Published on: April 1, 2025

Improving OAuth ROPC security on GitLab.com

GitLab.com is improving the security of OAuth Resource Owner Password Credentials (ROPC) by requiring client authentication, effective April 8, 2025.


GitLab.com will require client authentication for OAuth Resource Owner Password Credentials (ROPC) beginning on April 8, 2025. ROPC was omitted by the OAuth working group in RFC Version 2.1. Existing ROPC integrations without client credentials will experience service disruption after this date. Please update your integrations to include client credentials before the deadline.

What is changing

GitLab.com is improving the security of OAuth ROPC by requiring client authentication for all requests, effective April 8, 2025. For more details about ROPC and authentication mechanisms, read more in the “Example ROPC Request Types” section of this notice or read about ROPC in the OAuth API GitLab page.

Why this change matters

  • Enhanced security: Client authentication provides an additional layer of security by ensuring that only authorized applications can request access tokens.
  • Standards compliance: This change brings GitLab's OAuth implementation into alignment with industry best practices and OAuth 2.0 specifications.
  • Improved auditing: Client authentication improves application request traceability and monitoring.

Required action

We strongly recommend updating your implementation before April 8, 2025, by following these steps:

  1. Register your application in GitLab to obtain client credentials:
    • Navigate to User Settings > Applications (or register a group or instance OAuth application as desired).
    • Create a new application or use an existing one.
    • Note the provided Application ID (client_id) and Secret (client_secret).
  2. Update your authentication requests to include the client credentials:
    • Add the client_id and client_secret parameters to your token requests.
    • Test your implementation in our staging environment.
  3. Review our implementation documentation for detailed guidance:

Example ROPC request types

Detailed examples of authorization requests as documented in the OAuth API GitLab page are listed below.

Insecure ROPC method example:

This insecure ROPC method does not use client authentication, and will not work on GitLab.com after April 8, 2025.

POST /oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=user@example.com&password=secret

Insecure ROPC JSON method example:

This insecure ROPC method does not use client authentication, and will not work on GitLab.com after April 8, 2025.

POST /oauth/token
Content-Type: application/json

{
  "grant_type": "password",
  "username": "user@example.com",
  "password": "secret"
}

Required method going forward:

POST /oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=user@example.com&password=secret&client_id=APP_ID&client_secret=APP_SECRET

Required method - JSON example:

POST /oauth/token
Content-Type: application/json

{
  "grant_type": "password",
  "username": "user@example.com",
  "password": "secret",
  "client_id": "APP_ID",
  "client_secret": "APP_SECRET"
}
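The request types above and the "Required action" steps, as an added Python example that is not GitLab's code: it builds a compliant ROPC token request in either encoding, refuses to build one without client credentials, and audits captured request bodies (for example from an outbound proxy log) so existing integrations can be checked before the April 8, 2025 deadline. The sample bodies, the APP_ID/APP_SECRET values and user@example.com are constructed placeholders, not real credentials.

```python
# Added example (not GitLab's code): build ROPC token requests that carry
# client authentication, and audit request bodies for the change in this notice.
import json
from urllib.parse import parse_qs, urlencode

TOKEN_ENDPOINT = "/oauth/token"  # path shown in the examples above
# Fields a password-grant request must carry after April 8, 2025.
REQUIRED_FIELDS = ("grant_type", "username", "password", "client_id", "client_secret")


class MissingClientAuth(ValueError):
    """Raised when an ROPC request would be sent without client credentials."""


def build_ropc_request(username, password, client_id, client_secret, as_json=False):
    """Return (headers, body) for a compliant ROPC token request.

    Refuses to build a request without client credentials, so an integration
    cannot silently fall back to the insecure form that stops working.
    """
    if not client_id or not client_secret:
        raise MissingClientAuth("client_id and client_secret are required")
    params = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    if as_json:
        return {"Content-Type": "application/json"}, json.dumps(params)
    return {"Content-Type": "application/x-www-form-urlencoded"}, urlencode(params)


def parse_token_request(content_type, body):
    """Parse a form-encoded or JSON token request body into a flat dict."""
    if content_type.startswith("application/json"):
        return {k: str(v) for k, v in json.loads(body).items()}
    if content_type.startswith("application/x-www-form-urlencoded"):
        return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    raise ValueError(f"unsupported content type: {content_type}")


def audit_ropc_request(content_type, body):
    """Return the list of required fields a password-grant request is missing.

    An empty list means the request carries client authentication. Requests
    using another grant type are not ROPC and are reported as compliant.
    """
    fields = parse_token_request(content_type, body)
    if fields.get("grant_type") != "password":
        return []
    return [name for name in REQUIRED_FIELDS if not fields.get(name)]


def _compliant_sample(as_json):
    # Constructed placeholder credentials; never hard-code real ones.
    headers, body = build_ropc_request(
        "user@example.com", "secret", "APP_ID", "APP_SECRET", as_json=as_json
    )
    return headers["Content-Type"], body


# Constructed sample bodies mirroring the four example requests in this notice.
SAMPLES = {
    "insecure_form": (
        "application/x-www-form-urlencoded",
        "grant_type=password&username=user%40example.com&password=secret",
    ),
    "insecure_json": (
        "application/json",
        '{"grant_type": "password", "username": "user@example.com", "password": "secret"}',
    ),
    "required_form": _compliant_sample(as_json=False),
    "required_json": _compliant_sample(as_json=True),
}

if __name__ == "__main__":
    for name, (content_type, body) in SAMPLES.items():
        missing = audit_ropc_request(content_type, body)
        status = "OK" if not missing else f"will break, missing {missing}"
        print(f"{name:14s} POST {TOKEN_ENDPOINT} ({content_type}): {status}")
```

The audit function treats both encodings the same way because GitLab accepts either; running it over captured request bodies from an integration's outbound traffic is a quick way to find the ones that still send the insecure form. Keep the client secret in a secret store, not in source.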

Need further guidance?
