Menu
I am connecting my GitLab account to PyCharm and while creating the token access in GitLab, I was uncertain what are the practical uses.
I am very new to this so if someone can dumb this down, that would be appreciated.
262
asked Oct 28 '25 11:10
The idea is to:
As illustrated here, if you intend to use a PAT as your GitLab password, you would need the "api" scope.
If not, "read_repository" or (if you don't need to clone) "read_user" is enough.
"read_registry" is only needed if your GitLab host docker images as a docker registry.
What I don't understand is it allows me to select all at once
That is because each scope matches a distinct use case, possibly covered by another scope.
By selecting them all, you cover all the use cases:
api covers everything (which is too much, as illustrated by issue 20440. GitLab 12.10, Apr. 2020, should fix that with merge request 28944 and a read_api scope)write (since GitLab 1.11, May 2019): "Repository read-write scope for personal access tokens".read_users and registry each address a distinct scenarioAs mentioned in gitlab-ce/merge_request 5951:
I would want us to (eventually) have separate scopes for
read_userandwrite_user, for example.I've looked at the OpenID Connect Core spec - it defines the profile, email, address, and phone scopes, which need to be accompanied by the openid scope.
Since we can have multiple allowable scopes for a given resource, my preference would be to leave the
read_userscope here, and add in the openid and profile scopes whenever we're implementing OpenID compliance.
The presence of other scopes (likeread_userandwrite_user) shouldn't affect the OpenID flow.
146
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
