GitLab auth uses full name instead of username as user ID, allowing impersonation
Installations which use the GitLab auth connector are vulnerable to identity spoofing. A GitLab account configured with the same full name as another GitLab user is treated as that user, provided the other user was granted access to a Concourse team by having their full name listed under users in the team configuration or given to the --gitlab-user flag. See the GitLab auth docs for details. Concourse installations which do not configure the GitLab auth …
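The flaw described above, as an added Go example that is not Concourse's own code: a team allowlist matched on the free-text full name admits a second account, while matching on the unique username does not, and a small audit helper flags allowlist entries that match more than one account. The type, field and function names and the sample accounts are assumptions made for illustration.

```go
package main

import "fmt"

// GitLabUser holds the two profile fields that matter here (illustrative type).
type GitLabUser struct {
	Username string // unique on the GitLab instance
	Name     string // free-text full name, set by the account owner
}

// allowed reports whether key(u) appears in the team's configured user list.
func allowed(teamUsers []string, u GitLabUser, key func(GitLabUser) string) bool {
	for _, entry := range teamUsers {
		if entry == key(u) {
			return true
		}
	}
	return false
}

func byFullName(u GitLabUser) string { return u.Name }     // flawed identifier
func byUsername(u GitLabUser) string { return u.Username } // unique identifier

// ambiguousEntries lists team entries that match more than one account when
// compared by full name, i.e. entries that cannot identify a single person.
func ambiguousEntries(teamUsers []string, accounts []GitLabUser) []string {
	var out []string
	for _, entry := range teamUsers {
		n := 0
		for _, a := range accounts {
			if a.Name == entry {
				n++
			}
		}
		if n > 1 {
			out = append(out, entry)
		}
	}
	return out
}

func main() {
	// Constructed sample accounts: two different users with the same full name.
	member := GitLabUser{Username: "alice", Name: "Alice Example"}
	other := GitLabUser{Username: "alice-2", Name: "Alice Example"}
	fmt.Println(allowed([]string{"Alice Example"}, other, byFullName))
	fmt.Println(allowed([]string{"alice"}, other, byUsername))
	fmt.Println(ambiguousEntries([]string{"Alice Example"}, []GitLabUser{member, other}))
}
```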