manage_access_14_0.yml data/removals/14_0/deprecation_manage_access_14_0.yml +2 -2

doc/api/oauth2.md doc/api/oauth2.md +6 -12

doc/update/removals.md doc/update/removals.md +2 -2

No files found.
--- a/data/removals/14_0/deprecation_manage_access_14_0.yml
+++ b/data/removals/14_0/deprecation_manage_access_14_0.yml
@@ -7,7 +7,7 @@
  body: |
    To improve performance, we are limiting the number of projects returned from the `GET /groups/:id/` API call to 100. A complete list of projects can still be retrieved with the `GET /groups/:id/projects` API call.

- name: "GitLab OAuth implicit grant deprecation"
+- name: "GitLab OAuth implicit grant"
  removal_date: "2021-06-22"
  removal_milestone: "14.0"
  reporter: ogolowinski
@@ -16,4 +16,4 @@
  body: |
    GitLab is deprecating the [OAuth 2 implicit grant flow](https://docs.gitlab.com/ee/api/oauth2.html#implicit-grant-flow) as it has been removed for [OAuth 2.1](https://oauth.net/2.1/).

-    Beginning in 14.0, new applications can't be created with the OAuth 2 implicit grant flow. Existing OAuth implicit grant flows are no longer supported in 14.4. Migrate your existing applications to other supported [OAuth2 flows](https://docs.gitlab.com/ee/api/oauth2.html#supported-oauth2-flows) before release 14.4.
+    Migrate your existing applications to other supported [OAuth2 flows](https://docs.gitlab.com/ee/api/oauth2.html#supported-oauth2-flows).
--- a/doc/api/oauth2.md
+++ b/doc/api/oauth2.md
@@ -32,7 +32,7 @@ GitLab supports the following authorization flows:
  hosted, first-party services. GitLab recommends against use of this flow.

 The draft specification for [OAuth 2.1](https://oauth.net/2.1/) specifically omits both the
-Implicit grant and Resource Owner Password Credentials flows. It will be deprecated in the next OAuth specification version.
+Implicit grant and Resource Owner Password Credentials flows.

 Refer to the [OAuth RFC](https://tools.ietf.org/html/rfc6749) to find out
 how all those flows work and pick the right one for your use case.
@@ -239,19 +239,13 @@ You can now make requests to the API with the access token returned.

 ### Implicit grant flow

-NOTE:
-For a detailed flow diagram, see the [RFC specification](https://tools.ietf.org/html/rfc6749#section-4.2).
-
 WARNING:
 Implicit grant flow is inherently insecure and the IETF has removed it in [OAuth 2.1](https://oauth.net/2.1/).
-For this reason, [support for it is deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/288516).
-In GitLab 14.0, new applications can't be created using it. In GitLab 14.4, support for it is
-scheduled to be removed for existing applications.
+It is [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/288516) for use in GitLab 14.0, and is planned for
+[removal](https://gitlab.com/gitlab-org/gitlab/-/issues/344609) in GitLab 15.0.

-We recommend that you use [Authorization code with PKCE](#authorization-code-with-proof-key-for-code-exchange-pkce) instead. If you choose to use Implicit flow, be sure to verify the
-`application id` (or `client_id`) associated with the access token before granting
-access to the data. To learn more, read
-[Retrieving the token information](#retrieve-the-token-information)).
+We recommend that you use [Authorization code with PKCE](#authorization-code-with-proof-key-for-code-exchange-pkce)
+instead.

 Unlike the authorization code flow, the client receives an `access token`
 immediately as a result of the authorization request. The flow does not use the
@@ -415,7 +409,7 @@ The following is an example response:

 The fields `scopes` and `expires_in_seconds` are included in the response.

-These are aliases for `scope` and `expires_in` respectively, and have been included to
+These fields are aliases for `scope` and `expires_in` respectively, and have been included to
 prevent breaking changes introduced in [doorkeeper 5.0.2](https://github.com/doorkeeper-gem/doorkeeper/wiki/Migration-from-old-versions#from-4x-to-5x).

 Don't rely on these fields as they are slated for removal in a later release.

--- a/doc/update/removals.md
+++ b/doc/update/removals.md
@@ -175,7 +175,7 @@ As [announced in GitLab 13.3](https://about.gitlab.com/releases/2020/08/22/gitla
 - `geo_postgresql['fdw_external_password']`
 - `gitlab-_rails['geo_migrated_local_files_clean_up_worker_cron']`

-### GitLab OAuth implicit grant deprecation
+### GitLab OAuth implicit grant

 WARNING:
 This feature was changed or removed in 14.0
@@ -185,7 +185,7 @@ changes to your code, settings, or workflow.

 GitLab is deprecating the [OAuth 2 implicit grant flow](https://docs.gitlab.com/ee/api/oauth2.html#implicit-grant-flow) as it has been removed for [OAuth 2.1](https://oauth.net/2.1/).

-Beginning in 14.0, new applications can't be created with the OAuth 2 implicit grant flow. Existing OAuth implicit grant flows are no longer supported in 14.4. Migrate your existing applications to other supported [OAuth2 flows](https://docs.gitlab.com/ee/api/oauth2.html#supported-oauth2-flows) before release 14.4.
+Migrate your existing applications to other supported [OAuth2 flows](https://docs.gitlab.com/ee/api/oauth2.html#supported-oauth2-flows).

 ### GitLab Runner helper image in GitLab.com Container Registry