Add endpoint to get Workspaces HTTP Server configuration at startup
MR: Add endpoint to get OAuth configuration for Wor... (!194652 - merged) • Chad Woolley • 18.4
Description
All workspaces traffic handled by the HTTP Server in GitLab Workspaces Proxy needs to be authenticated and authorized. This requires an OAuth redirect to first authenticate the user, which in turn requires the OAuth Client ID. This issue is to create the endpoint in Rails which will expose the workspaces HTTP server configuration. This endpoint will be called when the HTTP Server is starting in GitLab Agent Server. It will lazily create the OAuth application and return the client ID and redirect_url of the OAuth application (similar to Web IDE) and the api_external_url (kas_external_url + /workspaces).
The OAuth application will have a scope of openid. Its redirect_uri will be api_external_url + /oauth/redirect.
Acceptance criteria
- API endpoint exists
- OAuth application is lazily/automatically created by the endpoint
- If admin edits the OAuth app properties, they will be automatically fixed on the next request.
- Use the existing Applications::CreateService service to create the OAuth application, do not create it directly. See details in this summary thread.
- (out of scope) OAuth admin page has warning and ability to restore default config, similar to Web IDE (Prevent admin Web IDE OAuth app misconfigurations (!157093 - merged) • Cindy Halim • 17.3). Since we automatically update the properties if they are changed, this is less of a priority. TODO: Create follow-up issue for this.
Implementation plan
NOTE: The final implementation of this is likely to change based on how we end up handling OAuth apps in Cells, but since that is still being determined, and we need to unblock other work, we are proceeding with this implementation for now.
See this comment for a detailed summary and reasoning for the implementation used for now.
API Endpoint
This will be a REST endpoint, at internal/agents/agentw/server_config
This will be similar to the lib/api/internal/kubernetes.rb API endpoints.
Authentication for this is handled by the existing KAS authentication mechanism. See the call to authenticate_gitlab_kas_request! in lib/api/internal/kubernetes.rb.
Automatic creation of OAuth application
This will be very similar to the Web IDE implementation of the automatically-created OAuth app. See relevant files for Web IDE:
- lib/web_ide/default_oauth_application.rb
- config/routes.rb, see oauth-related routes under scope :ide
- app/controllers/ide_controller.rb, #ensure_web_ide_oauth_application!

def ensure_web_ide_oauth_application!
  ::WebIde::DefaultOauthApplication.ensure_oauth_application!
end
Creation of OAuth App
We will use the existing Applications::CreateService service to create the OAuth application.
We will not create it directly. See details in this summary thread.
Protection of OAuth settings
We will add support for resetting the settings of the cell-level OAuth app.
Note that since we are doing this automatic resetting, this issue does not include the GUI warning like the Web IDE does:
- Prevent misconfigurations when admin updates th... (#433322 - closed)
- Prevent admin Web IDE OAuth app misconfigurations (!157093 - merged)
This can be a follow-up issue to add the GUI warning, but it should not block this issue to get the workspaces oauth app introduced, which is a high priority and blocking multiple other issues.
Redirect
The protocol/host/port of the redirect will be based on the existing gitlab_kas_external_url setting, which points to the KAS instance. The path of the redirect will be "oauth/redirect".
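The lazy creation, property reset and redirect derivation described in this plan, as an added Ruby example that is not GitLab's code. Assumptions: a Hash stands in for the OAuth applications table and for Applications::CreateService, the class, constant and payload key names are hypothetical, and the KAS URL is a constructed https value.

```ruby
require "securerandom"
require "uri"

# Hypothetical in-memory stand-in for an OAuth application record.
OauthApp = Struct.new(:client_id, :name, :redirect_uri, :scopes, keyword_init: true)

class WorkspacesServerConfig
  APP_NAME = "Workspaces OAuth app (example)" # constructed name
  SCOPES = "openid"                           # scope stated in the issue
  attr_reader :resets                         # properties fixed on the last call

  def initialize(kas_external_url, store)
    @kas_external_url = kas_external_url
    @store = store # Hash: name => OauthApp (assumption, replaces the database)
    @resets = []
  end

  # api_external_url = kas_external_url + /workspaces, tolerating a trailing slash.
  def api_external_url
    uri = URI.parse(@kas_external_url)
    uri.path = "#{uri.path.chomp('/')}/workspaces"
    uri.to_s
  end

  # redirect_uri = api_external_url + /oauth/redirect
  def redirect_uri
    "#{api_external_url}/oauth/redirect"
  end

  # Create the app on first use, then put any edited property back to its expected value.
  def ensure_oauth_application!
    app = @store[APP_NAME] ||= OauthApp.new(
      client_id: SecureRandom.hex(16), name: APP_NAME,
      redirect_uri: redirect_uri, scopes: SCOPES
    )
    expected = { redirect_uri: redirect_uri, scopes: SCOPES }
    @resets = expected.reject { |field, value| app[field] == value }.keys
    @resets.each { |field| app[field] = expected[field] }
    app
  end

  # Payload returned to the HTTP server at startup (key names are assumptions).
  def to_h
    app = ensure_oauth_application!
    { client_id: app.client_id, redirect_url: app.redirect_uri,
      api_external_url: api_external_url }
  end
end
```

The `resets` list is the natural hook for an audit log entry, since a changed redirect_uri or scope on this application is worth recording even though it is corrected on the next request.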
References on cells-related changes to OAuth
- Sharding Key Investigation for `oauth_applicati... (#553465 - closed) • Aboobacker MK • 18.6 • On track
- &18384 (comment 2636079341) on Protocells Code Yellow Interlock - Migrate Firs... (&18384) • Nick Nguyen, Mark Wood
- From: gitlab-com/gl-infra/tenant-scale/cells-infrastructure/team#340 (comment 2669579649) on Discussion: Workspaces and Cells architecture c... (gitlab-com/gl-infra/tenant-scale/cells-infrastructure/team#340 - closed) • Steve Xuereb - Out of Office back 2026-01-05: