Draft: Document GitLab Pages automatically added as trusted application
What does this MR do?
This MR attempts to document the fact that GitLab Pages can appear as a trusted application in https://gitlab.com/-/profile/applications, even though the user never authorised it themselves.
There was an internal discussion that led to this:
@markrian I spotted that I did have a GitLab Pages app, which was authorised about an hour ago. I definitely didn't authorise anything in the last hour. As a precaution, I revoked it, but I have no idea how it got there. Is it perhaps just how GitLab Pages works, or something...?
@lienvdsteen Same for me! Also revoked it and I was like oh no, was this a test by security to see if I would just click any link (edited)
@joernchen AFAIK the GitLab Pages app is used internally to grant access to protected Pages sites. It should be a trusted application, which will not show the authorization step but automatically approve.
@joernchen https://docs.gitlab.com/ee/integration/oauth_provider.html#instance-wide-applications < see here
@markrian Well, that's a relief! Still, it's a little bit scary. Should this be documented explicitly, perhaps? That is, that GitLab has some hard-coded, pre-trusted apps, like GitLab Pages? (edited)
@joernchen Good point. I think the most usable thing would be a section somewhere under https://gitlab.com/help/instance_configuration to show the trusted OAuth apps.
Notes
This general problem is already discussed to some degree in #229792 and #8081.
It was initially suggested by @joernchen to document this in https://gitlab.com/help/instance_configuration#gitlab-pages, but looking further into this, I'm not sure that's the right place, since trusting GitLab Pages seems to be dynamic, per-user behaviour rather than instance-wide.
As far as I can tell, the existing docs contain only one brief mention of a possible link between GitLab Pages and trusted applications.
Screenshots (strongly suggested)
n/a
Does this MR meet the acceptance criteria?

Conformity

- 📋 Does this MR need a changelog?
  - I have included a changelog entry.
  - I have not included a changelog entry because _____.
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content

Availability and Testing

- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team