diff --git a/CHANGELOG b/CHANGELOG index 66d23dcfd4f..a6c761c3e2b 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -34,6 +34,7 @@ v 7.12.0 (unreleased) - You can not remove user if he/she is an only owner of group - User should be able to leave group. If not - show him proper message - User has ability to leave project + - Add an option to automatically sign-in with an Omniauth provider v 7.11.4 - Fix missing bullets when creating lists diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index b89b4c27350..4d976fe6630 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -2,6 +2,7 @@ class SessionsController < Devise::SessionsController include AuthenticatesWithTwoFactor prepend_before_action :authenticate_with_two_factor, only: [:create] + before_action :auto_sign_in_with_provider, only: [:new] def new redirect_path = @@ -75,6 +76,21 @@ class SessionsController < Devise::SessionsController end end + def auto_sign_in_with_provider + provider = Gitlab.config.omniauth.auto_sign_in_with_provider + return unless provider.present? + + # Auto sign in with an Omniauth provider only if the standard "you need to sign-in" alert is + # registered or no alert at all. In case of another alert (such as a blocked user), it is safer + # to do nothing to prevent redirection loops with certain Omniauth providers. + return unless flash[:alert].blank? || flash[:alert] == I18n.t('devise.failure.unauthenticated') + + # Prevent alert from popping up on the first page shown after authentication. + flash[:alert] = nil + + redirect_to omniauth_authorize_path(:user, provider.to_sym) + end + def valid_otp_attempt?(user) user.valid_otp?(user_params[:otp_attempt]) || user.invalidate_otp_backup_code!(user_params[:otp_attempt]) diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example index 5acfe548502..c7f22b9388b 100644 --- a/config/gitlab.yml.example +++ b/config/gitlab.yml.example @@ -182,6 +182,10 @@ production: &base # Allow login via Twitter, Google, etc. using OmniAuth providers enabled: false + # Uncomment this to automatically sign in with a specific omniauth provider's without + # showing GitLab's sign-in page (default: show the GitLab sign-in page) + # auto_sign_in_with_provider: saml + # CAUTION! # This allows users to login without having a user account first (default: false). # User accounts will be created automatically when authentication was successful. diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb index 2351ef7b0ce..c234bd69e9a 100644 --- a/config/initializers/1_settings.rb +++ b/config/initializers/1_settings.rb @@ -87,6 +87,8 @@ end Settings['omniauth'] ||= Settingslogic.new({}) Settings.omniauth['enabled'] = false if Settings.omniauth['enabled'].nil? +Settings.omniauth['auto_sign_in_with_provider'] = false if Settings.omniauth['auto_sign_in_with_provider'].nil? + Settings.omniauth['providers'] ||= [] Settings['issues_tracker'] ||= {} diff --git a/config/initializers/7_omniauth.rb b/config/initializers/7_omniauth.rb index 103aa06ca32..6f1f267bf97 100644 --- a/config/initializers/7_omniauth.rb +++ b/config/initializers/7_omniauth.rb @@ -12,6 +12,8 @@ if Gitlab::LDAP::Config.enabled? end OmniAuth.config.allowed_request_methods = [:post] +#In case of auto sign-in, the GET method is used (users don't get to click on a button) +OmniAuth.config.allowed_request_methods << :get if Gitlab.config.omniauth.auto_sign_in_with_provider.present? OmniAuth.config.before_request_phase do |env| OmniAuth::RequestForgeryProtection.new(env).call end