Reduce GitLab oauth's scope from api (full access) to read_user

[alikhajeh1]

Currently the GitLab oauth implementation uses the api scope, which results in users seeing this from GitLab: Full access to GitLab as the user, including read/write on all their groups and projects.

GitLab introduced read_user in version 8.15, which seems better suited for this purpose, the description of the scope is Read-only access to the user's profile information, like username, public email and full name. I think that would make it similar to what Origin does for GitHub.

Version

oc v3.6

[mfojtik]

@alikhajeh1 the "read_user" exists from version 8.15 and up, right? If users deploy lower versions, this will break the auth?

[alikhajeh1]

@mfojtik yeah it was added in 8.15 (so released just over a year ago): https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/5951
Yeah it'll probably break auth for older GL versions so I wonder if https://docs.openshift.org/latest/install_config/configuring_authentication.html#GitLab could have it as a configuration option?

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[enj]

@alikhajeh1 have you tried using GitLab's OIDC support to reduce the scope to openid? See https://trello.com/c/DXntmEOV for details.