Clarify that Group and SCIM APIs don't use the internal API auth header
What does this MR do and why?
It was unclear to me why there were two SCIM APIs listed as "internal" which are externally-facing and publicly accessible.
-
At the top of this documentation it says "The internal API is used by different GitLab components, it cannot be used by other consumers". This is not true for the SCIM APIs - they are intended to be used by SCIM-compliant integrations like Okta Azure.
-
It also says at the top that "These methods are all authenticated using a shared secret. This secret is stored in a file at the path configured in config/gitlab.yml by default this is in the root of the rails app named .gitlab_shell_secret". This is not true for the SCIM APIs either: they only require an applicable Group or Instance SCIM token.
The intent of having the APIs on the internal page is that they are not intended for consumption like our REST or GraphQL APIs. As long as any change we make is compliance with the RFC GitLab might make that change, even if it could be perceived as a "breaking" change.
This MR adds a note to each SCIM API to state that #2 is not true for them. The existing content does a good job warning people off using them like a normal API endpoint IMO.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
| Before | After |
|---|---|
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.