-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for Omniauth OpenID Connect login. #2953
base: master
Are you sure you want to change the base?
Conversation
Value for client_auth_method is 'query' in the example, but default value is 'basic' as described in [GitLab OmniAuth OIDC documentation, step 4.](https://docs.gitlab.com/ee/administration/auth/oidc.html).
I found the following differences between my request (#2953) and #2927:
|
OAUTH_OIDC_RESPONSE_TYPE=${OAUTH_OIDC_RESPONSE_TYPE:-'code'} | ||
OAUTH_OIDC_ISSUER=${OAUTH_OIDC_ISSUER:-} | ||
OAUTH_OIDC_DISCOVERY=${OAUTH_OIDC_DISCOVERY:-true} | ||
OAUTH_OIDC_CLIENT_AUTH_METHOD=${OAUTH_OIDC_CLIENT_AUTH_METHOD:-'basic'} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In https://docs.gitlab.com/ee/administration/auth/oidc.html the default value for client_auth_method
(OAUTH_OIDC_CLIENT_AUTH_METHOD
) is 'query'
. Does tis matter?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In https://docs.gitlab.com/ee/administration/auth/oidc.html under step 4, supported values for client_auth_method
are listed: basic
, jwt_bearer
, mtls
, Any other value posts the client ID and secret in the request body. If not specified, this value defaults to basic
. However query
is written in the examples. Finally, I decided to use the basic
value.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@molnarpe Thanks for your PR and your helpful explanations. Hopefully my questions aren't to silly?
README.md
Outdated
| GitLab setting | environment variable | | ||
|----------------|----------------------| | ||
| `label` | `OAUTH_OIDC_LABEL` | | ||
| `icon` | `OAUTH_OIDC_ICON` | | ||
| `scope`| `OAUTH_OIDC_SCOPE` | | ||
| `response_type` | `OAUTH_OIDC_RESPONSE_TYPE` | | ||
| `issuer` | `OAUTH_OIDC_ISSUER` | | ||
| `discovery` | `OAUTH_OIDC_DISCOVERY` | | ||
| `client_auth_method` | `OAUTH_OIDC_CLIENT_AUTH_METHOD` | | ||
| `uid_field` | `OAUTH_OIDC_UID_FIELD` | | ||
| `send_scope_to_token_endpoint` | `OAUTH_OIDC_SEND_SCOPE_TO_TOKEN_EP` | | ||
| `pkce` | `OAUTH_OIDC_PKCE` | | ||
| `client_options.identifier` | `OAUTH_OIDC_CLIENT_ID` | | ||
| `client_options.secret` | `OAUTH_OIDC_CLIENT_SECRET` | | ||
| `client_options.redirect_uri` | `OAUTH_OIDC_REDIRECT_URI` | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you be so kind and add the default values defined in assets/runtime/functions
? I guess, this will be helpful.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I updated the README.md.
…now listed in README.md.
Enables OpenID Connect OmniAuth authentication method in GitLab. OmniAuth OIDC documentation