- Supported OAuth 2.0 flows
- Access GitLab API with
access token - Access Git over HTTPS with
access token - Retrieve the token information
- Revoke a token
- OAuth 2.0 tokens and GitLab registries
OAuth 2.0 identity provider API
GitLab provides an API to allow third-party services to access GitLab resources on a user’s behalf with the To configure GitLab for this, see Configure GitLab as an OAuth 2.0 authentication identity provider.
This functionality is based on the .
GitLab supports the following authorization flows:
The draft specification for Refer to the Both authorization code (with or without PKCE) and implicit grant flows require For a list of scopes in GitLab, see the provider documentation.
To ,
the OAuth specification recommends the use of “One-time use CSRF tokens carried in the state
parameter, which are securely bound to the user agent”, with each request to the
For production, please use HTTPS for your As OAuth 2.0 bases its security entirely on the transport layer, you should not use unprotected
URIs. For more information, see the
and the .
These factors are particularly important when using the
Implicit grant flow, where actual credentials are included in the In the following sections you can find detailed instructions on how to obtain
authorization with each flow.
The The Authorization code with PKCE flow, PKCE for short, makes it possible to securely perform
the OAuth exchange of client credentials for access tokens on public clients without
requiring access to the Client Secret at all. This makes the PKCE flow advantageous
for single page JavaScript applications or other client side apps where keeping secrets
from the user is a technical impossibility.
Before starting the flow, generate the Request authorization code. To do that, you should redirect the user to the
This page asks the user to approve the request from the app to access their
account based on the scopes specified in With the authorization Example response:
To retrieve a new Example response:
You can now make requests to the API with the access token.
The authorization code flow is essentially the same as
authorization code flow with PKCE,
Before starting the flow, generate the Request authorization code. To do that, you should redirect the user to the
This page asks the user to approve the request from the app to access their
account based on the scopes specified in With the authorization Example response:
To retrieve a new Example response:
You can now make requests to the API with the access token returned.
In this flow, a token is requested in exchange for the resource owner credentials
(username and password).
The credentials should only be used when:
Even though this grant type requires direct client access to the resource owner
credentials, the resource owner credentials are used for a single request and
are exchanged for an access token. This grant type can eliminate the need for
the client to store the resource owner credentials for future use, by exchanging
the credentials with a long-lived access token or refresh token.
To request an access token, you must make a POST request to Example cURL request:
You can also use this grant flow with registered OAuth applications, by using
HTTP Basic Authentication with the application’s Then, you receive a response containing the access token:
By default, the scope of the access token is For testing, you can use the We recommend that you use Authorization code with PKCE
instead.
Unlike the authorization code flow, the client receives an To request the access token, you should redirect the user to the
This prompts the user to approve the applications access to their account
based on the scopes specified in The or you can put the token to the Authorization header:
A token with scope
To verify the details of a token, use the You must supply the access token, either:
As a parameter:
In the Authorization header:
The following is an example response:
The fields These fields are aliases for Don’t rely on these fields as they are slated for removal in a later release.
To revoke a token, use the Standard OAuth 2.0 tokens support different degrees of access to GitLab
registries, as they:
If you didn't find what you were looking for,
search the docs.
If you want help with something specific and could use community support,
.
For problems setting up or using this feature (depending on your GitLab
subscription).Supported OAuth 2.0 flows
application to be
registered first via the /profile/applications page in your user’s account.
During registration, by enabling proper scopes, you can limit the range of
resources which the application can access. Upon creation, you obtain the
application credentials: Application ID and Client Secret. The Client Secret
must be kept secure. It is also advantageous to keep the Application ID
secret when your application architecture allows.
Prevent CSRF attacks
/oauth/authorize endpoint. This can prevent
.
Use HTTPS in production
redirect_uri.
For development, GitLab allows insecure HTTP redirect URIs.
redirect_uri.
Authorization code with Proof Key for Code Exchange (PKCE)
STATE, the CODE_VERIFIER and the CODE_CHALLENGE.
STATE a value that can’t be predicted used by the client to maintain
state between the request and callback. It should also be used as a CSRF token.
CODE_VERIFIER is a random string, between 43 and 128 characters in length,
which use the characters A-Z, a-z, 0-9, -, ., _, and ~.
CODE_CHALLENGE is an URL-safe base64-encoded string of the SHA256 hash of the
CODE_VERIFIER
Base64.urlsafe_encode64(Digest::SHA256.digest(CODE_VERIFIER), padding: false).
CODE_VERIFIER string of ks02i3jdikdo2k0dkfodf3m39rjfjsdk0wk349rj3jrhf when hashed
and encoded using the Ruby snippet above produces a CODE_CHALLENGE string
of 2i0WFA-0AerkjQm4X4oDEhqA17QIAKNjXpagHBXmO_U.
/oauth/authorize page with the following query parameters:
https://gitlab.example.com/oauth/authorize?client_id=APP_ID&redirect_uri=REDIRECT_URI&response_type=code&state=STATE&scope=REQUESTED_SCOPES&code_challenge=CODE_CHALLENGE&code_challenge_method=S256
REQUESTED_SCOPES. The user is then
redirected back to the specified REDIRECT_URI. The scope parameter
is a space-separated list of scopes associated with the user.
For example,scope=read_user+profile requests the read_user and profile scopes.
The redirect includes the authorization code, for example:
https://example.com/oauth/redirect?code=1234567890&state=STATE
code returned from the previous request (denoted as
RETURNED_CODE in the following example), you can request an access_token, with
any HTTP client. The following example uses Ruby’s rest-client:
parameters = 'client_id=APP_ID&code=RETURNED_CODE&grant_type=authorization_code&redirect_uri=REDIRECT_URI&code_verifier=CODE_VERIFIER'
RestClient.post 'https://gitlab.example.com/oauth/token', parameters
{
"access_token": "de6780bc506a0446309bd9362820ba8aed28aa506c71eedbe1c5c4f9dd350e54",
"token_type": "bearer",
"expires_in": 7200,
"refresh_token": "8257e65c97202ed1726cf9571600918f3bffb2544b26e00a61df9897668c33a1",
"created_at": 1607635748
}
access_token, use the refresh_token parameter. Refresh tokens may
be used even after the access_token itself expires. This request:
access_token and refresh_token.
parameters = 'client_id=APP_ID&refresh_token=REFRESH_TOKEN&grant_type=refresh_token&redirect_uri=REDIRECT_URI&code_verifier=CODE_VERIFIER'
RestClient.post 'https://gitlab.example.com/oauth/token', parameters
{
"access_token": "c97d1fe52119f38c7f67f0a14db68d60caa35ddc86fd12401718b649dcfa9c68",
"token_type": "bearer",
"expires_in": 7200,
"refresh_token": "803c1fd487fec35562c205dac93e9d8e08f9d3652a24079d704df3039df1158f",
"created_at": 1628711391
}
redirect_uri must match the redirect_uri used in the original
authorization request.Authorization code flow
STATE. It is a value that can’t be predicted
used by the client to maintain state between the request and callback. It should also
be used as a CSRF token.
/oauth/authorize page with the following query parameters:
https://gitlab.example.com/oauth/authorize?client_id=APP_ID&redirect_uri=REDIRECT_URI&response_type=code&state=STATE&scope=REQUESTED_SCOPES
REQUESTED_SCOPES. The user is then
redirected back to the specified REDIRECT_URI. The scope parameter
is a space-separated list of scopes associated with the user.
For example,scope=read_user+profile requests the read_user and profile scopes.
The redirect includes the authorization code, for example:
https://example.com/oauth/redirect?code=1234567890&state=STATE
code returned from the previous request (shown as
RETURNED_CODE in the following example), you can request an access_token, with
any HTTP client. The following example uses Ruby’s rest-client:
parameters = 'client_id=APP_ID&client_secret=APP_SECRET&code=RETURNED_CODE&grant_type=authorization_code&redirect_uri=REDIRECT_URI'
RestClient.post 'https://gitlab.example.com/oauth/token', parameters
{
"access_token": "de6780bc506a0446309bd9362820ba8aed28aa506c71eedbe1c5c4f9dd350e54",
"token_type": "bearer",
"expires_in": 7200,
"refresh_token": "8257e65c97202ed1726cf9571600918f3bffb2544b26e00a61df9897668c33a1",
"created_at": 1607635748
}
access_token, use the refresh_token parameter. Refresh tokens may
be used even after the access_token itself expires. This request:
access_token and refresh_token.
parameters = 'client_id=APP_ID&client_secret=APP_SECRET&refresh_token=REFRESH_TOKEN&grant_type=refresh_token&redirect_uri=REDIRECT_URI'
RestClient.post 'https://gitlab.example.com/oauth/token', parameters
{
"access_token": "c97d1fe52119f38c7f67f0a14db68d60caa35ddc86fd12401718b649dcfa9c68",
"token_type": "bearer",
"expires_in": 7200,
"refresh_token": "803c1fd487fec35562c205dac93e9d8e08f9d3652a24079d704df3039df1158f",
"created_at": 1628711391
}
redirect_uri must match the redirect_uri used in the original
authorization request.Resource owner password credentials flow
/oauth/token with
the following parameters:
{
"grant_type" : "password",
"username" : "user@example.com",
"password" : "secret"
}
echo 'grant_type=password&username=<your_username>&password=<your_password>' > auth.txt
curl --data "@auth.txt" --request POST "https://gitlab.example.com/oauth/token"
client_id and client_secret:
echo 'grant_type=password&username=<your_username>&password=<your_password>' > auth.txt
curl --data "@auth.txt" --user client_id:client_secret \
--request POST "https://gitlab.example.com/oauth/token"
{
"access_token": "1f0af717251950dbd4d73154fdf0a474a5c5119adad999683f5b450c460726aa",
"token_type": "bearer",
"expires_in": 7200
}
api, which provides complete read/write access.
oauth2 Ruby gem:
client = OAuth2::Client.new('the_client_id', 'the_client_secret', :site => "https://example.com")
access_token = client.password.get_token('user@example.com', 'secret')
puts access_token.token
Implicit grant flow (DEPRECATED)
access token
immediately as a result of the authorization request. The flow does not use the
client secret or the authorization code, as the application
code and storage is accessible on client browsers and mobile devices.
/oauth/authorize endpoint using token response type:
https://gitlab.example.com/oauth/authorize?client_id=APP_ID&redirect_uri=REDIRECT_URI&response_type=token&state=YOUR_UNIQUE_STATE_HASH&scope=REQUESTED_SCOPES
REQUESTED_SCOPES and then redirect back to
the REDIRECT_URI you provided. The scope parameter
is a space-separated list of scopes you want to have access to (for example, scope=read_user+profile
would request read_user and profile scopes). The redirect
includes a fragment with access_token as well as token details in GET
parameters, for example:
https://example.com/oauth/redirect#access_token=ABCDExyz123&state=YOUR_UNIQUE_STATE_HASH&token_type=bearer&expires_in=3600
Access GitLab API with
access token
access token allows you to make requests to the API on behalf of a user.
You can pass the token either as GET parameter:
GET https://gitlab.example.com/api/v4/user?access_token=OAUTH-TOKEN
curl --header "Authorization: Bearer OAUTH-TOKEN" "https://gitlab.example.com/api/v4/user"
Access Git over HTTPS with
access token
read_repository or write_repository can access Git over HTTPS. Use the token as the password.
The username must be oauth2, not your username.
Retrieve the token information
token/info endpoint provided by the
Doorkeeper gem. For more information, see
/oauth/token/info.
GET https://gitlab.example.com/oauth/token/info?access_token=<OAUTH-TOKEN>
curl --header "Authorization: Bearer <OAUTH-TOKEN>" "https://gitlab.example.com/oauth/token/info"
{
"resource_owner_id": 1,
"scope": ["api"],
"expires_in": null,
"application": {"uid": "1cb242f495280beb4291e64bee2a17f330902e499882fe8e1e2aa875519cab33"},
"created_at": 1575890427
}
Deprecated fields
scopes and expires_in_seconds are included in the response.
scope and expires_in respectively, and have been included to
prevent breaking changes introduced in .
Revoke a token
revoke endpoint. The API returns a 200 response code and an empty
JSON hash to indicate success.
parameters = 'client_id=APP_ID&client_secret=APP_SECRET&token=TOKEN'
RestClient.post 'https://gitlab.example.com/oauth/revoke', parameters
OAuth 2.0 tokens and GitLab registries
Help & feedback
Docs
Edit this page
to fix an error or add an improvement in a merge request.
Create an issue
to suggest an improvement to this page.
Product
Create an issue
if there's something you don't like about this feature.
Propose functionality
by submitting a feature request.
to help shape new features.
Feature availability and product trials
to see all GitLab tiers and features, or to upgrade.
with access to all features for 30 days.
Get Help