From f30613b19229c96f959c69204420a699ee0d67a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moln=C3=A1r=20P=C3=A9ter?=
Date: Tue, 18 Jun 2024 21:37:37 +0200
Subject: [PATCH 1/3] Add support for Omniauth OpenID Connect login.
---
 README.md | 25 +++++++++++++++++++++
 assets/runtime/config/gitlabhq/gitlab.yml | 17 ++++++++++++++
 assets/runtime/env-defaults | 22 ++++++++++++++++++
 assets/runtime/functions | 27 ++++++++++++++++++++++-
 4 files changed, 90 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index f46aa79d..a8e871a1 100644
--- a/README.md
+++ b/README.md
@@ -46,6 +46,7 @@
 - [Crowd](#crowd)
 - [Microsoft Azure](#microsoft-azure)
 - [Generic OAuth2](#Generic-OAuth2)
+ - [OpenID Connect](#OpenID-Connect)
 - [Gitlab Pages](#gitlab-pages)
 - [External Issue Trackers](#external-issue-trackers)
 - [Host UID / GID Mapping](#host-uid--gid-mapping)
@@ -725,6 +726,30 @@ As an example this code has been tested with Keycloak, with the following variab
 See [GitLab documentation](https://docs.gitlab.com/ee/integration/oauth2_generic.html#sign-into-gitlab-with-almost-any-oauth2-provider) and [Omniauth-oauth2-generic documentation](https://gitlab.com/satorix/omniauth-oauth2-generic) for more details.
+##### OpenID Connect
+
+To enable OpenID Connect provider, you must register your application with your provider. You also need to confirm OpenID Connect provider app's ID and secret, the client options and the user's response structure.
+
+To use OIDC set at least `OAUTH_OIDC_ISSUER` and `OAUTH_OIDC_CLIENT_ID`.
+
+| GitLab setting | environment variable |
+|----------------|----------------------|
+| `label` | `OAUTH_OIDC_LABEL` |
+| `icon` | `OAUTH_OIDC_ICON` |
+| `scope`| `OAUTH_OIDC_SCOPE` |
+| `response_type` | `OAUTH_OIDC_RESPONSE_TYPE` |
+| `issuer` | `OAUTH_OIDC_ISSUER` |
+| `discovery` | `OAUTH_OIDC_DISCOVERY` |
+| `client_auth_method` | `OAUTH_OIDC_CLIENT_AUTH_METHOD` |
+| `uid_field` | `OAUTH_OIDC_UID_FIELD` |
+| `send_scope_to_token_endpoint` | `OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP` |
+| `pkce` | `OAUTH_OIDC_PKCE` |
+| `client_options.identifier` | `OAUTH_OIDC_CLIENT_ID` |
+| `client_options.secret` | `OAUTH_OIDC_CLIENT_SECRET` |
+| `client_options.redirect_uri` | `OAUTH_OIDC_REDIRECT_URI` |
+
+See [GitLab OIDC documentation](https://docs.gitlab.com/ee/administration/auth/oidc.html) and [OmniAuth OpenID Connect documentation](https://github.com/omniauth/omniauth_openid_connect/).
+
 #### Gitlab Pages
 Gitlab Pages allows a user to host static websites from a project. Gitlab pages can be enabled with setting the envrionment variable `GITLAB_PAGES_ENABLED` to `true`.
diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml
index 226ced2e..f828dd6f 100644
--- a/assets/runtime/config/gitlabhq/gitlab.yml
+++ b/assets/runtime/config/gitlabhq/gitlab.yml
@@ -1031,6 +1031,23 @@ production: &base
 client_id: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_ID}}',
 client_secret: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_CLIENT_SECRET}}',
 tenant_id: '{{OAUTH_AZURE_ACTIVEDIRECTORY_V2_TENANT_ID}}' } }
+ - { name: 'openid_connect',
+ label: '{{OAUTH_OIDC_LABEL}}',
+ icon: '{{OAUTH_OIDC_ICON}}',
+ args: {
+ name: 'openid_connect',
+ scope: {{OAUTH_OIDC_SCOPE}},
+ response_type: '{{OAUTH_OIDC_RESPONSE_TYPE}}',
+ issuer: '{{OAUTH_OIDC_ISSUER}}',
+ discovery: {{OAUTH_OIDC_DISCOVERY}},
+ client_auth_method: '{{OAUTH_OIDC_CLIENT_AUTH_METHOD}}',
+ uid_field: '{{OAUTH_OIDC_UID_FIELD}}',
+ send_scope_to_token_endpoint: {{OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP}},
+ pkce: {{OAUTH_OIDC_PKCE}},
+ client_options: {
+ identifier: '{{OAUTH_OIDC_CLIENT_ID}}',
+ secret: '{{OAUTH_OIDC_CLIENT_SECRET}}',
+ redirect_uri: '{{OAUTH_OIDC_REDIRECT_URI}}' } } }
 # SSO maximum session duration in seconds. Defaults to CAS default of 8 hours.
 # cas3:
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
index 2484a142..8b2e256b 100644
--- a/assets/runtime/env-defaults
+++ b/assets/runtime/env-defaults
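Review bot: `discovery: {{OAUTH_OIDC_DISCOVERY}}` in the new `openid_connect` entry accepts `false`, but `client_options` only carries `identifier`, `secret` and `redirect_uri`, so a non-discovery configuration has no placeholders for the authorization, token, userinfo and JWKS endpoints the omniauth_openid_connect strategy needs in that mode. Either add those placeholders or state the constraint in the template, e.g. `# endpoints come from OIDC discovery; OAUTH_OIDC_DISCOVERY=false is not supported by this entry`. The single-quoted `label`, `icon` and `issuer` values also break the flow mapping when the environment value contains a `'`, a limitation shared with the azure entry just above.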
@@ -537,6 +537,28 @@ OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE=${OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE:-}
 OAUTH2_GENERIC_LABEL=${OAUTH2_GENERIC_LABEL:-}
 OAUTH2_GENERIC_NAME=${OAUTH2_GENERIC_NAME:-}
+### OpenID Connect
+OAUTH_OIDC_LABEL=${OAUTH_OIDC_LABEL:-'OpenID Connect'}
+OAUTH_OIDC_ICON=${OAUTH_OIDC_ICON:-}
+OAUTH_OIDC_SCOPE=${OAUTH_OIDC_SCOPE:-"['openid','profile','email']"}
+OAUTH_OIDC_RESPONSE_TYPE=${OAUTH_OIDC_RESPONSE_TYPE:-'code'}
+OAUTH_OIDC_ISSUER=${OAUTH_OIDC_ISSUER:-}
+OAUTH_OIDC_DISCOVERY=${OAUTH_OIDC_DISCOVERY:-true}
+OAUTH_OIDC_CLIENT_AUTH_METHOD=${OAUTH_OIDC_CLIENT_AUTH_METHOD:-'query'}
+OAUTH_OIDC_UID_FIELD=${OAUTH_OIDC_UID_FIELD:-sub}
+OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP=${OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP:-false}
+OAUTH_OIDC_PKCE=${OAUTH_OIDC_PKCE:-true}
+OAUTH_OIDC_CLIENT_ID=${OAUTH_OIDC_CLIENT_ID:-}
+OAUTH_OIDC_CLIENT_SECRET=${OAUTH_OIDC_CLIENT_SECRET:-'secret'}
+case $GITLAB_HTTPS in
+ true)
+ OAUTH_OIDC_REDIRECT_URI=${OAUTH_OIDC_REDIRECT_URI:-https://${GITLAB_HOST}/users/auth/openid_connect/callback}
+ ;;
+ false)
+ OAUTH_OIDC_REDIRECT_URI=${OAUTH_OIDC_REDIRECT_URI:-http://${GITLAB_HOST}/users/auth/openid_connect/callback}
+ ;;
+esac
+
 ## ANALYTICS
 ### GOOGLE
diff --git a/assets/runtime/functions b/assets/runtime/functions
index 5a24e9bc..b23d6f46 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
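Review bot: `OAUTH_OIDC_CLIENT_SECRET=${OAUTH_OIDC_CLIENT_SECRET:-'secret'}` bakes a placeholder credential into the defaults: a deployment that sets only `OAUTH_OIDC_ISSUER` and `OAUTH_OIDC_CLIENT_ID` gets `secret: 'secret'` rendered into gitlab.yml and typically learns about it only when the identity provider rejects the token request at first login. An empty default like the one used for `OAUTH_OIDC_CLIENT_ID`, `OAUTH_OIDC_CLIENT_SECRET=${OAUTH_OIDC_CLIENT_SECRET:-}`, keeps a fixed string out of the rendered config and lets the configure step detect the omission. The `case $GITLAB_HTTPS in` block also leaves `OAUTH_OIDC_REDIRECT_URI` unset when `GITLAB_HTTPS` is anything but the literal `true` or `false`; unless this file already normalises `GITLAB_HTTPS` earlier (not visible here), a `*)` arm falling back to the http form, or `case ${GITLAB_HTTPS:-false} in`, would close that gap.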
@@ -793,6 +793,30 @@ gitlab_configure_oauth_azure_ad_v2() {
 fi
 }
+gitlab_configure_oauth_oidc() {
+ if [[ -n ${OAUTH_OIDC_ISSUER} && \
+ -n ${OAUTH_OIDC_CLIENT_ID} ]]; then
+ echo "Configuring gitlab::oauth::oidc..."
+ OAUTH_ENABLED=${OAUTH_ENABLED:-true}
+ update_template ${GITLAB_CONFIG} \
+ OAUTH_OIDC_LABEL \
+ OAUTH_OIDC_ICON \
+ OAUTH_OIDC_SCOPE \
+ OAUTH_OIDC_RESPONSE_TYPE \
+ OAUTH_OIDC_ISSUER \
+ OAUTH_OIDC_DISCOVERY \
+ OAUTH_OIDC_CLIENT_AUTH_METHOD \
+ OAUTH_OIDC_UID_FIELD \
+ OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP \
+ OAUTH_OIDC_PKCE \
+ OAUTH_OIDC_CLIENT_ID \
+ OAUTH_OIDC_CLIENT_SECRET \
+ OAUTH_OIDC_REDIRECT_URI
+ else
+ exec_as_git sed -i "/name: 'openid_connect'/,/{{OAUTH_OIDC_REDIRECT_URI}}/d" ${GITLAB_CONFIG}
+ fi
+}
+
 gitlab_configure_oauth() {
 echo "Configuring gitlab::oauth..."
@@ -810,6 +834,7 @@ gitlab_configure_oauth() {
 gitlab_configure_oauth_auth0
 gitlab_configure_oauth_azure
 gitlab_configure_oauth_azure_ad_v2
+ gitlab_configure_oauth_oidc
 OAUTH_ENABLED=${OAUTH_ENABLED:-false}
 update_template ${GITLAB_CONFIG} \
@@ -823,7 +848,7 @@ gitlab_configure_oauth() {
 OAUTH_ALLOW_BYPASS_TWO_FACTOR
 case ${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER} in
- cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2|azure_activedirectory_v2|oauth2_generic|$OAUTH2_GENERIC_NAME)
+ cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2|azure_activedirectory_v2|oauth2_generic|$OAUTH2_GENERIC_NAME|oidc)
 update_template ${GITLAB_CONFIG} OAUTH_AUTO_SIGN_IN_WITH_PROVIDER
 ;;
 *)
From de8d0d52a9749f83c42115f2b71f2a9bbc0604b3 Mon Sep 17 00:00:00 2001
From: molnarpe
Date: Wed, 19 Jun 2024 15:25:46 +0200
Subject: [PATCH 2/3] Update env-defaults
Value for client_auth_method is 'query' in the example, but default value is 'basic' as described in [GitLab OmniAuth OIDC documentation, step 4.](https://docs.gitlab.com/ee/administration/auth/oidc.html).
---
 assets/runtime/env-defaults | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
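Review bot: The guard in `gitlab_configure_oauth_oidc` enables the provider on `OAUTH_OIDC_ISSUER` and `OAUTH_OIDC_CLIENT_ID` alone, while the env-defaults hunk in this series fills `OAUTH_OIDC_CLIENT_SECRET` with the literal `'secret'`, so a forgotten secret is rendered into gitlab.yml without any message at startup. A line before `update_template`, `[[ ${OAUTH_OIDC_CLIENT_SECRET} == secret ]] && echo "WARNING: OAUTH_OIDC_CLIENT_SECRET is still the placeholder default"`, surfaces that at configure time. The `sed -i "/name: 'openid_connect'/,/{{OAUTH_OIDC_REDIRECT_URI}}/d"` on the else branch is an address range: if the end pattern ever disappears from the template the deletion runs to end of file, and it relies on `name: 'openid_connect'` not occurring elsewhere in gitlab.yml, so a comment such as `# range must match exactly the openid_connect entry in gitlab.yml` would protect the next template edit. The sibling azure functions above presumably use the same removal pattern, so this is a shared caveat rather than a new one.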
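Review bot: The new `|oidc)` alternative in the `OAUTH_AUTO_SIGN_IN_WITH_PROVIDER` case does not match the name the provider is registered under; the gitlab.yml entry added in this series uses `name: 'openid_connect'`, which is the value GitLab's `auto_sign_in_with_provider` setting has to carry. As written, `OAUTH_AUTO_SIGN_IN_WITH_PROVIDER=openid_connect` falls through to the `*)` arm (whose body is outside the hunk), while `oidc` is accepted but names no configured provider. The alternative should read `...|oauth2_generic|$OAUTH2_GENERIC_NAME|openid_connect)` in place of `|oidc)`. gitlab_configure_oauth continues outside the hunk.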
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
index 8b2e256b..7c6de6d9 100644
--- a/assets/runtime/env-defaults
+++ b/assets/runtime/env-defaults
@@ -544,7 +544,7 @@ OAUTH_OIDC_SCOPE=${OAUTH_OIDC_SCOPE:-"['openid','profile','email']"}
 OAUTH_OIDC_RESPONSE_TYPE=${OAUTH_OIDC_RESPONSE_TYPE:-'code'}
 OAUTH_OIDC_ISSUER=${OAUTH_OIDC_ISSUER:-}
 OAUTH_OIDC_DISCOVERY=${OAUTH_OIDC_DISCOVERY:-true}
-OAUTH_OIDC_CLIENT_AUTH_METHOD=${OAUTH_OIDC_CLIENT_AUTH_METHOD:-'query'}
+OAUTH_OIDC_CLIENT_AUTH_METHOD=${OAUTH_OIDC_CLIENT_AUTH_METHOD:-'basic'}
 OAUTH_OIDC_UID_FIELD=${OAUTH_OIDC_UID_FIELD:-sub}
 OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP=${OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP:-false}
 OAUTH_OIDC_PKCE=${OAUTH_OIDC_PKCE:-true}
From 8b477f07c15d6cebcd383bef70ed4737f039a6d2 Mon Sep 17 00:00:00 2001
From: molnarpe
Date: Sun, 23 Jun 2024 07:02:15 +0200
Subject: [PATCH 3/3] Default values for OmniAuth OpenID Connect environment variables are now listed in README.md.
---
 README.md | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/README.md b/README.md
index a8e871a1..0d4f5af3 100644
--- a/README.md
+++ b/README.md
@@ -46,7 +46,7 @@
 - [Crowd](#crowd)
 - [Microsoft Azure](#microsoft-azure)
 - [Generic OAuth2](#Generic-OAuth2)
- - [OpenID Connect](#OpenID-Connect)
+ - [OpenID Connect](#openid-connect)
 - [Gitlab Pages](#gitlab-pages)
 - [External Issue Trackers](#external-issue-trackers)
 - [Host UID / GID Mapping](#host-uid--gid-mapping)
@@ -732,21 +732,21 @@ To enable OpenID Connect provider, you must register your application with your
 To use OIDC set at least `OAUTH_OIDC_ISSUER` and `OAUTH_OIDC_CLIENT_ID`.
-| GitLab setting | environment variable |
-|----------------|----------------------|
-| `label` | `OAUTH_OIDC_LABEL` |
-| `icon` | `OAUTH_OIDC_ICON` |
-| `scope`| `OAUTH_OIDC_SCOPE` |
-| `response_type` | `OAUTH_OIDC_RESPONSE_TYPE` |
-| `issuer` | `OAUTH_OIDC_ISSUER` |
-| `discovery` | `OAUTH_OIDC_DISCOVERY` |
-| `client_auth_method` | `OAUTH_OIDC_CLIENT_AUTH_METHOD` |
-| `uid_field` | `OAUTH_OIDC_UID_FIELD` |
-| `send_scope_to_token_endpoint` | `OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP` |
-| `pkce` | `OAUTH_OIDC_PKCE` |
-| `client_options.identifier` | `OAUTH_OIDC_CLIENT_ID` |
-| `client_options.secret` | `OAUTH_OIDC_CLIENT_SECRET` |
-| `client_options.redirect_uri` | `OAUTH_OIDC_REDIRECT_URI` |
+| GitLab setting | environment variable | default value |
+|--------------------------------|-------------------------------------|--------------------------------|
+| `label` | `OAUTH_OIDC_LABEL` | `OpenID Connect` |
+| `icon` | `OAUTH_OIDC_ICON` | |
+| `scope` | `OAUTH_OIDC_SCOPE` | `['openid','profile','email']` |
+| `response_type` | `OAUTH_OIDC_RESPONSE_TYPE` | `code` |
+| `issuer` | `OAUTH_OIDC_ISSUER` | |
+| `discovery` | `OAUTH_OIDC_DISCOVERY` | `true` |
+| `client_auth_method` | `OAUTH_OIDC_CLIENT_AUTH_METHOD` | `basic` |
+| `uid_field` | `OAUTH_OIDC_UID_FIELD` | `sub` |
+| `send_scope_to_token_endpoint` | `OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP` | `false` |
+| `pkce` | `OAUTH_OIDC_PKCE` | `true` |
+| `client_options.identifier` | `OAUTH_OIDC_CLIENT_ID` | |
+| `client_options.secret` | `OAUTH_OIDC_CLIENT_SECRET` | `secret` |
+| `client_options.redirect_uri` | `OAUTH_OIDC_REDIRECT_URI` | `http://${GITLAB_HOST}/users/auth/openid_connect/callback` or `https://${GITLAB_HOST}/users/auth/openid_connect/callback` depending on the value of `GITLAB_HTTPS` |
 See [GitLab OIDC 
documentation](https://docs.gitlab.com/ee/administration/auth/oidc.html) and [OmniAuth OpenID Connect documentation](https://github.com/omniauth/omniauth_openid_connect/).