diff options
author | Joe Marty <jmarty@iexposure.com> | 2017-02-07 14:43:08 -0600 |
---|---|---|
committer | Joe Marty <jmarty@iexposure.com> | 2017-02-13 12:54:57 -0600 |
commit | 93d4234efa43dea4165a8b0b87c51eb7d6131f28 (patch) | |
tree | 3428a3a70d9a687822a878feb79818c287b94885 | |
parent | 49e44d88b90939ece219e2cffc11119854306bd9 (diff) | |
download | gitlab-ce-93d4234efa43dea4165a8b0b87c51eb7d6131f28.tar.gz |
Add omniauth-oauth2-generic strategy
- Allows configurable Single Sign On with most simple OAuth2 providers
- Adds documentation for the new strategy
Closes #26744
-rw-r--r-- | Gemfile | 1 | ||||
-rw-r--r-- | Gemfile.lock | 3 | ||||
-rw-r--r-- | doc/integration/oauth2_generic.md | 60 | ||||
-rw-r--r-- | doc/integration/omniauth.md | 1 |
4 files changed, 65 insertions, 0 deletions
@@ -29,6 +29,7 @@ gem 'omniauth-github', '~> 1.1.1' gem 'omniauth-gitlab', '~> 1.0.2' gem 'omniauth-google-oauth2', '~> 0.4.1' gem 'omniauth-kerberos', '~> 0.3.0', group: :kerberos +gem 'omniauth-oauth2-generic', '~> 0.2.2' gem 'omniauth-saml', '~> 1.7.0' gem 'omniauth-shibboleth', '~> 1.2.0' gem 'omniauth-twitter', '~> 1.2.0' diff --git a/Gemfile.lock b/Gemfile.lock index 235426afa49..a3c2fad41ba 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -483,6 +483,8 @@ GEM omniauth-oauth2 (1.3.1) oauth2 (~> 1.0) omniauth (~> 1.2) + omniauth-oauth2-generic (0.2.2) + omniauth-oauth2 (~> 1.0) omniauth-saml (1.7.0) omniauth (~> 1.3) ruby-saml (~> 1.4) @@ -931,6 +933,7 @@ DEPENDENCIES omniauth-gitlab (~> 1.0.2) omniauth-google-oauth2 (~> 0.4.1) omniauth-kerberos (~> 0.3.0) + omniauth-oauth2-generic (~> 0.2.2) omniauth-saml (~> 1.7.0) omniauth-shibboleth (~> 1.2.0) omniauth-twitter (~> 1.2.0) diff --git a/doc/integration/oauth2_generic.md b/doc/integration/oauth2_generic.md new file mode 100644 index 00000000000..3953df18d85 --- /dev/null +++ b/doc/integration/oauth2_generic.md @@ -0,0 +1,60 @@ +# Sign into Gitlab with (almost) any OAuth2 provider + +The `omniauth-oauth2-generic` gem allows Single Sign On between Gitlab and your own OAuth2 provider (or any simple OAuth2 provider compatible with this gem) + +This strategy is designed to allow configuration of the simple OmniAuth SSO process outlined below: + +1. Strategy directs client to your authorization URL (**configurable**), with specified ID and key +1. OAuth provider handles authentication of request, user, and (optionally) authorization to access user's profile +1. OAuth provider directs client back to Gitlab where Strategy handles retrieval of access token +1. Strategy requests user information from a **configurable** "user profile" URL (using the access token) +1. Strategy parses user information from the response, using a **configurable** format +1. Gitlab finds or creates the returned user and logs them in + +**Limitations of this Strategy:** + +- It can only be used for Single Sign on, and will not provide any other access granted by any OAuth provider (such as importing projects or users, etc). +- It only supports the Authorization Grant flow (most common for client-server applications, like Gitlab) +- It is not able to fetch user information from more than one URL +- It has not been tested with user information formats other than JSON + +### Config Instructions +1. To enable the OAuth2 generic strategy you must register your application in the OAuth2 provider you wish to authenticate with. + That provider should generate an ID and secret key for you to use with this strategy. + + The redirect URI you provide when registering the application should be: + + ``` + http://your-gitlab.host.com/users/auth/oauth2_generic/callback + ``` + +1. You should now be able to get a Client ID and Client Secret. Where this shows up will differ for each provider. + This may also be called Application ID and Secret. + +1. On your GitLab server, open the configuration file. + + For omnibus package: + + ```sh + sudo editor /etc/gitlab/gitlab.rb + ``` + + For installations from source: + + ```sh + cd /home/git/gitlab + + sudo -u git -H editor config/gitlab.yml + ``` + +1. See [Initial OmniAuth Configuration](omniauth.md#initial-omniauth-configuration) for initial settings. + +1. Add the provider-specific configuration for your provider, as [described in the gem's README](https://gitlab.com/satorix/omniauth-oauth2-generic#gitlab-config-example) + +1. Save the configuration file. + +1. Restart GitLab for the changes to take effect. + +On the sign in page there should now be a new button below the regular sign in form. +Click the button to begin your provider's authentication process. This will direct the browser to your OAuth2 Provider's authentication page. +If everything goes well the user will be returned to your GitLab instance and will be signed in. diff --git a/doc/integration/omniauth.md b/doc/integration/omniauth.md index 98a680d0dbe..47e20d7566a 100644 --- a/doc/integration/omniauth.md +++ b/doc/integration/omniauth.md @@ -31,6 +31,7 @@ contains some settings that are common for all providers. - [Azure](azure.md) - [Auth0](auth0.md) - [Authentiq](../administration/auth/authentiq.md) +- [OAuth2Generic](oauth2_generic.md) ## Initial OmniAuth Configuration |