Allow omniauth username claim to be configurable

What does this MR do and why?

This MR allows administrators to specify a custom claim from a provider's auth_hash to use as the username in GitLab.

This allows self-hosted instances to handle auth_hash mappings outside of their control (i.e. from external identity providers or omniauth providers). For example, GitLab's OpenID Connect provider exposes a subset of data in info and remaps others. If the desired username is returned in a field outside of that set, like in sub, there's no way to retrieve the correct username.

This is not to be confused with the configurable uid_field mentioned in the docs:

<uid_field> (optional) is the field name from the user_info.raw_attributes that defines the value for uid. For example, preferred_username. If this value is not provided or the field with the configured value is missing from the user_info.raw_attributes details, the uid uses the sub field.

This option affects the user's extern_uid.

Screenshots or screen recordings

Here's a sample where I changed my username to my gitlab.com uid:

[Screenshot: modified_username]

How to set up and validate locally

With gdk and this MR checked out:

  1. Create an application on gitlab.com to use as an authentication provider (using read_user scope for minimal access)
  2. Modify the config/gitlab.yml for gitlab in your gdk setup with the application credentials from step 1 and the following args:
     development:
       <<: *base
       omniauth:
         block_auto_created_users: false
         allow_single_sign_on: ['gitlab']
         providers:
         - { name: 'gitlab',
             app_id: 'APP_ID',
             app_secret: 'APP_SECRET',
             args: { gitlab_username_claim: 'uid', scope: 'read_user' } } # using uid as it is available and not generally used
  3. Run gdk open and click the sign-in with GitLab button
  4. After signing in, click the user avatar in the top-right corner. The username should now be your uid (instead of the same name on gitlab.com; see screenshot).

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Thomas Mendoza
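
A sketch of the kind of claim lookup the description above refers to, as an added example that is not code from this MR or from GitLab. The helper names `lookup_claim` and `resolve_username`, the search order (top level, then `info`, then `extra.raw_info`), the fallback to `info` fields, and the `SAFE_USERNAME` pattern are all assumptions; the sample auth hash is constructed in the standard OmniAuth layout.

```ruby
# Added illustration, not GitLab's implementation.
# Constructed sample in the standard OmniAuth auth-hash layout.
SAMPLE_AUTH_HASH = {
  'provider' => 'gitlab',
  'uid' => '4242',
  'info' => { 'nickname' => 'jdoe', 'email' => 'jdoe@example.com' },
  'extra' => { 'raw_info' => { 'sub' => '4242', 'preferred_username' => 'j.doe' } }
}.freeze

# Assumed conservative pattern for this sketch (not GitLab's username rules).
# \A and \z anchor the whole string, so embedded newlines are rejected.
SAFE_USERNAME = /\A[a-zA-Z0-9][a-zA-Z0-9_.-]{0,254}\z/

# Search the configured claim at the top level, then info, then extra.raw_info.
# Only scalar values are accepted, so a claim that names a nested hash is ignored.
def lookup_claim(auth_hash, claim)
  [auth_hash, auth_hash['info'], auth_hash.dig('extra', 'raw_info')].each do |scope|
    next unless scope.is_a?(Hash)

    value = scope[claim]
    next unless value.is_a?(String) || value.is_a?(Integer)
    return value.to_s unless value.to_s.strip.empty?
  end
  nil
end

# Returns the chosen username plus where it came from, so a misconfigured
# claim that silently falls back to the default is visible in logs.
def resolve_username(auth_hash, username_claim = nil)
  candidate = lookup_claim(auth_hash, username_claim) if username_claim
  source = candidate ? username_claim : 'default'
  candidate ||= auth_hash.dig('info', 'username') || auth_hash.dig('info', 'nickname')

  return { username: nil, source: source, reason: 'no usable value' } if candidate.nil?
  return { username: nil, source: source, reason: 'rejected by pattern' } unless candidate.match?(SAFE_USERNAME)

  { username: candidate, source: source }
end

if __FILE__ == $PROGRAM_NAME
  %w[uid sub not_a_claim].each do |claim|
    puts "#{claim}: #{resolve_username(SAMPLE_AUTH_HASH, claim)}"
  end
end
```

The claim chosen as the username should be one the identity provider controls and keeps unique; a value the end user can edit at the provider makes username collisions and look-alike accounts possible.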
