Merge pull request #2953 from molnarpe/omniauth-oidc

Add support for Omniauth OpenID Connect login.

README.md

@@ -46,6 +46,7 @@
         - [Crowd](#crowd)
         - [Microsoft Azure](#microsoft-azure)
         - [Generic OAuth2](#Generic-OAuth2)
+        - [OpenID Connect](#openid-connect)
     - [Gitlab Pages](#gitlab-pages)
     - [External Issue Trackers](#external-issue-trackers)
     - [Host UID / GID Mapping](#host-uid--gid-mapping)
@@ -725,6 +726,30 @@ As an example this code has been tested with Keycloak, with the following variab
 
 See [GitLab documentation](https://docs.gitlab.com/ee/integration/oauth2_generic.html#sign-into-gitlab-with-almost-any-oauth2-provider) and [Omniauth-oauth2-generic documentation](https://gitlab.com/satorix/omniauth-oauth2-generic) for more details.
 
+##### OpenID Connect
+
+To enable OpenID Connect provider, you must register your application with your provider. You also need to confirm OpenID Connect provider app's ID and secret, the client options and the user's response structure.
+
+To use OIDC set at least `OAUTH_OIDC_ISSUER` and `OAUTH_OIDC_CLIENT_ID`.
+
+| GitLab setting                 | environment variable                | default value                  |
+|--------------------------------|-------------------------------------|--------------------------------|
+| `label`                        | `OAUTH_OIDC_LABEL`                  | `OpenID Connect`               |
+| `icon`                         | `OAUTH_OIDC_ICON`                   |                                |
+| `scope`                        | `OAUTH_OIDC_SCOPE`                  | `['openid','profile','email']` |
+| `response_type`                | `OAUTH_OIDC_RESPONSE_TYPE`          | `code`                         |
+| `issuer`                       | `OAUTH_OIDC_ISSUER`                 |                                |
+| `discovery`                    | `OAUTH_OIDC_DISCOVERY`              | `true`                         |
+| `client_auth_method`           | `OAUTH_OIDC_CLIENT_AUTH_METHOD`     | `basic`                        |
+| `uid_field`                    | `OAUTH_OIDC_UID_FIELD`              | `sub`                          |
+| `send_scope_to_token_endpoint` | `OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP` | `false`                        |
+| `pkce`                         | `OAUTH_OIDC_PKCE`                   | `true`                         |
+| `client_options.identifier`    | `OAUTH_OIDC_CLIENT_ID`              |                                |
+| `client_options.secret`        | `OAUTH_OIDC_CLIENT_SECRET`          | `secret`                       |
+| `client_options.redirect_uri`  | `OAUTH_OIDC_REDIRECT_URI`           | `http://${GITLAB_HOST}/users/auth/openid_connect/callback` or `https://${GITLAB_HOST}/users/auth/openid_connect/callback` depending on the value of `GITLAB_HTTPS` |
+
+See [GitLab OIDC documentation](https://docs.gitlab.com/ee/administration/auth/oidc.html) and [OmniAuth OpenID Connect documentation](https://github.com/omniauth/omniauth_openid_connect/).
+
 #### Gitlab Pages
 
 Gitlab Pages allows a user to host static websites from a project. Gitlab pages can be enabled with setting the envrionment variable `GITLAB_PAGES_ENABLED` to `true`.

assets/runtime/config/gitlabhq/gitlab.yml

@@ -1031,6 +1031,23 @@ production: &base
             client_id: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID}}',
             client_secret: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET}}',
             tenant_id: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID}}' } }
+      - { name: 'openid_connect',
+          label: '{{OAUTH_OIDC_LABEL}}',
+          icon: '{{OAUTH_OIDC_ICON}}',
+          args: {
+            name: 'openid_connect',
+            scope: {{OAUTH_OIDC_SCOPE}},
+            response_type: '{{OAUTH_OIDC_RESPONSE_TYPE}}',
+            issuer: '{{OAUTH_OIDC_ISSUER}}',
+            discovery: {{OAUTH_OIDC_DISCOVERY}},
+            client_auth_method: '{{OAUTH_OIDC_CLIENT_AUTH_METHOD}}',
+            uid_field: '{{OAUTH_OIDC_UID_FIELD}}',
+            send_scope_to_token_endpoint: {{OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP}},
+            pkce: {{OAUTH_OIDC_PKCE}},
+            client_options: {
+              identifier: '{{OAUTH_OIDC_CLIENT_ID}}',
+              secret: '{{OAUTH_OIDC_CLIENT_SECRET}}',
+              redirect_uri: '{{OAUTH_OIDC_REDIRECT_URI}}' } } }
 
     # SSO maximum session duration in seconds. Defaults to CAS default of 8 hours.
     # cas3:

assets/runtime/env-defaults

@@ -537,6 +537,28 @@ OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE=${OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE:-}
 OAUTH2_GENERIC_LABEL=${OAUTH2_GENERIC_LABEL:-}
 OAUTH2_GENERIC_NAME=${OAUTH2_GENERIC_NAME:-}
 
+### OpenID Connect
+OAUTH_OIDC_LABEL=${OAUTH_OIDC_LABEL:-'OpenID Connect'}
+OAUTH_OIDC_ICON=${OAUTH_OIDC_ICON:-}
+OAUTH_OIDC_SCOPE=${OAUTH_OIDC_SCOPE:-"['openid','profile','email']"}
+OAUTH_OIDC_RESPONSE_TYPE=${OAUTH_OIDC_RESPONSE_TYPE:-'code'}
+OAUTH_OIDC_ISSUER=${OAUTH_OIDC_ISSUER:-}
+OAUTH_OIDC_DISCOVERY=${OAUTH_OIDC_DISCOVERY:-true}
+OAUTH_OIDC_CLIENT_AUTH_METHOD=${OAUTH_OIDC_CLIENT_AUTH_METHOD:-'basic'}
+OAUTH_OIDC_UID_FIELD=${OAUTH_OIDC_UID_FIELD:-sub}
+OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP=${OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP:-false}
+OAUTH_OIDC_PKCE=${OAUTH_OIDC_PKCE:-true}
+OAUTH_OIDC_CLIENT_ID=${OAUTH_OIDC_CLIENT_ID:-}
+OAUTH_OIDC_CLIENT_SECRET=${OAUTH_OIDC_CLIENT_SECRET:-'secret'}
+case $GITLAB_HTTPS in
+  true)
+    OAUTH_OIDC_REDIRECT_URI=${OAUTH_OIDC_REDIRECT_URI:-https://${GITLAB_HOST}/users/auth/openid_connect/callback}
+    ;;
+  false)
+    OAUTH_OIDC_REDIRECT_URI=${OAUTH_OIDC_REDIRECT_URI:-http://${GITLAB_HOST}/users/auth/openid_connect/callback}
+    ;;
+esac
+
 ## ANALYTICS
 
 ### GOOGLE

assets/runtime/functions

@@ -793,6 +793,30 @@ gitlab_configure_oauth_azure_ad_v2() {
   fi
 }
 
+gitlab_configure_oauth_oidc() {
+  if [[ -n ${OAUTH_OIDC_ISSUER} && \
+        -n ${OAUTH_OIDC_CLIENT_ID} ]]; then
+    echo "Configuring gitlab::oauth::oidc..."
+    OAUTH_ENABLED=${OAUTH_ENABLED:-true}
+    update_template ${GITLAB_CONFIG} \
+      OAUTH_OIDC_LABEL \
+      OAUTH_OIDC_ICON \
+      OAUTH_OIDC_SCOPE \
+      OAUTH_OIDC_RESPONSE_TYPE \
+      OAUTH_OIDC_ISSUER \
+      OAUTH_OIDC_DISCOVERY \
+      OAUTH_OIDC_CLIENT_AUTH_METHOD \
+      OAUTH_OIDC_UID_FIELD \
+      OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP \
+      OAUTH_OIDC_PKCE \
+      OAUTH_OIDC_CLIENT_ID \
+      OAUTH_OIDC_CLIENT_SECRET \
+      OAUTH_OIDC_REDIRECT_URI
+  else
+    exec_as_git sed -i "/name: 'openid_connect'/,/{{OAUTH_OIDC_REDIRECT_URI}}/d" ${GITLAB_CONFIG}
+  fi
+}
+
 gitlab_configure_oauth() {
   echo "Configuring gitlab::oauth..."
 
@@ -810,6 +834,7 @@ gitlab_configure_oauth() {
   gitlab_configure_oauth_auth0
   gitlab_configure_oauth_azure
   gitlab_configure_oauth_azure_ad_v2
+  gitlab_configure_oauth_oidc
 
   OAUTH_ENABLED=${OAUTH_ENABLED:-false}
   update_template ${GITLAB_CONFIG} \
@@ -823,7 +848,7 @@ gitlab_configure_oauth() {
     OAUTH_ALLOW_BYPASS_TWO_FACTOR
 
   case ${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER} in
-    cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2|azure_activedirectory_v2|oauth2_generic|$OAUTH2_GENERIC_NAME)
+    cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2|azure_activedirectory_v2|oauth2_generic|$OAUTH2_GENERIC_NAME|oidc)
       update_template ${GITLAB_CONFIG} OAUTH_AUTO_SIGN_IN_WITH_PROVIDER
       ;;
     *)