Added support for Authentiq oauth provider

10 files changed, 91 insertions, 3 deletions

diff --git a/Gemfile b/Gemfile
index bea31b53b1c..dc28b4fdd9b 100644
--- a/Gemfile
+++ b/Gemfile
@@ -32,6 +32,7 @@ gem 'omniauth-saml',          '~> 1.7.0'
 gem 'omniauth-shibboleth',    '~> 1.2.0'
 gem 'omniauth-twitter',       '~> 1.2.0'
 gem 'omniauth_crowd',         '~> 2.2.0'
+gem 'omniauth-authentiq',     '~> 0.2.0'
 gem 'rack-oauth2',            '~> 1.2.1'
 gem 'jwt'
 
diff --git a/Gemfile.lock b/Gemfile.lock
index 811adfc5c1d..e0266d8fdc0 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -428,6 +428,8 @@ GEM
       rack (>= 1.0, < 3)
     omniauth-auth0 (1.4.1)
       omniauth-oauth2 (~> 1.1)
+    omniauth-authentiq (0.2.2)
+      omniauth-oauth2 (~> 1.3, >= 1.3.1)
     omniauth-azure-oauth2 (0.0.6)
       jwt (~> 1.0)
       omniauth (~> 1.0)
@@ -897,6 +899,7 @@ DEPENDENCIES
   oj (~> 2.17.4)
   omniauth (~> 1.3.1)
   omniauth-auth0 (~> 1.4.1)
+  omniauth-authentiq (~> 0.2.0)
   omniauth-azure-oauth2 (~> 0.0.6)
   omniauth-cas3 (~> 1.1.2)
   omniauth-facebook (~> 4.0.0)
diff --git a/app/assets/images/auth_buttons/authentiq_64.png b/app/assets/images/auth_buttons/authentiq_64.png
new file mode 100644
index 00000000000..81767bbcc54
--- /dev/null
+++ b/app/assets/images/auth_buttons/authentiq_64.png
diff --git a/app/helpers/auth_helper.rb b/app/helpers/auth_helper.rb
index 92bac149313..1ee6c1d3afa 100644
--- a/app/helpers/auth_helper.rb
+++ b/app/helpers/auth_helper.rb
@@ -1,5 +1,5 @@
 module AuthHelper
-  PROVIDERS_WITH_ICONS = %w(twitter github gitlab bitbucket google_oauth2 facebook azure_oauth2).freeze
+  PROVIDERS_WITH_ICONS = %w(twitter github gitlab bitbucket google_oauth2 facebook azure_oauth2 authentiq).freeze
   FORM_BASED_PROVIDERS = [/\Aldap/, 'crowd'].freeze
 
   def ldap_enabled?
diff --git a/changelogs/unreleased/8038-authentiq-id-oauth-support.yml b/changelogs/unreleased/8038-authentiq-id-oauth-support.yml
new file mode 100644
index 00000000000..36f8ac9c840
--- /dev/null
+++ b/changelogs/unreleased/8038-authentiq-id-oauth-support.yml
@@ -0,0 +1,4 @@
+---
+title: Add Authentiq as Oauth provider
+merge_request: 8038
+author: Alexandros Keramidas
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index b8b41a0d86c..2d1d48bf9da 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -368,6 +368,16 @@ production: &base
       #             login_url: '/cas/login',
       #             service_validate_url: '/cas/p3/serviceValidate',
       #             logout_url: '/cas/logout'} }
+      # - { name: 'authentiq',
+      #     # for client credentials (client ID and secret), go to https://www.authentiq.com/
+      #     app_id: 'YOUR_CLIENT_ID',
+      #     app_secret: 'YOUR_CLIENT_SECRET',
+      #     args: {
+      #             scope: 'aq:name email~rs address aq:push'
+      #             # redirect_uri parameter is optional except when 'gitlab.host' in this file is set to 'localhost'
+      #             # redirect_uri: 'YOUR_REDIRECT_URI'
+      #           }
+      #   }
       # - { name: 'github',
       #     app_id: 'YOUR_APP_ID',
       #     app_secret: 'YOUR_APP_SECRET',
diff --git a/doc/administration/auth/README.md b/doc/administration/auth/README.md
index 2fc5d0355b5..13bd501e397 100644
--- a/doc/administration/auth/README.md
+++ b/doc/administration/auth/README.md
@@ -6,7 +6,7 @@ providers.
 - [LDAP](ldap.md) Includes Active Directory, Apple Open Directory, Open LDAP,
   and 389 Server
 - [OmniAuth](../../integration/omniauth.md) Sign in via Twitter, GitHub, GitLab.com, Google,
-  Bitbucket, Facebook, Shibboleth, Crowd and Azure
+  Bitbucket, Facebook, Shibboleth, Crowd, Azure and Authentiq ID
 - [CAS](../../integration/cas.md) Configure GitLab to sign in using CAS
 - [SAML](../../integration/saml.md) Configure GitLab as a SAML 2.0 Service Provider
 - [Okta](okta.md) Configure GitLab to sign in using Okta
diff --git a/doc/administration/auth/authentiq.md b/doc/administration/auth/authentiq.md
new file mode 100644
index 00000000000..3f39539da95
--- /dev/null
+++ b/doc/administration/auth/authentiq.md
@@ -0,0 +1,69 @@
+# Authentiq OmniAuth Provider
+
+To enable the Authentiq OmniAuth provider for passwordless authentication you must register an application with Authentiq.
+
+Authentiq will generate a Client ID and the accompanying Client Secret for you to use.
+
+1. Get your Client credentials (Client ID and Client Secret) at [Authentiq](https://www.authentiq.com/register).
+
+2. On your GitLab server, open the configuration file:
+
+    For omnibus installation
+    ```sh
+    sudo editor /etc/gitlab/gitlab.rb
+    ```
+
+    For installations from source:
+
+    ```sh
+    sudo -u git -H editor /home/git/gitlab/config/gitlab.yml
+    ```
+    
+3. See [Initial OmniAuth Configuration](../../integration/omniauth.md#initial-omniauth-configuration) for initial settings to enable single sign-on and add Authentiq as an OAuth provider. 
+
+4. Add the provider configuration for Authentiq:
+    
+    For Omnibus packages:
+
+    ```ruby
+    gitlab_rails['omniauth_providers'] = [
+      {
+        "name" => "authentiq",
+        "app_id" => "YOUR_CLIENT_ID",
+        "app_secret" => "YOUR_CLIENT_SECRET",
+        "args" => { 
+               scope: 'aq:name email~rs aq:push'
+         }
+      }
+    ]
+    ```
+    
+    For installations from source:
+    
+    ```yaml
+    - { name: 'authentiq',
+        app_id: 'YOUR_CLIENT_ID',
+        app_secret: 'YOUR_CLIENT_SECRET',
+        args: {
+               scope: 'aq:name email~rs aq:push'
+              }
+      }
+    ```
+    
+    
+5. The `scope` is set to request the user's name, email (required and signed), and permission to send push notifications to sign in on subsequent visits.
+See [OmniAuth Authentiq strategy](https://github.com/AuthentiqID/omniauth-authentiq#scopes-and-redirect-uri-configuration) for more information on scopes and modifiers.
+
+6. Change 'YOUR_CLIENT_ID' and 'YOUR_CLIENT_SECRET' to the Client credentials you received in step 1.
+
+7. Save the configuration file.
+
+8. [Reconfigure](../restart_gitlab.md#omnibus-gitlab-reconfigure) or [restart GitLab](../restart_gitlab.md#installations-from-source)
+   for the changes to take effect if you installed GitLab via Omnibus or from source respectively.
+
+On the sign in page there should now be an Authentiq icon below the regular sign in form. Click the icon to begin the authentication process. 
+
+- If the user has the Authentiq ID app installed in their iOS or Android device, they can scan the QR code, decide what personal details to share and sign in to your GitLab installation. 
+- If not they will be prompted to download the app and then follow the procedure above. 
+
+If everything goes right, the user will be returned to GitLab and will be signed in.
\ No newline at end of file
diff --git a/doc/integration/README.md b/doc/integration/README.md
index f8ffa6dcb7f..ed843c0bfa9 100644
--- a/doc/integration/README.md
+++ b/doc/integration/README.md
@@ -8,7 +8,7 @@ See the documentation below for details on how to configure these services.
 - [JIRA](../project_services/jira.md) Integrate with the JIRA issue tracker
 - [External issue tracker](external-issue-tracker.md) Redmine, JIRA, etc.
 - [LDAP](ldap.md) Set up sign in via LDAP
-- [OmniAuth](omniauth.md) Sign in via Twitter, GitHub, GitLab.com, Google, Bitbucket, Facebook, Shibboleth, SAML, Crowd and Azure
+- [OmniAuth](omniauth.md) Sign in via Twitter, GitHub, GitLab.com, Google, Bitbucket, Facebook, Shibboleth, SAML, Crowd, Azure and Authentiq ID
 - [SAML](saml.md) Configure GitLab as a SAML 2.0 Service Provider
 - [CAS](cas.md) Configure GitLab to sign in using CAS
 - [OAuth2 provider](oauth_provider.md) OAuth2 application creation
diff --git a/doc/integration/omniauth.md b/doc/integration/omniauth.md
index 8a55fce96fe..4c933cef9b7 100644
--- a/doc/integration/omniauth.md
+++ b/doc/integration/omniauth.md
@@ -30,6 +30,7 @@ contains some settings that are common for all providers.
 - [Crowd](crowd.md)
 - [Azure](azure.md)
 - [Auth0](auth0.md)
+- [Authentiq](../administration/auth/authentiq.md)
 
 ## Initial OmniAuth Configuration