gitlaboauth: Allow configuring a different api scope

CHANGELOG.md

@@ -18,6 +18,7 @@ All notable changes to Sourcegraph are documented in this file.
 - More rules have been added to the search query validation so that user get faster feedback on issues with their query. [#24747](https://github.com/sourcegraph/sourcegraph/pull/24747)
 - Bloom filters have been added to the zoekt indexing backend to accelerate queries with code fragments matching `\w{4,}`. [zoekt#126](https://github.com/sourcegraph/zoekt/pull/126)
 - For short search queries containing no filters but the name of a supported programming language we are now suggesting to run the query with a language filter. [#25792](https://github.com/sourcegraph/sourcegraph/pull/25792)
+- The API scope used by GitLab OAuth can now optionally be configured in the provider. [#26152](https://github.com/sourcegraph/sourcegraph/pull/26152)
 
 ### Changed
 

enterprise/cmd/frontend/internal/auth/gitlaboauth/config_test.go

@@ -72,6 +72,41 @@ func TestParseConfig(t *testing.T) {
 				}),
 			},
 		},
+		{
+			name: "1 GitLab.com config with scope override",
+			args: args{cfg: &conf.Unified{SiteConfiguration: schema.SiteConfiguration{
+				ExternalURL: "https://sourcegraph.example.com",
+				AuthProviders: []schema.AuthProviders{{
+					Gitlab: &schema.GitLabAuthProvider{
+						ApiScope:     "read_api",
+						ClientID:     "my-client-id",
+						ClientSecret: "my-client-secret",
+						DisplayName:  "GitLab",
+						Type:         extsvc.TypeGitLab,
+						Url:          "https://gitlab.com",
+					},
+				}},
+			}}},
+			wantProviders: map[schema.GitLabAuthProvider]providers.Provider{
+				{
+					ApiScope:     "read_api",
+					ClientID:     "my-client-id",
+					ClientSecret: "my-client-secret",
+					DisplayName:  "GitLab",
+					Type:         extsvc.TypeGitLab,
+					Url:          "https://gitlab.com",
+				}: provider("https://gitlab.com/", oauth2.Config{
+					RedirectURL:  "https://sourcegraph.example.com/.auth/gitlab/callback",
+					ClientID:     "my-client-id",
+					ClientSecret: "my-client-secret",
+					Endpoint: oauth2.Endpoint{
+						AuthURL:  "https://gitlab.com/oauth/authorize",
+						TokenURL: "https://gitlab.com/oauth/token",
+					},
+					Scopes: []string{"read_user", "read_api"},
+				}),
+			},
+		},
 		{
 			name:   "1 GitLab.com config, Sourcegraph.com",
 			dotcom: true,

enterprise/cmd/frontend/internal/auth/gitlaboauth/provider.go

@@ -37,7 +37,7 @@ func parseProvider(db dbutil.DB, callbackURL string, p *schema.GitLabAuthProvide
 				RedirectURL:  callbackURL,
 				ClientID:     p.ClientID,
 				ClientSecret: p.ClientSecret,
-				Scopes:       requestedScopes(extraScopes),
+				Scopes:       requestedScopes(p.ApiScope, extraScopes),
 				Endpoint: oauth2.Endpoint{
 					AuthURL:  codeHost.BaseURL.ResolveReference(&url.URL{Path: "/oauth/authorize"}).String(),
 					TokenURL: codeHost.BaseURL.ResolveReference(&url.URL{Path: "/oauth/token"}).String(),
@@ -76,14 +76,19 @@ func getStateConfig() gologin.CookieConfig {
 	return cfg
 }
 
-func requestedScopes(extraScopes []string) []string {
+func requestedScopes(defaultAPIScope string, extraScopes []string) []string {
 	scopes := []string{"read_user"}
+	if defaultAPIScope == "" {
+		defaultAPIScope = "api"
+	}
 	if envvar.SourcegraphDotComMode() {
 		// By default, request `read_api`. User's who are allowed to add private code
 		// will request full `api` access via extraScopes.
 		scopes = append(scopes, "read_api")
 	} else {
-		scopes = append(scopes, "api")
+		// For customer instances we default to api scope so that they can clone private
+		// repos but in they can optionally override this in config.
+		scopes = append(scopes, defaultAPIScope)
 	}
 	// Append extra scopes and ensure there are no duplicates
 	for _, s := range extraScopes {

schema/site.schema.json

@@ -1377,7 +1377,13 @@
           "type": "string",
           "description": "The Client Secret of the GitLab OAuth app, accessible from https://gitlab.com/oauth/applications (or the same path on your private GitLab instance)."
         },
-        "displayName": { "$ref": "#/definitions/AuthProviderCommon/properties/displayName" }
+        "displayName": { "$ref": "#/definitions/AuthProviderCommon/properties/displayName" },
+        "apiScope": {
+          "type": "string",
+          "description": "The OAuth api scope that should be used",
+          "default": "api",
+          "enum": ["api", "read_api"]
+        }
       }
     },
     "AuthProviderCommon": {