Published on: April 1, 2025
2 min read
Improving OAuth ROPC security on GitLab.com
GitLab.com is improving the security of OAuth Resource Owner Password Credentials (ROPC) by requiring client authentication, effective April 8, 2025.
GitLab.com will require client authentication for OAuth Resource Owner Password Credentials (ROPC) beginning on April 8, 2025. ROPC was omitted by the OAuth working group in RFC Version 2.1. Existing ROPC integrations without client credentials will experience service disruption after this date. Please update your integrations to include client credentials before the deadline.
What is changing
GitLab.com is improving the security of OAuth ROPC by requiring client authentication for all requests, effective April 8, 2025. For more details about ROPC and authentication mechanisms, read more in the “Example ROPC Request Types” section of this notice or read about ROPC in the OAuth API GitLab page.
Why this change matters
- Enhanced security: Client authentication provides an additional layer of security by ensuring that only authorized applications can request access tokens.
- Standards compliance: This change brings GitLab's OAuth implementation into alignment with industry best practices and OAuth 2.0 specifications.
- Improved auditing: Client authentication improves application request traceability and monitoring.
Required action
We strongly recommend updating your implementation before April 8, 2025, by following these steps:
- Register your application in GitLab to obtain client credentials:
- Navigate to User Settings > Applications (or register a group or instance OAuth application as desired).
- Create a new application or use an existing one.
- Note the provided
Application ID(client_id) andSecret(client_secret).
- Update your authentication requests to include the client credentials:
- Add the
client_idandclient_secretparameters to your token requests. - Test your implementation in our staging environment.
- Add the
- Review our implementation documentation for detailed guidance:
Example ROPC request types
Detailed examples of authorization requests as documented in the OAuth API GitLab page are listed below.
Insecure ROPC method example:
This insecure ROPC method does not use client authentication, and will not work on GitLab.com after April 8, 2025.
POST /oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=password&[email protected]&password=secret
Insecure ROPC JSON method example:
This insecure ROPC method does not use client authentication, and will not work on GitLab.com after April 8, 2025.
POST /oauth/token
Content-Type: application/json
{
"grant_type": "password",
"username": "[email protected]",
"password": "secret"
}
Required method going forward:
POST /oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=password&[email protected]&password=secret&client_id=APP_ID&client_secret=APP_SECRET
Required method - JSON example:
POST /oauth/token
Content-Type: application/json
{
"grant_type": "password",
"username": "[email protected]",
"password": "secret",
"client_id": "APP_ID",
"client_secret": "APP_SECRET"
}
Need further guidance?
- Documentation: GitLab OAuth 2.0 Guide
- Support: Contact GitLab Support
- Community Forum: Discuss this change in the GitLab Forum