TL;DR: GitLab connection handling, token storage, and refresh logic can be moved out of the application and into a managed layer, letting developers request a fresh access token and call the provider API directly, according to WorkOS. That reduces implementation friction, but it also concentrates third-party access governance and secret-handling assumptions in one control point.
At a glance
What this is: This is a tutorial on using WorkOS Pipes to connect GitLab data to an app without building OAuth logic, token storage, or refresh handling yourself.
Why it matters: It matters because IAM teams must govern delegated third-party access, secret handling, and token lifecycle even when application teams no longer implement the OAuth flow directly.
👉 Read WorkOS's tutorial on connecting GitLab through Pipes
Context
GitLab integration becomes an identity governance problem as soon as an application requests user-granted API access on the user's behalf. The hard part is not the API call itself, but the lifecycle of the OAuth token, the scope it carries, and who owns the reauthorization path when access expires or changes.
This tutorial frames a managed token flow for application developers, but the security question for practitioners is broader: where does third-party access live, how is it refreshed, and how do you prove that scopes remain appropriate over time? For teams managing human identity, NHI, and delegated API access together, the control boundary is the token lifecycle rather than the widget UI.
Key questions
Q: How should security teams govern OAuth-based integrations with third-party services?
A: Security teams should govern OAuth integrations like any other delegated identity relationship. That means assigning ownership, limiting scopes to the minimum required, logging issuance and renewal events, and revoking access when the business use case ends. The important control is not just the initial consent screen. It is the full lifecycle of the token and the integration that depends on it.
Q: Why do managed token services still create identity governance risk?
A: Managed token services still create risk because they do not remove delegated access, they centralise it. If scope selection is too broad or renewal is not reviewed, the service can preserve access longer than the original business need. That is why identity governance must focus on entitlement boundaries, ownership, and reauthorization triggers rather than on whether developers wrote OAuth code themselves.
Q: What is the difference between API filtering and least privilege?
A: API filtering limits what results are returned, while least privilege limits what the token can do in the first place. A membership filter may hide irrelevant data, but it does not reduce the granted OAuth scope or stop the token from calling other permitted endpoints. Practitioners should treat filtering as a usability control, not an entitlement control.
Q: When should organisations reauthorise external service connections?
A: Organisations should reauthorise external service connections when the business purpose changes, the user’s role changes, the connected provider changes scope requirements, or the integration has been idle for an extended period. Reauthorisation is the point where governance can confirm that the access still matches the current need. Without it, delegated credentials can persist well beyond their intended use.
Technical breakdown
Managed OAuth token flow for third-party app access
A managed OAuth flow separates user consent, token issuance, and token refresh from the application code. In this pattern, the app asks a service for a valid provider token when it needs to call an API, rather than holding refresh logic itself. That reduces custom auth code, but it also means the intermediary becomes part of the trust chain. The application still depends on scope choice, token validity, and secure backend handling of the returned credential. For identity teams, the governance question is who can request access, who can reauthorize it, and where the control point sits when provider access changes.
Practical implication: treat the token broker as an identity control surface and review how access is requested, issued, and renewed.
Why token expiry and refresh change the security model
Token expiry is not just a reliability detail. It defines how long a delegated credential remains usable and whether the application or a platform service is responsible for renewal. When refresh is automated, the main risk shifts from manual storage mistakes to overbroad or long-lived delegated access that stays valid without recurring human review. That is especially important when the application can call multiple provider APIs from the same integration pattern. The governance issue is not whether refresh exists, but whether refresh creates an access path that outlives the business reason for granting it.
Practical implication: align token lifetime and reauthorization triggers with the business purpose of the integration, not with developer convenience.
Scope selection and delegated access boundaries in GitLab
OAuth scopes determine what the connected app can do, and in GitLab that boundary matters because read_api and api represent very different risk profiles. Read scopes limit the blast radius to data retrieval, while broader scopes can extend into code changes and repository operations. The article also highlights provider-specific query filtering, such as membership-based project listing, which narrows what the application retrieves but does not change the underlying token power. Practitioners should separate API filtering from authorization scope, because filtering controls output, not entitlement.
Practical implication: review scopes as the real entitlement boundary and do not confuse query filters with least privilege.
NHI Mgmt Group analysis
Managed OAuth does not remove identity risk, it relocates it. Workflows that push OAuth handling into a platform still depend on delegated third-party access, scope discipline, and secure token handling. The governance burden moves from application code to platform configuration and lifecycle oversight. That means IAM and security teams must still know who can connect services, what each scope allows, and when access should be revoked or reauthorized. The practitioner conclusion is simple: abstraction reduces engineering effort, not accountability.
Token lifecycle ownership has become the real control plane for SaaS integrations. Once applications request fresh access tokens from a broker, the security question is no longer whether developers stored refresh tokens correctly. The question becomes who governs issuance, renewal, and invalidation across users, organizations, and providers. This is a lifecycle issue as much as a technical one, and it spans human identity, delegated access, and NHI-style credential handling. Teams should treat token lifecycle events as first-class identity events.
Read scopes are not harmless by default, because delegated data access can still create sensitive exposure paths. Even a read-only integration can expose project metadata, account structure, and workflow patterns that attackers use for reconnaissance. The risk is not only what the token can change, but what it can reveal at scale. For identity programmes, that means access governance must consider data visibility, not just write privilege. The practical conclusion is that scope minimisation and data-minimisation need to be assessed together.
Identity governance for integrations is moving from single-app review to ecosystem review. A modern application may connect to GitLab, Slack, Salesforce, and other providers through the same pattern, which means the control problem is no longer one-off OAuth setup. It is a repeatable trust relationship that can spread across many services and teams. That expansion makes access reviews, consent logging, and offboarding more important, not less. Practitioners should plan for integration sprawl as part of IAM and NHI governance.
From our research:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- For a broader control baseline, see Ultimate Guide to NHIs for the lifecycle and governance patterns behind delegated access.
What this signals
Delegated access is becoming an identity governance category of its own. As more application teams hide OAuth complexity behind managed services, security leaders will need inventory, ownership, and revocation models that span SaaS integrations, not just internal workloads. The operational signal is clear: integration count is rising faster than governance maturity, and the gap will show up first in offboarding and consent review.
Managed abstractions will not reduce review burden unless the organisation changes its control model. The next maturity step is to treat token issuance, reauthorization, and provider scope drift as routine identity events. That is where OWASP Non-Human Identity Top 10 becomes useful as a control lens, because delegated access risk is still ultimately a non-human identity problem.
Scope creep in integration layers creates a quiet blast-radius problem. When one service can reach multiple external systems, a single broken ownership path can turn into broad exposure across GitLab, Salesforce, Slack, or similar providers. The programme response is to make consent, renewal, and offboarding visible enough to audit before the integration ecosystem outgrows manual review.
For practitioners
- Map delegated integration ownership Assign a business owner and technical owner for every external service connection, including who approves scopes, who reviews renewal events, and who disables the integration when the use case ends.
- Review OAuth scopes as entitlements Treat provider scopes as access entitlements that need documented justification, periodic review, and revocation criteria, especially when one token can reach multiple API endpoints.
- Separate output filtering from authorization Validate that query parameters such as membership filters do not create a false sense of least privilege, because the underlying token still carries the granted scope.
- Log token issuance and reauthorization events Capture when a user connects, reconnects, or loses access to an integration so identity and security teams can reconcile delegated access with account lifecycle changes.
Key takeaways
- Managed OAuth platforms reduce implementation effort, but they do not remove the governance burden around delegated third-party access.
- Token lifetime, scope selection, and ownership are the controls that determine whether a third-party integration remains proportionate to its business need.
- Identity teams should review external service connections as lifecycle-managed entitlements, not as one-time developer setup tasks.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | OAuth token lifecycle and refresh handling are central to delegated access governance. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access for connected services aligns with access management expectations. |
| NIST Zero Trust (SP 800-207) | PR.AA | The pattern depends on continuous verification of access to external systems. |
Map external integration scopes to access entitlements and recertify them on a defined cadence.
Key terms
- Delegated Access: Delegated access is a permission relationship where one system acts on behalf of a user or organisation against a third-party service. It is common in OAuth-based integrations and must be governed like any other identity, because the delegated credential can outlive the original business justification.
- OAuth Scope: An OAuth scope is the permission boundary attached to an access token. It defines which actions or data the connected application can reach, and it should be reviewed as an entitlement, not treated as a technical detail hidden behind an integration widget.
- Token Broker: A token broker is a service that issues, refreshes, or mediates access tokens on behalf of an application. It simplifies implementation, but it also becomes part of the trust chain, so organisations must define ownership, logging, renewal policy, and revocation responsibilities.
- Integration Offboarding: Integration offboarding is the process of removing access, credentials, and consent when a connected service is no longer needed. For OAuth-based integrations, this means revoking tokens, disabling connections, and confirming that any downstream data access has also stopped.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by WorkOS: Connect your app to GitLab without building OAuth. Read the original.
Published by the NHIMG editorial team on 2026-03-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
