Merge branch '43512-add-support-for-omniauth-jwt-provider' into 'master'

Resolve "Add support for omniauth-jwt provider" Closes #43512 See merge request gitlab-org/gitlab-ce!17774

Merge branch '43512-add-support-for-omniauth-jwt-provider' into 'master'
678af224 · Douwe Maan · ffa73498 · 775796cd · 678af224 · 678af224
Commit 678af224 authored 6 years ago by Douwe Maan
--- a/Gemfile
+++ b/Gemfile
@@ -52,6 +52,7 @@ gem 'omniauth-shibboleth', '~> 1.2.0'
 gem 'omniauth-twitter', '~> 1.4'
 gem 'omniauth_crowd', '~> 2.2.0'
 gem 'omniauth-authentiq', '~> 0.3.1'
+gem 'omniauth-jwt', '~> 0.0.2'
 gem 'rack-oauth2', '~> 1.2.1'
 gem 'jwt', '~> 1.5.6'
  

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -554,6 +554,9 @@ GEM
      multi_json (~> 1.3)
      omniauth (>= 1.1.1)
      omniauth-oauth2 (>= 1.3.1)
+    omniauth-jwt (0.0.2)
+      jwt
+      omniauth (~> 1.1)
    omniauth-kerberos (0.3.0)
      omniauth-multipassword
      timfel-krb5-auth (~> 0.8)
@@ -1115,6 +1118,7 @@ DEPENDENCIES
  omniauth-github (~> 1.1.1)
  omniauth-gitlab (~> 1.0.2)
  omniauth-google-oauth2 (~> 0.5.2)
+  omniauth-jwt (~> 0.0.2)
  omniauth-kerberos (~> 0.3.0)
  omniauth-oauth2-generic (~> 0.2.2)
  omniauth-saml (~> 1.10)

--- a/changelogs/unreleased/43512-add-support-for-omniauth-jwt-provider.yml
+++ b/changelogs/unreleased/43512-add-support-for-omniauth-jwt-provider.yml
+---
+title: Adds support for OmniAuth JWT provider
+merge_request: 17774
+author:
+type: added
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -518,7 +518,17 @@ production: &base
      # - { name: 'twitter',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET' }
-      #
+      # - { name: 'jwt',
+      #     app_secret: 'YOUR_APP_SECRET',
+      #     args: {
+      #             algorithm: 'HS256',
+      #             uid_claim: 'email',
+      #             required_claims: ["name", "email"],
+      #             info_map: { name: "name", email: "email" },
+      #             auth_url: 'https://example.com/',
+      #             valid_within: nil,
+      #           }
+      #   }
      # - { name: 'saml',
      #     label: 'Our SAML Provider',
      #     groups_attribute: 'Groups',
@@ -799,6 +809,17 @@ test:
      - { name: 'twitter',
          app_id: 'YOUR_APP_ID',
          app_secret: 'YOUR_APP_SECRET' }
+      - { name: 'jwt',
+          app_secret: 'YOUR_APP_SECRET',
+          args: {
+                  algorithm: 'HS256',
+                  uid_claim: 'email',
+                  required_claims: ["name", "email"],
+                  info_map: { name: "name", email: "email" },
+                  auth_url: 'https://example.com/',
+                  valid_within: nil,
+                }
+        }
      - { name: 'auth0',
          args: {
            client_id: 'YOUR_AUTH0_CLIENT_ID',

--- a/doc/administration/auth/jwt.md
+++ b/doc/administration/auth/jwt.md
+# JWT OmniAuth provider
+
+To enable the JWT OmniAuth provider, you must register your application with JWT.
+JWT will provide you with a secret key for you to use.
+
+1.  On your GitLab server, open the configuration file.
+
+    For Omnibus GitLab:
+
+    ```sh
+    sudo editor /etc/gitlab/gitlab.rb
+    ```
+
+    For installations from source:
+
+    ```sh
+    cd /home/git/gitlab
+    sudo -u git -H editor config/gitlab.yml
+    ```
+
+1.  See [Initial OmniAuth Configuration](../../integration/omniauth.md#initial-omniauth-configuration) for initial settings.
+1.  Add the provider configuration.
+
+    For Omnibus GitLab:
+
+    ```ruby
+    gitlab_rails['omniauth_providers'] = [
+      { name: 'jwt',
+        app_secret: 'YOUR_APP_SECRET',
+        args: {
+                algorithm: 'HS256',
+                uid_claim: 'email',
+                required_claims: ["name", "email"],
+                info_maps: { name: "name", email: "email" },
+                auth_url: 'https://example.com/',
+                valid_within: nil,
+              }
+      }
+    ]
+    ```
+
+    For installation from source:
+
+    ```
+    - { name: 'jwt',
+        app_secret: 'YOUR_APP_SECRET',
+        args: {
+                algorithm: 'HS256',
+                uid_claim: 'email',
+                required_claims: ["name", "email"],
+                info_map: { name: "name", email: "email" },
+                auth_url: 'https://example.com/',
+                valid_within: nil,
+              }
+      }
+    ```
+
+    NOTE: **Note:** For more information on each configuration option refer to
+    the [OmniAuth JWT usage documentation](https://github.com/mbleigh/omniauth-jwt#usage).
+
+1.  Change `YOUR_APP_SECRET` to the client secret and set `auth_url` to your redirect URL.
+1.  Save the configuration file.
+1.  [Reconfigure GitLab][] or [restart GitLab][] for the changes to take effect if you
+    installed GitLab via Omnibus or from source respectively.
+
+On the sign in page there should now be a JWT icon below the regular sign in form.
+Click the icon to begin the authentication process. JWT will ask the user to
+sign in and authorize the GitLab application. If everything goes well, the user
+will be redirected to GitLab and will be signed in.
+
+[reconfigure GitLab]: ../restart_gitlab.md#omnibus-gitlab-reconfigure
+[restart GitLab]: ../restart_gitlab.md#installations-from-source
--- a/doc/integration/omniauth.md
+++ b/doc/integration/omniauth.md
@@ -32,6 +32,7 @@ contains some settings that are common for all providers.
 - [Auth0](auth0.md)
 - [Authentiq](../administration/auth/authentiq.md)
 - [OAuth2Generic](oauth2_generic.md)
+- [JWT](../administration/auth/jwt.md)
  
 ## Initial OmniAuth Configuration