Gitlab Authentication not working

[serge-kilimoff]

Gitlab authentication is not working.
GITLAB_APP_ID, GITLAB_APP_SECRET and GITLAB_APP_URI have been correctly entered.
When redirecting to my Gitlab (self-hosted), the url contains an empty scope = parameter. However, Gitlab does not seem (or no longer) to accept empty scopes.

A temporary fix that I made on my side is to add in the file app / Auth / Access / SocialAuthService.php, in the function getSocialDriver an additional condition:

    /**
     * Provide redirect options per service for the Laravel Socialite driver
     */
    public function getSocialDriver(string $driverName): Provider
    {
        $driver = $this->socialite->driver($driverName);

        if ($driverName === 'google' && config('services.google.select_account')) {
            $driver->with(['prompt' => 'select_account']);
        }
       
        if ($driverName === 'azure') {
            $driver->with(['resource' => 'https://graph.windows.net']);
        }
        // BEGIN Dirty-fix
        if ($driverName === 'gitlab') {
            $driver = $driver->setScopes(['read_user']);
        }
        // END dirty-fix
        return $driver;
    }

I put read_user, but it's definitely too high a permission.

Gitlab version: 13.5.3

Thank you very much !

[ssddanbrown]

Thanks for reporting @serge-kilimoff.

I've just spent some time investigating this.

Looks like previously you could create an "Application" within GitLab without selecting scopes, which would then work when no scopes are provided. Looks like you can no longer do this since you're forced to make a selection. I'm unsure if this would previously give that application all permissions or a minimal set. Potentially it would have given all since I see that, when you select all scopes at least, it does enable the current functionality to work. Of course it is better to use the minimal scope.

This is something I'll look to create a PR for in the upstream package we're using. Before I do, You mentioned:

I put read_user, but it's definitely too high a permission.

Is there a better permission to use? That looks to be the most applicable within my view and is what I'm seeing in use by some other packages.

Resources for my future reference
laravel/socialite@60e5809
https://github.com/SocialiteProviders/Providers/tree/master/src/GitLab

[serge-kilimoff]

I confirm that it worked before without scope, and that it was possible to put an application without choosing anything. I still have apps configured this way, but that's old story now.
Regarding the second point, I am not English speaking (French speaking) and I sometimes use translation software (I have no problem reading, but writing is a little more complicated). I didn't mean "definitely too high permission" but "are there any lower permissions?", like a question.
read_user has read-only access to all user data, sounds like tip-top to me for this usage.

[ssddanbrown]

@serge-kilimoff Awesome, Thanks for confirming.

[ssddanbrown]

PR opened in SocialiteProviders/Providers#582

Will look to include in next feature release (v0.31) once merged. Wouldn't really look to include in a sooner patch release since it could be a breaking change in some instances.

Note to self - For Update Docs when Released

"Applications" within GitLab, created for BookStack authentication use, will need to have the read_user scope assigned. Not having this scope may lead to errors when users attempt to authenticate via GitLab.

Also need to document the PHP version change required as per changes in 2b603b0.

[cfreeman29]

Would like to add I had this same exact problem with a docker image of Bookstack and an on-prem instance of gitlab. After using the hot fix with it worked as intended.

[ssddanbrown]

PR was merged and included in the project as part of 2b603b0 so I'll therefore close this.

Will be part of BookStack v0.31.