OpenStack authentication integration (i.e. make GitLab use the OpenStack Identity API to authenticate a user's username/password)
Description
The following is a feedback from one GitLab World Tour attendee:
This is so we can migrate an existing Gogs server (which currently authenticates against OpenStack with some custom code) over to GitLab; the migration of repos from Gogs to GitLab is another issue that we can figure out later, but for now…
Proposal
Here's a link to the OpenStack Identities API (specifically /v3/auth/tokens: Password authentication with unscoped authorization):
… and another to some details about how the Identities API works:
Really, it's just HTTP POST to a configured URL, with a JSON body that contains the username & password, and if a 2xx response comes back, it means the user is authenticated. The response also returns a UUID for the user, which can be used as an identifier in the same way e.g. 'sAMAccountName' is used for LDAP ActiveDirectory). Here's an example using cURL:
In case of a bad username or password a "401 Unauthorized" response is received, specifically:
HTTP/1.1 401 Unauthorized
Date: Tue, 01 Nov 2016 18:08:39 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: X-Auth-Token
X-Distribution: Ubuntu
x-openstack-request-id: XXXX
WWW-Authenticate: XXXX
Content-Length: 114
Content-Type: application/json
{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}
Hopefully, it's as simple to implement as it looks. I think it's just a matter of someone who knows what they're doing to do it :)
cc @JobV