Prefix SCIM tokens
Release notes
GitLab SCIM tokens will be prefixed with `glsoat-` to enable secret detection if this credential is leaked.
Context
GitLab has been adding prefixes to many of its authentication tokens, see Prefix all authentication tokens for easier det... (&8923) and https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/482+
We should prefix SCIM tokens.
- An instance can have a SCIM token, and each EE Group can have one.
- There are group level SCIM endpoints, internal Group SCIM endpoints, and internal instance level SCIM endpoints.
- https://docs.gitlab.com/ee/api/scim.html
  - "The GitLab SCIM API manages SCIM identities within groups and provides the /groups/:groups_id/scim/identities and /groups/:groups_id/scim/:uid endpoints. The base URL is <http|https>:///api/v4."
- https://docs.gitlab.com/ee/development/internal_api/index.html#group-scim-api
  - "The group SCIM API partially implements the RFC7644 protocol. This API provides the /groups/:group_path/Users and /groups/:group_path/Users/:id endpoints. The base URL is <http|https>:///api/scim/v2"
- https://docs.gitlab.com/ee/development/internal_api/index.html#instance-scim-api
  - "This API provides the /application/Users and /application/Users/:id endpoints. The base URL is <http|https>:///api/scim/v2."
So updating the model to have a prefix would cover all three of those endpoints.
Problem to solve
- SCIM tokens live indefinitely
- SCIM tokens are used to authorize requests against the GitLab API
- If leaked, SCIM tokens allow read and update of users which can, for example, lead to account takeover. (Update the user's email from `original` to `attacker@example.com`, do a password reset, and you're in.)
- SCIM tokens are 20 random characters, so are difficult to detect
Proposal
- Decide on a prefix, e.g. `glsoat-`, for the `ScimOauthAccessToken#token` authentication field
  - I validated none of GitLab's existing prefixes use this; `gloas` is similar though.
  - The current value is `Devise.friendly_token`, which is `[a-zA-Z0-9-_]{20}`:
    - any downstream systems (i.e. not GitLab) accepting those characters should be able to accept `glsoat-`;
    - the only thing that might break is if something downstream expects only 20 chars, whereas it'll now be 27 total.
- Consider whether group SCIM tokens should have a different prefix to instance SCIM tokens
- Follow the pattern established when updating other tokens
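As an added illustration of the proposal (not GitLab's own code), the snippet below re-implements `Devise.friendly_token` with `SecureRandom` so it runs without the gem, prepends the proposed `glsoat-` prefix, and shows the kind of secret-detection rule the prefix makes possible: a bare 20-character token has nothing to key on, while the prefixed form can be matched precisely. The sample config text, the 27-character length check and the lookaround-bounded pattern are assumptions for this example.

```ruby
require 'securerandom'

# Assumed prefix and length from the proposal: 7-char prefix + 20 token chars = 27 total.
SCIM_TOKEN_PREFIX = 'glsoat-'.freeze
SCIM_TOKEN_LENGTH = 20

# Stand-in for Devise.friendly_token(20): urlsafe base64 with ambiguous
# characters swapped out, yielding 20 chars of [A-Za-z0-9_-].
def friendly_token(length = SCIM_TOKEN_LENGTH)
  SecureRandom.urlsafe_base64((length * 3) / 4).tr('lIO0', 'sxyz')[0, length]
end

# The proposed model change: same random body, now carrying the prefix.
def generate_scim_token
  SCIM_TOKEN_PREFIX + friendly_token
end

# Detection rule: prefix followed by exactly 20 token characters, bounded so
# a longer run of token characters on either side does not match.
SCIM_TOKEN_PATTERN = /(?<![A-Za-z0-9_-])#{Regexp.escape(SCIM_TOKEN_PREFIX)}[A-Za-z0-9_-]{#{SCIM_TOKEN_LENGTH}}(?![A-Za-z0-9_-])/

# Scan free text (a config file, a commit diff, a log line) for prefixed tokens.
def find_scim_tokens(text)
  text.scan(SCIM_TOKEN_PATTERN)
end

# Whole-string validation for the new format.
def valid_scim_token?(token)
  token.match?(/\A#{Regexp.escape(SCIM_TOKEN_PREFIX)}[A-Za-z0-9_-]{#{SCIM_TOKEN_LENGTH}}\z/)
end

# Constructed sample, not real credentials: one prefixed token and one
# legacy 20-char token that a scanner cannot distinguish from any other string.
SAMPLE = <<~TEXT
  scim_url: https://gitlab.example.com/api/scim/v2/groups/acme
  scim_token: glsoat-aB3dE5fG7hJ9kL1mN2pQ
  legacy_token: zY8xW6vU4tS2rQ0pN9mK
TEXT

if __FILE__ == $PROGRAM_NAME
  puts "generated: #{generate_scim_token} (#{generate_scim_token.length} chars)"
  puts "detected in sample: #{find_scim_tokens(SAMPLE).inspect}"
end
```

Only the prefixed token is reported from the sample; the legacy token on the next line is exactly the kind of 20-character value the "difficult to detect" bullet describes.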
Downstream systems
- https://help.trelica.com/hc/en-us/articles/7739222824733-GitLab
- https://jumpcloud.com/support/integrate-with-gitlab#configuring-the-identity-management-integration
- Likely many others, integrating with our SCIM APIs
Intended users
Feature Usage Metrics
Does this feature require an audit event?