
Draft: Implement shadow user PoC

Grzegorz Bizon requested to merge feature/gb/oauth-shadow-accounts-poc into master

What does this MR do and why?

This MR shows a Proof-of-Concept for shadow accounts (scope user account) on GitLab.

This could be used by an AI Agent to authenticate against GitLab APIs in such a way that the agent's identity is tied to a service account, while its access permissions are scoped down to a "scope user" (we renamed "shadow account" to "scope user" to avoid confusion).

This could allow us to have a @duo service account in GitLab: if someone requests an action from Duo, Duo would not impersonate them, but would instead use its own service account and be granted access based on the intersection of the scope user's permissions and the service account's permissions:

can?(duo_service_account, :read_project, project) && can?(scope_user, :read_project, project)
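The following is an added illustration of the intersection rule above, not code from this MR or from GitLab: a toy permission model in which a request is allowed only when both the service account and the scope user hold the ability, contrasted with plain impersonation. The `Principal`, `Authorizer` and `scoped_can?` names and the sample grants are constructed.

```ruby
# Added example (not GitLab code): a minimal permission model showing why
# the intersection rule differs from impersonation.
class Principal
  attr_reader :name

  # grants: { resource_id => [abilities] }, constructed sample data
  def initialize(name, grants)
    @name = name
    @grants = grants
  end

  def can?(ability, resource)
    (@grants[resource] || []).include?(ability)
  end
end

module Authorizer
  # Mirrors the rule from the MR description: the service account's own
  # permissions are intersected with the scope user's permissions.
  def self.scoped_can?(service_account, scope_user, ability, resource)
    service_account.can?(ability, resource) && scope_user.can?(ability, resource)
  end

  # For contrast: impersonation would act with the user's full permissions.
  def self.impersonating_can?(user, ability, resource)
    user.can?(ability, resource)
  end
end

# Constructed sample principals. Duo (the service account) is only granted
# read abilities; Alice (the scope user) is an admin of project-a.
DUO = Principal.new("duo", {
  "project-a" => [:read_project, :read_issue],
  "project-b" => [:read_project]
})
ALICE = Principal.new("alice", {
  "project-a" => [:read_project, :read_issue, :admin_project],
  "project-c" => [:read_project]
})

# Evaluates representative checks so the outcomes can be inspected.
def evaluate_checks
  {
    read_a: Authorizer.scoped_can?(DUO, ALICE, :read_project, "project-a"),    # both hold it
    admin_a: Authorizer.scoped_can?(DUO, ALICE, :admin_project, "project-a"),  # Duo lacks it
    read_b: Authorizer.scoped_can?(DUO, ALICE, :read_project, "project-b"),    # Alice lacks it
    read_c: Authorizer.scoped_can?(DUO, ALICE, :read_project, "project-c"),    # Duo lacks it
    impersonated_admin_a: Authorizer.impersonating_can?(ALICE, :admin_project, "project-a")
  }
end
```

The `admin_a` check is the point of the design: Alice could administer project-a herself, but a Duo request on her behalf cannot, because Duo's service account never held that ability.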

/cc @stanhu @ifarkas @jessieay

Edited by Grzegorz Bizon
