Pass gl_auth_type as part of devise OmniAuth flow
What does this MR do and why?
This addresses https://gitlab.com/gitlab-org/gitlab/-/issues/337663 by reducing
the API scope to read_user
if we detect that the authorization
flow was initiated as part of a login.
Screenshots or screen recordings
How to set up and validate locally
To validate this change, you need two running GitLab instances, both on this branch.
One (a) must be accessible to the other (if not necessarily publically acessible). The other (b) may be entirely behind a firewall. We shall call these two instances:
a. The public authenticator
b. The private delegator
We recommend running the public authenticator using GitPod, which makes setting up a
publically available instance easy. Simply click on Open in GitPod
in the MR information box.
The other instance can be anywhere else - a local GDK/GCK instance is fine, but you could equally have another GitPod instance if you want.
Both instances must be on this branch.
On the public authenticator:
- As any user, log in
- Click on
AVATAR -> edit profile
- In the LHS menu, click
applications
- Add a new application, with the following settings below, and click
save
- Copy the
app_id
andapp_secret
for this newly created application for use in setting up the private delegator. - Prepare a user to log-in as using OmniAuth. this does not need to be the same as the user that created the application It helps if this user has a unique username and email address, so that we can be sure when we do log in that the information came from this server. You can create this user in the admin panel.
- Enable the feature-flag in the Rails console:
Feature.enable(:omniauth_login_minimal_scopes)
Application settings:
Name: ANY_NAME
Redirect URI: http://${private-delegator-IP}:${private-delegator-PORT}/users/auth/gitlab/callback
Confidential: NO
Scopes: api (see below)
For scopes, you can leave these boxes unticked, or you can select any combination of:
api
read_api
read_user
NB: it is very important that you enter the resolved IP address here (not localhost
!).
Use ifconfig
or similar to determine the real local IP address of your private delegator instance. Although if you use a custom hostname in your gdk.yml
you need to use that instead.
See https://docs.gitlab.com/ee/integration/gitlab.html for details
On the private delegator:
- Configure the OmniAuth provider list. See your distribution for how to do this.
In the GCK, you can add a section like the following to your gck.yml
file:
gitlab.yml: # merge with `gitlab-rails/config/gitlab.yml`
development:
omniauth:
allow_single_sign_on:
- gitlab
block_auto_created_users: false
providers:
- name: gitlab
app_id: '${app_id from application on public authenticator}'
app_secret: '${app_secret from application on public authenticator}'
args:
scope: 'api'
client_options: { site: "https://${host-address-of-public-authenticator}/api/v4" }
In GDK, you can add the same in $GDK/gitlab/config/gitlab.yml
under the development.omniauth
key.
Verification steps:
- Sign out of both instances
- Restart/rebuild the private delegator as needed to ensure the configuration is correctly picked up
(this can be confirmed in the rails console, by reading the values of
Gitlab.config.omniauth
. - Visit the private delegator. You should see a login page with a
Sign in with [GitLab.com]
button. - Click the
[GitLab.com]
button - See that you need to login on the public authenticator.
- Once logged in, you should see a form asking you to approve of the authorization. The abilities
should be listed as
Read personal information
- Accept the authorization
- See that you are redirected back to the private delegator, and that a new account has been created for this user.
- In the public authenticator instance, inspect the database to see the created token. You can
can run the query:
select * from oauth_access_tokens
. The new token should have theread_user
scope.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.