From fe82ef0c013a266f59b84d924f6269d8ea6ed792 Mon Sep 17 00:00:00 2001
From: Tiago Botelho
Date: Thu, 15 Mar 2018 15:19:55 +0000
Subject: [PATCH 1/3] Adds JWT omnianuth integration
---
 Gemfile | 1 +
 Gemfile.lock | 4 +
 ...-add-support-for-omniauth-jwt-provider.yml | 5 ++
 config/gitlab.yml.example | 23 +++-
 doc/integration/jwt.md | 74 +++++++++++++++++++
 doc/integration/omniauth.md | 1 +
 6 files changed, 107 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/unreleased/43512-add-support-for-omniauth-jwt-provider.yml
 create mode 100644 doc/integration/jwt.md
diff --git a/Gemfile b/Gemfile
index e423f4ba32f..ba936aab830 100644
--- a/Gemfile
+++ b/Gemfile
@@ -39,6 +39,7 @@ gem 'omniauth-shibboleth', '~> 1.2.0'
 gem 'omniauth-twitter', '~> 1.2.0'
 gem 'omniauth_crowd', '~> 2.2.0'
 gem 'omniauth-authentiq', '~> 0.3.1'
+gem 'omniauth-jwt', '~> 0.0.2'
 gem 'rack-oauth2', '~> 1.2.1'
 gem 'jwt', '~> 1.5.6'
diff --git a/Gemfile.lock b/Gemfile.lock
index 1c6c7edb1a0..35cb0bdb225 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -552,6 +552,9 @@ GEM
 multi_json (~> 1.3)
 omniauth (>= 1.1.1)
 omniauth-oauth2 (>= 1.3.1)
+ omniauth-jwt (0.0.2)
+ jwt
+ omniauth (~> 1.1)
 omniauth-kerberos (0.3.0)
 omniauth-multipassword
 timfel-krb5-auth (~> 0.8)
@@ -1113,6 +1116,7 @@ DEPENDENCIES
 omniauth-github (~> 1.1.1)
 omniauth-gitlab (~> 1.0.2)
 omniauth-google-oauth2 (~> 0.5.2)
+ omniauth-jwt (~> 0.0.2)
 omniauth-kerberos (~> 0.3.0)
 omniauth-oauth2-generic (~> 0.2.2)
 omniauth-saml (~> 1.10)
diff --git a/changelogs/unreleased/43512-add-support-for-omniauth-jwt-provider.yml b/changelogs/unreleased/43512-add-support-for-omniauth-jwt-provider.yml
new file mode 100644
index 00000000000..039d3de7168
--- /dev/null
+++ b/changelogs/unreleased/43512-add-support-for-omniauth-jwt-provider.yml
@@ -0,0 +1,5 @@
+---
+title: Adds support for OmniAuth JWT provider
+merge_request: 17774
+author:
+type: added
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index bd696a7f2c5..9c8ad49b562 100644
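Review bot: The new `gem 'omniauth-jwt', '~> 0.0.2'` line brings in a gem whose own `jwt` dependency carries no version bound (the Gemfile.lock hunk records it as a bare `jwt`), so the `jwt` release it runs against is fixed only by the existing `gem 'jwt', '~> 1.5.6'` pin two lines below. Because this gem sits directly on the sign-in path, that coupling deserves a comment next to the new line, e.g. `gem 'omniauth-jwt', '~> 0.0.2' # its jwt dependency is unbounded; the 'jwt' pin below governs the resolved version`, so that a later change to either pin is reviewed together. The `~> 0.0.2` constraint also admits only patch releases of a pre-1.0 gem, which is a reasonable default but should be revisited deliberately rather than drifting.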
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -481,7 +481,17 @@ production: &base
 # - { name: 'twitter',
 # app_id: 'YOUR_APP_ID',
 # app_secret: 'YOUR_APP_SECRET' }
- #
+ # - { name: 'jwt',
+ # app_secret: 'YOUR_APP_SECRET',
+ # args: {
+ # algorithm: 'HS256',
+ # uid_claim: 'email',
+ # required_claims: ["name", "email"],
+ # info_map: { name: "name", email: "email" },
+ # auth_url: 'https://example.com/',
+ # valid_within: nil,
+ # }
+ # }
 # - { name: 'saml',
 # label: 'Our SAML Provider',
 # groups_attribute: 'Groups',
@@ -733,6 +743,17 @@ test:
 - { name: 'twitter',
 app_id: 'YOUR_APP_ID',
 app_secret: 'YOUR_APP_SECRET' }
+ - { name: 'jwt',
+ app_secret: 'YOUR_APP_SECRET',
+ args: {
+ algorithm: 'HS256',
+ uid_claim: 'email',
+ required_claims: ["name", "email"],
+ info_map: { name: "name", email: "email" },
+ auth_url: 'https://example.com/',
+ valid_within: nil,
+ }
+ }
 - { name: 'auth0',
 args: {
 client_id: 'YOUR_AUTH0_CLIENT_ID',
diff --git a/doc/integration/jwt.md b/doc/integration/jwt.md
new file mode 100644
index 00000000000..765b7098b81
--- /dev/null
+++ b/doc/integration/jwt.md
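Review bot: Both new `jwt` provider examples (the commented `production` block and the live `test` block in the second hunk) set `valid_within: nil`, which, if it behaves as the gem's option name suggests, leaves no issued-at freshness window, so a token signed with the shared `app_secret` stays acceptable however old it is. This file is the template administrators copy from, so the production example should show a bounded window and say what the value means, e.g. `#       valid_within: 3600, # seconds after iat a token is still accepted; nil disables the check`; the `test` block may keep `nil` if the suite depends on it, but a comment there saying so would stop the value being copied into real deployments. Separately, the Omnibus example added in doc/integration/jwt.md spells the key `info_maps` while both YAML examples here use `info_map`; the two should agree, and the gem's documented option name should be checked before choosing, since a misspelled key would presumably be ignored rather than rejected.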
@@ -0,0 +1,74 @@
+# Integrate your server with JWT
+
+To enable the JWT OmniAuth provider you must register your application with JWT.
+JWT will provide you with a secret key for you to use.
+
+1. On your GitLab server, open the configuration file.
+
+ For omnibus package:
+
+ ```sh
+ sudo editor /etc/gitlab/gitlab.rb
+ ```
+
+ For installations from source:
+
+ ```sh
+ cd /home/git/gitlab
+
+ sudo -u git -H editor config/gitlab.yml
+ ```
+
+1. See [Initial OmniAuth Configuration](omniauth.md#initial-omniauth-configuration) for initial settings.
+
+1. Add the provider configuration:
+
+ For omnibus package:
+
+ ```ruby
+ gitlab_rails['omniauth_providers'] = [
+ { name: 'jwt',
+ app_secret: 'YOUR_APP_SECRET',
+ args: {
+ algorithm: 'HS256',
+ uid_claim: 'email',
+ required_claims: ["name", "email"],
+ info_maps: { name: "name", email: "email" },
+ auth_url: 'https://example.com/',
+ valid_within: nil,
+ }
+ }
+ ]
+ ```
+
+ For installation from source:
+
+ ```
+ - { name: 'jwt',
+ app_secret: 'YOUR_APP_SECRET',
+ args: {
+ algorithm: 'HS256',
+ uid_claim: 'email',
+ required_claims: ["name", "email"],
+ info_map: { name: "name", email: "email" },
+ auth_url: 'https://example.com/',
+ valid_within: nil,
+ }
+ }
+ ```
+
+ __For more information on each configuration option refer to the [OmniAuth JWT usage documentation](https://github.com/mbleigh/omniauth-jwt#usage).__
+
+1. Change 'YOUR_APP_SECRET' to the client secret.
+
+1. Save the configuration file.
+
+1. [Reconfigure GitLab][] or [restart GitLab][] for the changes to take effect if you
+ installed GitLab via Omnibus or from source respectively.
+
+On the sign in page there should now be a JWT icon below the regular sign in form.
+Click the icon to begin the authentication process. JWT will ask the user to sign in and authorize the GitLab application.
+If everything goes well the user will be returned to GitLab and will be signed in.
+
+[reconfigure GitLab]: ../administration/restart_gitlab.md#omnibus-gitlab-reconfigure
+[restart GitLab]: ../administration/restart_gitlab.md#installations-from-source
diff --git a/doc/integration/omniauth.md b/doc/integration/omniauth.md
index 20087a981f9..c6cc023d7bf 100644
--- a/doc/integration/omniauth.md
+++ b/doc/integration/omniauth.md
@@ -32,6 +32,7 @@ contains some settings that are common for all providers.
 - [Auth0](auth0.md)
 - [Authentiq](../administration/auth/authentiq.md)
 - [OAuth2Generic](oauth2_generic.md)
+- [JWT](jwt.md)
 ## Initial OmniAuth Configuration
From d2608d36e47a1527aa44ae0d4b19a97683ece092 Mon Sep 17 00:00:00 2001
From: Achilleas Pipinellis
Date: Mon, 26 Mar 2018 17:48:12 +0200
Subject: [PATCH 2/3] Copyedit JWT docs
---
 doc/administration/auth/jwt.md | 72 +++++++++++++++++++++++++++++++++
 doc/integration/jwt.md | 74 ----------------------------------
 doc/integration/omniauth.md | 2 +-
 3 files changed, 73 insertions(+), 75 deletions(-)
 create mode 100644 doc/administration/auth/jwt.md
 delete mode 100644 doc/integration/jwt.md
diff --git a/doc/administration/auth/jwt.md b/doc/administration/auth/jwt.md
new file mode 100644
index 00000000000..6de3a76a00e
--- /dev/null
+++ b/doc/administration/auth/jwt.md
@@ -0,0 +1,72 @@
+# JWT OmniAuth provider
+
+To enable the JWT OmniAuth provider, you must register your application with JWT.
+JWT will provide you with a secret key for you to use.
+
+1. On your GitLab server, open the configuration file.
+
+ For Omnibus GitLab:
+
+ ```sh
+ sudo editor /etc/gitlab/gitlab.rb
+ ```
+
+ For installations from source:
+
+ ```sh
+ cd /home/git/gitlab
+ sudo -u git -H editor config/gitlab.yml
+ ```
+
+1. See [Initial OmniAuth Configuration](../../integration/omniauth.md#initial-omniauth-configuration) for initial settings.
+1. Add the provider configuration.
+
+ For Omnibus GitLab:
+
+ ```ruby
+ gitlab_rails['omniauth_providers'] = [
+ { name: 'jwt',
+ app_secret: 'YOUR_APP_SECRET',
+ args: {
+ algorithm: 'HS256',
+ uid_claim: 'email',
+ required_claims: ["name", "email"],
+ info_maps: { name: "name", email: "email" },
+ auth_url: 'https://example.com/',
+ valid_within: nil,
+ }
+ }
+ ]
+ ```
+
+ For installation from source:
+
+ ```
+ - { name: 'jwt',
+ app_secret: 'YOUR_APP_SECRET',
+ args: {
+ algorithm: 'HS256',
+ uid_claim: 'email',
+ required_claims: ["name", "email"],
+ info_map: { name: "name", email: "email" },
+ auth_url: 'https://example.com/',
+ valid_within: nil,
+ }
+ }
+ ```
+
+ NOTE: **Note:** For more information on each configuration option refer to
+ the [OmniAuth JWT usage documentation](https://github.com/mbleigh/omniauth-jwt#usage).
+
+1. Change `YOUR_APP_SECRET` to the client secret.
+1. Save the configuration file.
+1. [Reconfigure GitLab][] or [restart GitLab][] for the changes to take effect if you
+ installed GitLab via Omnibus or from source respectively.
+
+On the sign in page there should now be a JWT icon below the regular sign in form.
+Click the icon to begin the authentication process. JWT will ask the user to
+sign in and authorize the GitLab application. If everything goes well, the user
+will be redirected to GitLab and will be signed in.
+
+[reconfigure GitLab]: ../restart_gitlab.md#omnibus-gitlab-reconfigure
+[restart GitLab]: ../restart_gitlab.md#installations-from-source
diff --git a/doc/integration/jwt.md b/doc/integration/jwt.md
deleted file mode 100644
index 765b7098b81..00000000000
--- a/doc/integration/jwt.md
+++ /dev/null
@@ -1,74 +0,0 @@
-# Integrate your server with JWT
-
-To enable the JWT OmniAuth provider you must register your application with JWT.
-JWT will provide you with a secret key for you to use.
-
-1. On your GitLab server, open the configuration file.
-
- For omnibus package:
-
- ```sh
- sudo editor /etc/gitlab/gitlab.rb
- ```
-
- For installations from source:
-
- ```sh
- cd /home/git/gitlab
-
- sudo -u git -H editor config/gitlab.yml
- ```
-
-1. See [Initial OmniAuth Configuration](omniauth.md#initial-omniauth-configuration) for initial settings.
-
-1. Add the provider configuration:
-
- For omnibus package:
-
- ```ruby
- gitlab_rails['omniauth_providers'] = [
- { name: 'jwt',
- app_secret: 'YOUR_APP_SECRET',
- args: {
- algorithm: 'HS256',
- uid_claim: 'email',
- required_claims: ["name", "email"],
- info_maps: { name: "name", email: "email" },
- auth_url: 'https://example.com/',
- valid_within: nil,
- }
- }
- ]
- ```
-
- For installation from source:
-
- ```
- - { name: 'jwt',
- app_secret: 'YOUR_APP_SECRET',
- args: {
- algorithm: 'HS256',
- uid_claim: 'email',
- required_claims: ["name", "email"],
- info_map: { name: "name", email: "email" },
- auth_url: 'https://example.com/',
- valid_within: nil,
- }
- }
- ```
-
- __For more information on each configuration option refer to the [OmniAuth JWT usage documentation](https://github.com/mbleigh/omniauth-jwt#usage).__
-
-1. Change 'YOUR_APP_SECRET' to the client secret.
-
-1. Save the configuration file.
-
-1. [Reconfigure GitLab][] or [restart GitLab][] for the changes to take effect if you
- installed GitLab via Omnibus or from source respectively.
-
-On the sign in page there should now be a JWT icon below the regular sign in form.
-Click the icon to begin the authentication process. JWT will ask the user to sign in and authorize the GitLab application.
-If everything goes well the user will be returned to GitLab and will be signed in.
-
-[reconfigure GitLab]: ../administration/restart_gitlab.md#omnibus-gitlab-reconfigure
-[restart GitLab]: ../administration/restart_gitlab.md#installations-from-source
diff --git a/doc/integration/omniauth.md b/doc/integration/omniauth.md
index c6cc023d7bf..3edde3de83d 100644
--- a/doc/integration/omniauth.md
+++ b/doc/integration/omniauth.md
@@ -32,7 +32,7 @@ contains some settings that are common for all providers.
 - [Auth0](auth0.md)
 - [Authentiq](../administration/auth/authentiq.md)
 - [OAuth2Generic](oauth2_generic.md)
-- [JWT](jwt.md)
+- [JWT](../administration/auth/jwt.md)
 ## Initial OmniAuth Configuration
From 775796cdf776f00b5dafe27e2eaafff3f322c5a7 Mon Sep 17 00:00:00 2001
From: Achilleas Pipinellis
Date: Mon, 26 Mar 2018 18:16:31 +0200
Subject: [PATCH 3/3] Clarify what auth_url should be [ci skip]
---
 doc/administration/auth/jwt.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/administration/auth/jwt.md b/doc/administration/auth/jwt.md
index 6de3a76a00e..b51e705ab52 100644
--- a/doc/administration/auth/jwt.md
+++ b/doc/administration/auth/jwt.md
@@ -58,7 +58,7 @@ JWT will provide you with a secret key for you to use.
 NOTE: **Note:** For more information on each configuration option refer to
 the [OmniAuth JWT usage documentation](https://github.com/mbleigh/omniauth-jwt#usage).
-1. Change `YOUR_APP_SECRET` to the client secret.
+1. Change `YOUR_APP_SECRET` to the client secret and set `auth_url` to your redirect URL.
 1. Save the configuration file.
 1. [Reconfigure GitLab][] or [restart GitLab][] for the changes to take effect if you
 installed GitLab via Omnibus or from source respectively.