Bump gitlab-omniauth-openid-connect to v0.8.0

Stan Hu requested to merge sh-openid-connect-hs256 into master

This fixes issues with HS256-signed JWTs: https://gitlab.com/gitlab-org/gitlab-omniauth-openid-connect/-/issues/1

Diff: https://my.diffend.io/gems/gitlab-omniauth-openid-connect/0.4.0/0.8.0

Documentation: !66333 (merged)

Testing

  • Azure OpenID Provider (RS256)
  • Keycloak OpenID with RS256
  • Keycloak OpenID with HS256

Keycloak setup

This is a bit of a pain because one of the OpenID libraries only supports HTTPS, so we need to put NGINX in front. I hacked my Omnibus install to do this.

  1. Download docker-compose script: https://github.com/keycloak/keycloak-containers/blob/master/docker-compose-examples/keycloak-postgres.yml
  2. Modify ports accordingly (I remapped 8080:8000 -> 9999:8080).
  3. Run docker-compose -f keycloak-postgres.yml up
  4. Load http://localhost:9999.
  5. Create a user: Manage -> Users -> Create user. Set username and password to something (e.g. myuser and password).
  6. Create a client: Configure -> Clients -> Create. Set gitlab for Client ID.
  7. Configure gitlab client: Click on gitlab -> Settings -> Access Type, set to Confidential.

  8. In Realm Settings -> General, set Frontend URL to https://gitlab.example.com/keycloak/auth.
  9. In Realm Settings -> Tokens, set the default algorithm to HS256 or RS256 (depending on test case).
  10. Retrieve the client secret by entering the PostgreSQL container:
# docker exec -it b466bfcba2cf bash # Use image from `docker ps`
root@b466bfcba2cf:/# psql -U keycloak
psql (13.3 (Debian 13.3-1.pgdg100+1))
Type "help" for help.

keycloak=# SELECT value FROM component_config CC INNER JOIN component C ON(CC.component_id = C.id) WHERE C.realm_id = 'master' and provider_id = 'hmac-generated' AND CC.name = 'secret';
                                         value
----------------------------------------------------------------------------------------
 MnHoiYfMwuKLE34p72uFut_P2g5sIfz7RbxhFsuUOi6qI9_8U2ZBXlp8dUwG2KXnc7HOxg4MolIjPhP2RxpOzw
(1 row)

See !66333 (merged) for converting this into a standard base64 value.

  11. Configure OpenID in /etc/gitlab/gitlab.rb:
gitlab_rails['omniauth_providers'] = [
  {
    'name' => 'openid_connect',
    'label' => 'Keycloak',
    'args' => {
      'name' => 'openid_connect',
      'strategy_class' => 'OmniAuth::Strategies::OpenIDConnect',
      'scope' => ['openid', 'profile', 'email'],
      'response_type' => 'code',
      'issuer' => 'https://gitlab.example.com/keycloak/auth/realms/master',
      'client_auth_method' => 'query',
      'discovery' => true,
      'uid_field' => 'preferred_username',
      # Standard base64 form of the hmac-generated secret retrieved above
      'jwt_secret_base64' => "<JWT SECRET FROM PREVIOUS STEP>",
      'client_options' => {
        'identifier' => 'gitlab',
        'secret' => '<CLIENT SECRET>',
        'redirect_uri' => 'https://gitlab.example.com/users/auth/openid_connect/callback'
      }
    }
  }
]
  12. Run gitlab-ctl reconfigure.
  13. The OpenID gem needs to use HTTPS. In /var/opt/gitlab/nginx/conf/gitlab-http.conf, I hacked the config:
# These needed to avoid 502 errors due to large headers
proxy_buffer_size   128k;
proxy_buffers   4 256k;
proxy_busy_buffers_size   256k;

location /keycloak/ {
  proxy_pass http://localhost:9999/;
}
  14. gitlab-ctl restart nginx
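As an added example (not code from this merge request or from the gem), the following Ruby script converts the base64url `hmac-generated` value retrieved in step 10 into the standard base64 form that `jwt_secret_base64` expects, then signs and verifies an HS256 token with that key using only the standard library, so the conversion and the alg check can be exercised locally before the OmniAuth login is tried. The helper names are my own and the secret is the test-realm value shown above.

```ruby
require 'base64'
require 'json'
require 'openssl'

# Value returned by the SELECT above (a local test realm's key). Keycloak
# stores it as unpadded base64url, not standard base64.
KEYCLOAK_HMAC_SECRET = 'MnHoiYfMwuKLE34p72uFut_P2g5sIfz7RbxhFsuUOi6qI9_8U2ZBXlp8dUwG2KXnc7HOxg4MolIjPhP2RxpOzw'

# Convert to the form jwt_secret_base64 expects: '-' and '_' become
# '+' and '/', and the '=' padding is restored.
def to_standard_base64(urlsafe_secret)
  Base64.strict_encode64(Base64.urlsafe_decode64(urlsafe_secret))
end

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Constant-time comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mint an HS256 token the way Keycloak would, for local testing only.
def sign_hs256(claims, secret_base64)
  key = Base64.strict_decode64(secret_base64)
  header = b64url(JSON.generate({ 'alg' => 'HS256', 'typ' => 'JWT' }))
  signing_input = "#{header}.#{b64url(JSON.generate(claims))}"
  "#{signing_input}.#{b64url(OpenSSL::HMAC.digest('SHA256', key, signing_input))}"
end

# Verify a token with the decoded key. Returns the claims, or nil when the
# token is malformed, the header is not HS256, or the signature mismatches.
def verify_hs256(token, secret_base64)
  key = Base64.strict_decode64(secret_base64)
  header_b64, payload_b64, sig_b64 = token.split('.', 3)
  return nil if [header_b64, payload_b64, sig_b64].any?(&:nil?)
  header = JSON.parse(Base64.urlsafe_decode64(header_b64))
  return nil unless header['alg'] == 'HS256'
  expected = OpenSSL::HMAC.digest('SHA256', key, "#{header_b64}.#{payload_b64}")
  return nil unless secure_equal?(expected, Base64.urlsafe_decode64(sig_b64))
  JSON.parse(Base64.urlsafe_decode64(payload_b64))
rescue ArgumentError, JSON::ParserError
  nil
end

if __FILE__ == $PROGRAM_NAME
  secret = to_standard_base64(KEYCLOAK_HMAC_SECRET)
  token = sign_hs256({ 'preferred_username' => 'myuser' }, secret)
  puts "jwt_secret_base64 => #{secret}"
  puts "claims: #{verify_hs256(token, secret).inspect}"
end
```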