Added Omniauth OpenId Connect startegy

5 files changed, 118 insertions, 5 deletions

diff --git a/Gemfile b/Gemfile
index e075e2478a8..efdb5e5210f 100644
--- a/Gemfile
+++ b/Gemfile
@@ -41,8 +41,9 @@ gem 'omniauth-shibboleth', '~> 1.3.0'
 gem 'omniauth-twitter', '~> 1.4'
 gem 'omniauth_crowd', '~> 2.2.0'
 gem 'omniauth-authentiq', '~> 0.3.3'
+gem 'omniauth_openid_connect', '~> 0.3.0'
+gem "omniauth-ultraauth", '~> 0.0.2'
 gem 'rack-oauth2', '~> 1.9.3'
-gem "omniauth-ultraauth", '~> 0.0.1'
 gem 'jwt', '~> 2.1.0'
 
 # Spam and anti-bot protection
diff --git a/Gemfile.lock b/Gemfile.lock
index c5ad2357434..4f5f018cf82 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -559,13 +559,13 @@ GEM
     omniauth-twitter (1.4.0)
       omniauth-oauth (~> 1.1)
       rack
-    omniauth-ultraauth (0.0.1)
-      omniauth_openid_connect (~> 0.2.4)
+    omniauth-ultraauth (0.0.2)
+      omniauth_openid_connect (~> 0.3.0)
     omniauth_crowd (2.2.3)
       activesupport
       nokogiri (>= 1.4.4)
       omniauth (~> 1.0)
-    omniauth_openid_connect (0.2.4)
+    omniauth_openid_connect (0.3.0)
       addressable (~> 2.5)
       omniauth (~> 1.3)
       openid_connect (~> 1.1)
@@ -1124,8 +1124,9 @@ DEPENDENCIES
   omniauth-saml (~> 1.10)
   omniauth-shibboleth (~> 1.3.0)
   omniauth-twitter (~> 1.4)
-  omniauth-ultraauth (~> 0.0.1)
+  omniauth-ultraauth (~> 0.0.2)
   omniauth_crowd (~> 2.2.0)
+  omniauth_openid_connect (~> 0.3.0)
   org-ruby (~> 0.9.12)
   peek (~> 1.0.1)
   peek-gc (~> 0.0.2)
diff --git a/changelogs/unreleased/27383-added_omniauth_openid_connect_startegy.yml b/changelogs/unreleased/27383-added_omniauth_openid_connect_startegy.yml
new file mode 100644
index 00000000000..c49b201f0de
--- /dev/null
+++ b/changelogs/unreleased/27383-added_omniauth_openid_connect_startegy.yml
@@ -0,0 +1,5 @@
+---
+title: Added OmniAuth OpenID Connect strategy
+merge_request: 27383
+author: Horatiu Eugen Vlad
+type: added
diff --git a/doc/administration/auth/oidc.md b/doc/administration/auth/oidc.md
new file mode 100644
index 00000000000..e55f7dbb4df
--- /dev/null
+++ b/doc/administration/auth/oidc.md
@@ -0,0 +1,105 @@
+# OpenID Connect OmniAuth provider
+
+GitLab can use [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html) as an OmniAuth provider.
+
+To enable the OpenID Connect OmniAuth provider, you must register your application with an OpenID Connect provider.
+The OpenID Connect will provide you with a client details and secret for you to use.
+
+1.  On your GitLab server, open the configuration file.
+
+    For Omnibus GitLab:
+
+    ```sh
+    sudo editor /etc/gitlab/gitlab.rb
+    ```
+
+    For installations from source:
+
+    ```sh
+    cd /home/git/gitlab
+    sudo -u git -H editor config/gitlab.yml
+    ```
+
+    See [Initial OmniAuth Configuration](../../integration/omniauth.md#initial-omniauth-configuration) for initial settings.
+
+1.  Add the provider configuration.
+
+    For Omnibus GitLab:
+
+    ```ruby
+    gitlab_rails['omniauth_providers'] = [
+      { 'name' => 'openid_connect',
+        'label' => '<your_oidc_label>',
+        'args' => {
+          'scope' => ['openid','profile'],
+          'response_type' => 'code',
+          'issuer' => '<your_oidc_url>',
+          'discovery' => true,
+          'client_auth_method' => 'query',
+          'uid_field' => '<uid_field>',
+          'client_options' => {
+            'identifier' => '<your_oidc_client_id>',
+            'secret' => '<your_oidc_client_secret>',
+            'redirect_uri' => '<your_gitlab_url>/users/auth/openid_connect/callback'
+          }
+        }
+      }
+    ]
+    ```
+
+    For installation from source:
+
+    ```yaml
+      - { name: 'openid_connect',
+          label: '<your_oidc_label>',
+          args: {
+            scope: ['openid','profile'],
+            response_type: 'code',
+            issuer: '<your_oidc_url>',
+            discovery: true,
+            client_auth_method: 'query',
+            uid_field: '<uid_field>',
+            client_options: {
+              identifier: '<your_oidc_client_id>',
+              secret: '<your_oidc_client_secret>',
+              redirect_uri: '<your_gitlab_url>/users/auth/openid_connect/callback'
+            }
+          }
+        }
+    ```
+
+    > **Note:**
+    >
+    > - For more information on each configuration option refer to
+        the [OmniAuth OpenID Connect usage documentation](https://github.com/m0n9oose/omniauth_openid_connect#usage) and
+        the [OpenID Connect Core 1.0 specification](https://openid.net/specs/openid-connect-core-1_0.html).
+
+1. For the configuration above, change the values for the provider to match your OpenID Connect client setup. Use the following as a guide:
+    - `<your_oidc_label>` is the label that will be displayed on the login page.
+    - `<your_oidc_url>` (optional) is the URL that points to the OpenID Connect provider. For example, `https://example.com/auth/realms/your-realm`.
+      If this value is not provided, the URL is constructed from the `client_options` in the following format: `<client_options.scheme>://<client_options.host>:<client_options.port>`.
+    - If `discovery` is set to `true`, the OpenID Connect provider will try to auto discover the client options using `<your_oidc_url>/.well-known/openid-configuration`. Defaults to `false`.
+    - `<uid_field>` (optional) is the field name from the `user_info` details that will be used as `uid` value. For example, `preferred_username`.
+      If this value is not provided or the field with the configured value is missing from the `user_info` details, the `uid` will use the `sub` field.
+    - `client_options` are the OpenID Connect client-specific options. Specifically:
+
+      - `identifier` is the client identifier as configured in the OpenID Connect service provider.
+      - `secret` is the client secret as configured in the OpenID Connect service provider.
+      - `redirect_uri` is the GitLab URL to redirect the user to after successful login. For example, `http://example.com/users/auth/openid_connect/callback`.
+      - `end_session_endpoint` (optional) is the URL to the endpoint that end the session (logout). Can be provided if auto-discovery disabled or unsuccessful.
+
+      The following `client_options` are optional unless auto-discovery is disabled or unsuccessful:
+
+        - `authorization_endpoint` is the URL to the endpoint that authorizes the end user.
+        - `token_endpoint` is the URL to the endpoint that provides Access Token.
+        - `userinfo_endpoint` is the URL to the endpoint that provides the user information.
+        - `jwks_uri` is the URL to the endpoint where the Token signer publishes its keys.
+
+1.  Save the configuration file.
+1.  [Reconfigure](../restart_gitlab.md#omnibus-gitlab-reconfigure) or [restart GitLab](../restart_gitlab.md#installations-from-source)
+    for the changes to take effect if you installed GitLab via Omnibus or from source respectively.
+
+On the sign in page, there should now be an OpenID Connect icon below the regular sign in form.
+Click the icon to begin the authentication process. The OpenID Connect provider will ask the user to
+sign in and authorize the GitLab application (if confirmation required by the client). If everything goes well, the user
+will be redirected to GitLab and will be signed in.
diff --git a/doc/integration/omniauth.md b/doc/integration/omniauth.md
index 7fd39b02fbe..ef1f2df77f8 100644
--- a/doc/integration/omniauth.md
+++ b/doc/integration/omniauth.md
@@ -33,6 +33,7 @@ contains some settings that are common for all providers.
 - [Authentiq](../administration/auth/authentiq.md)
 - [OAuth2Generic](oauth2_generic.md)
 - [JWT](../administration/auth/jwt.md)
+- [OpenID Connect](../administration/auth/oidc.md)
 - [UltraAuth](ultra_auth.md)
 
 ## Initial OmniAuth Configuration