Enhancing OAuth ROPC Security on GitLab.com
In an effort to further protect users and improve authentication security, GitLab.com has updated the use of the OAuth 2.0 Resource Owner Password Credentials (ROPC) grant. Beginning 15 May 2025, ROPC grant flows will be disabled by default for newly created applications. This step aligns GitLab with industry best practices and significantly reduces the attack surface associated with sensitive user credentials.
The ROPC flow is generally discouraged due to its inherent risks, primarily because it requires users to share their passwords directly with client applications. While GitLab previously allowed ROPC for specific trusted use cases such as CI systems, the potential for misuse remains a critical concern. Existing applications that currently use ROPC can continue to do so unless they are manually disabled or GitLab later enforces policy changes.
For developers who require credential-based access, GitLab recommends switching to more secure OAuth flows such as the authorization code flow or using Personal Access Tokens (PATs). Additionally, developers can manage tokens and refresh flows with fine-grained access control and expiration policies for better governance.
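To make the recommended migration concrete, the following is an added example (not GitLab's own code or part of the original announcement) of the client side of the authorization code flow with PKCE against GitLab.com. The `/oauth/authorize` and `/oauth/token` endpoints and the `read_api` scope are GitLab's documented ones; `CLIENT_ID`, `REDIRECT_URI` and the sample callback URL are placeholders. The point of the example is that, unlike a ROPC request (`grant_type=password` with the user's password in the body), no credential other than the short-lived authorization code and the client's own PKCE verifier ever leaves the client.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Real, documented GitLab.com OAuth endpoints.
AUTHORIZE_URL = "https://gitlab.com/oauth/authorize"
TOKEN_URL = "https://gitlab.com/oauth/token"

# Placeholder client settings (assumed; replace with your application's values).
CLIENT_ID = "<your-application-id>"
REDIRECT_URI = "http://127.0.0.1:8080/callback"


def make_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) for the S256 PKCE method."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def verify_challenge(verifier: str, challenge: str) -> bool:
    """What the authorization server checks at token exchange time."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return secrets.compare_digest(expected, challenge)


def build_authorize_url(state: str, code_challenge: str, scope: str = "read_api") -> str:
    """URL the user is sent to; GitLab, not the client, collects the password."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "state": state,
        "scope": scope,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def extract_code(callback_url: str, expected_state: str) -> str:
    """Validate the callback's state (CSRF protection) and return the authorization code."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    if "error" in query:
        raise ValueError(f"authorization denied: {query['error'][0]}")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def build_token_request(code: str, code_verifier: str) -> dict:
    """Form body for POST TOKEN_URL. Contrast with ROPC, whose body would carry
    grant_type=password plus the user's username and password."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": code_verifier,
    }


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    print("Send the user to:", build_authorize_url(state, challenge))
    # Constructed sample callback, as the browser would deliver it after consent.
    sample_callback = f"{REDIRECT_URI}?code=sample-code&state={state}"
    code = extract_code(sample_callback, state)
    print("POST", TOKEN_URL, build_token_request(code, verifier))
```

Persist `state` and `code_verifier` server-side (or in the user's session) between the redirect and the callback; the state check in `extract_code` is only meaningful if the value compared against was generated for that same session.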
GitLab's change reflects a broader commitment to improving trust and securing user data across all stages of the software development lifecycle.
If your organisation requires support adapting to this change or wants to implement best-in-class security policies with GitLab, our team at IDEA GitLab Solutions is here to help. We provide expert GitLab consulting, enterprise licensing, and implementation services across the Czech Republic, Slovakia, Croatia, Serbia, Slovenia, Macedonia, the United Kingdom, and remotely in Israel, South Africa, and Paraguay.