Read API scope support#219
Conversation
|
Not a maintainer, just passing by and wondering: Reducing scopes is a good principle, what is the advantage of using
It might make sense to update the docs: https://github.com/jenkinsci/gitlab-oauth-plugin/blob/master/docs/README.md -- the scope set on GitLab side does not have to be |
You are correct, and that was my original fix; just replacing the hardcoded api scope. That does break any preconfigured api scope token however locking you out of the controller and mandating a cli fix. |
|
Hm, you're right, if I try to login with
This plugin does not manage repository states and does not expose the token to other plugins (AFAIK). The plugins that write to GitLab use separate credentials. Maybe the description should make it clear that the scope you set here should match whatever you've set in GitLab and that |
Updated the description of the OAuth scope and adjusted recommendations.
Cleaned up the word salad to hopefully make it clearer.
Exactly the dilemma I had. The plugin itself has no use of the full scope, any other implementation however could theoretically access the token via |
The documentation update is still needed, it should say that the scope set in GitLab must match the scope in Jenkins settings. Otherwise looks good 👍 |
Co-authored-by: Zbynek Konecny <zbynek1729@gmail.com>
Feature enhancement for #118
Added a scope configuration property replacing hard-coded 'api' to allow customizing the OAuth scopes requested during login.
Added an "OAuth Scope" dropdown menu.
Added a dedicated help.html,
The default choice safely remains api to preserve backwards compatibility.
Testing done
Verified backwards compatibility for api and tested read_api scoped client token by installing the packaged hpi into an existing jenkins controller.
Submitter checklist