Feature proposal: omniauth-kerberos-spnego
Kerberos is a single sign-on system. GitLab EE currently supports Kerberos via two different mechanisms:
- master password sign-in in the web UI
- SPNEGO authentication for Git HTTP access
To be honest, the current Kerberos web UI sign-in mechanism defeats the point of Kerberos, because the user has to give their master password to the GitLab server and trust that it does not get lost or leaked. With SPNEGO on the other hand the user's master password never leaves their laptop.
To put it differently, if we compare our current Kerberos web sign-in to Google authentication, it would be as if GitLab asks you to submit your Google password to GitLab when signing in via Google.
Having had to dive into the Git HTTP Kerberos SPNEGO code for !509 (merged), I realized we could re-use this code for web sign-ins. I am attaching a video and proof of concept implementation (based on !509 (merged)). The proof of concept is very simple: it consists of a new OmniAuth provider (omniauth-kerberos-spnego) and a controller with just one action (OmniauthKerberosSpnegoController#negotiate).
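To make the `negotiate` action concrete, here is the HTTP Negotiate (RFC 4559) round trip such a provider has to perform, written as a small Rack endpoint. This is an added illustration, not code from the proof of concept or from GitLab; the class name `SpnegoNegotiate`, the `acceptor` callable (standing in for a GSSAPI `accept_sec_context` call against the service keytab) and the `spnego.principal` env key are assumptions of this example.

```ruby
require 'base64'

# Raised by the acceptor when the GSS token is not valid for our service.
class SpnegoError < StandardError; end

# Added example: the server side of the SPNEGO handshake. The user's
# Kerberos password never reaches this code; only a service ticket does.
class SpnegoNegotiate
  CHALLENGE = { 'WWW-Authenticate' => 'Negotiate' }.freeze

  # acceptor: callable taking raw GSS token bytes and returning
  # [principal, response_token_or_nil]; raises SpnegoError on failure.
  # In production this wraps the gssapi library; here it is injected
  # so the example runs offline.
  def initialize(acceptor, realm:)
    @acceptor = acceptor
    @realm = realm
  end

  def call(env)
    header = env['HTTP_AUTHORIZATION'].to_s
    # First round trip: no token yet, so challenge the browser.
    return [401, CHALLENGE.dup, []] unless header.start_with?('Negotiate ')

    token = Base64.strict_decode64(header.delete_prefix('Negotiate '))
    principal, out_token = @acceptor.call(token)
    # Only map principals from the configured realm onto local accounts;
    # a valid ticket from another realm must not sign anyone in.
    return [403, {}, []] unless principal.end_with?("@#{@realm}")

    headers = {}
    # Mutual authentication: hand the acceptor's reply token back so the
    # client can verify it is talking to the genuine service.
    if out_token
      headers['WWW-Authenticate'] = "Negotiate #{Base64.strict_encode64(out_token)}"
    end
    # The OmniAuth auth hash (uid, info) would be built from this principal.
    env['spnego.principal'] = principal
    [200, headers, [principal]]
  rescue ArgumentError, SpnegoError
    # Undecodable or rejected token: re-challenge rather than leak details.
    [401, CHALLENGE.dup, []]
  end
end
```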
@JobV @DouweM do we want this as a feature? I am not aware of any customers who really want this (I suspect many use SAML instead of Kerberos for web sign-ins), but it would be an improvement over what we have now.
A proper implementation would need at least:
- tests
- UI elements on the sign-in page
- a reliable migration path for existing users that signed up with the 'master password' Kerberos integration