Commit graph

7 commits

Author SHA1 Message Date
Hassan Zamani
583ef9458c
Add groups to OpenID Connect claims 2018-02-08 13:22:41 +01:00
Douwe Maan
ab1f3b47a8 Merge branch '32059-fix-oauth-phishing' into 'security-10-1'
Prevent OAuth phishing attack by presenting detailed wording about app to user during authorization

See merge request gitlab/gitlabhq!2205
2017-11-10 16:26:53 +08:00
Douwe Maan
3f24f9ed18 Add sudo API scope 2017-11-02 11:39:03 +01:00
Markus Koller
c498289048 Implement OpenID Connect identity provider 2017-03-07 14:54:35 +01:00
Timothy Andrew
7fa06ed55d Calls to the API are checked for scope.
- Move the `Oauth2::AccessTokenValidationService` class to
  `AccessTokenValidationService`, since it is now being used for
  personal access token validation as well.

- Each API endpoint declares the scopes it accepts (if any). Currently,
  the top level API module declares the `api` scope, and the `Users` API
  module declares the `read_user` scope (for GET requests).

- Move the `find_user_by_private_token` from the API `Helpers` module to
  the `APIGuard` module, to avoid littering `Helpers` with more
  auth-related methods to support `find_user_by_private_token`
2016-12-16 16:29:31 +05:30
Douwe Maan
0c4653e101 Improve OAuth application flash messages. 2015-05-13 09:41:56 +02:00
Valery Sizov
e41dadcb33 Doorkeeper integration 2014-12-24 15:38:07 +02:00