summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--Gemfile1
-rw-r--r--Gemfile.lock4
-rw-r--r--changelogs/unreleased/add-jwt-strategy-to-gitlab-suite.yml5
-rw-r--r--config/gitlab.yml.example4
-rw-r--r--config/initializers/omniauth.rb1
-rw-r--r--doc/administration/auth/jwt.md2
-rw-r--r--lib/omni_auth/strategies/jwt.rb62
7 files changed, 71 insertions, 8 deletions
diff --git a/Gemfile b/Gemfile
index 71f27e0f6de..a8a59c976f6 100644
--- a/Gemfile
+++ b/Gemfile
@@ -51,7 +51,6 @@ gem 'omniauth-shibboleth', '~> 1.2.0'
gem 'omniauth-twitter', '~> 1.4'
gem 'omniauth_crowd', '~> 2.2.0'
gem 'omniauth-authentiq', '~> 0.3.1'
-gem 'omniauth-jwt', '~> 0.0.2'
gem 'rack-oauth2', '~> 1.2.1'
gem 'jwt', '~> 1.5.6'
diff --git a/Gemfile.lock b/Gemfile.lock
index d5e1c428e25..29161429f23 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -555,9 +555,6 @@ GEM
jwt (>= 1.5)
omniauth (>= 1.1.1)
omniauth-oauth2 (>= 1.5)
- omniauth-jwt (0.0.2)
- jwt
- omniauth (~> 1.1)
omniauth-kerberos (0.3.0)
omniauth-multipassword
timfel-krb5-auth (~> 0.8)
@@ -1119,7 +1116,6 @@ DEPENDENCIES
omniauth-github (~> 1.1.1)
omniauth-gitlab (~> 1.0.2)
omniauth-google-oauth2 (~> 0.5.3)
- omniauth-jwt (~> 0.0.2)
omniauth-kerberos (~> 0.3.0)
omniauth-oauth2-generic (~> 0.2.2)
omniauth-saml (~> 1.10)
diff --git a/changelogs/unreleased/add-jwt-strategy-to-gitlab-suite.yml b/changelogs/unreleased/add-jwt-strategy-to-gitlab-suite.yml
new file mode 100644
index 00000000000..22a839cef56
--- /dev/null
+++ b/changelogs/unreleased/add-jwt-strategy-to-gitlab-suite.yml
@@ -0,0 +1,5 @@
+---
+title: Ports omniauth-jwt gem onto GitLab OmniAuth Strategies suite
+merge_request: 18580
+author:
+type: fixed
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index 8c39a1f2aa9..722ac67da0b 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -532,7 +532,7 @@ production: &base
# required_claims: ["name", "email"],
# info_map: { name: "name", email: "email" },
# auth_url: 'https://example.com/',
- # valid_within: nil,
+ # valid_within: null,
# }
# }
# - { name: 'saml',
@@ -823,7 +823,7 @@ test:
required_claims: ["name", "email"],
info_map: { name: "name", email: "email" },
auth_url: 'https://example.com/',
- valid_within: nil,
+ valid_within: null,
}
}
- { name: 'auth0',
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
index 00baea08613..e33ebb25c4c 100644
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@@ -25,5 +25,6 @@ end
module OmniAuth
module Strategies
autoload :Bitbucket, Rails.root.join('lib', 'omni_auth', 'strategies', 'bitbucket')
+ autoload :Jwt, Rails.root.join('lib', 'omni_auth', 'strategies', 'jwt')
end
end
diff --git a/doc/administration/auth/jwt.md b/doc/administration/auth/jwt.md
index b51e705ab52..8b00f52ffc1 100644
--- a/doc/administration/auth/jwt.md
+++ b/doc/administration/auth/jwt.md
@@ -50,7 +50,7 @@ JWT will provide you with a secret key for you to use.
required_claims: ["name", "email"],
info_map: { name: "name", email: "email" },
auth_url: 'https://example.com/',
- valid_within: nil,
+ valid_within: null,
}
}
```
diff --git a/lib/omni_auth/strategies/jwt.rb b/lib/omni_auth/strategies/jwt.rb
new file mode 100644
index 00000000000..2349b2a28aa
--- /dev/null
+++ b/lib/omni_auth/strategies/jwt.rb
@@ -0,0 +1,62 @@
+require 'omniauth'
+require 'jwt'
+
+module OmniAuth
+ module Strategies
+ class JWT
+ ClaimInvalid = Class.new(StandardError)
+
+ include OmniAuth::Strategy
+
+ args [:secret]
+
+ option :secret, nil
+ option :algorithm, 'HS256'
+ option :uid_claim, 'email'
+ option :required_claims, %w(name email)
+ option :info_map, { name: "name", email: "email" }
+ option :auth_url, nil
+ option :valid_within, nil
+
+ uid { decoded[options.uid_claim] }
+
+ extra do
+ { raw_info: decoded }
+ end
+
+ info do
+ options.info_map.each_with_object({}) do |(k, v), h|
+ h[k.to_s] = decoded[v.to_s]
+ end
+ end
+
+ def request_phase
+ redirect options.auth_url
+ end
+
+ def decoded
+ @decoded ||= ::JWT.decode(request.params['jwt'], options.secret, options.algorithm).first
+
+ (options.required_claims || []).each do |field|
+ raise ClaimInvalid, "Missing required '#{field}' claim" unless @decoded.key?(field.to_s)
+ end
+
+ raise ClaimInvalid, "Missing required 'iat' claim" if options.valid_within && !@decoded["iat"]
+
+ if options.valid_within && (Time.now.to_i - @decoded["iat"]).abs > options.valid_within
+ raise ClaimInvalid, "'iat' timestamp claim is too skewed from present"
+ end
+
+ @decoded
+ end
+
+ def callback_phase
+ super
+ rescue ClaimInvalid => e
+ fail! :claim_invalid, e
+ end
+ end
+
+ class Jwt < JWT; end
+ end
+end