Auth: Support Gitlab OIDC scopes #69890
Conversation
pkg/login/social/generic_oauth.go
@@ -218,64 +214,16 @@ func (s *SocialGenericOAuth) extractFromToken(token *oauth2.Token) *UserInfoJson | |||
|
|||
idToken := token.Extra(idTokenAttribute) | |||
if idToken == nil { | |||
s.log.Debug("No id_token found", "token", token) | |||
s.log.Debug("No id_token found", "token", idToken) |
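Review bot: the changed line `s.log.Debug("No id_token found", "token", idToken)` sits inside `if idToken == nil {`, so the logged value is always nil and the key/value pair carries no information; suggest logging only the message. Dropping `token` from the removed line is the right direction, since `token` is the `*oauth2.Token` from the function signature and logging it would write the access token (and any refresh token) into debug logs.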
Why do we need to log an empty token?
Typo, thanks for pointing it out.
} | ||
}() | ||
|
||
rawJSON, err = io.ReadAll(fr) |
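Review bot: `rawJSON, err = io.ReadAll(fr)` reads the stream with no upper bound; if `fr` is the decompressing reader that the "uncompressed data" comment refers to, a small compressed ID token can expand into a very large buffer. Suggest `io.ReadAll(io.LimitReader(fr, maxIDTokenSize))` with a sensible constant, and treating a read that reaches the limit as an error rather than as valid input.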
Should we also validate the format of the uncompressed data?
LGTM from a security point of view.
From old memories, what really matters for GitLab SSO is email_verified AND an active account.
Looks good! Left some minor comments.
} | ||
|
||
rawJSON, err := base64.RawURLEncoding.DecodeString(matched[2]) | ||
rawJSON, err := s.retrieveRawIDToken(idToken) |
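Review bot: the helper replacing the inline `base64.RawURLEncoding.DecodeString(matched[2])` needs a doc comment saying what it returns and accepts: the decoded payload segment of the ID token (the `matched[2]` part of the removed line), with no signature verification, in either plain base64url form or the decompressed form handled in the hunk above. Without that, a later reader may take `rawJSON` for authenticated claims.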
Nice! It's much neater with ID token parsing logic tucked away.
payload: `{ | ||
"iss": "https://gitlab.com", | ||
"sub": "12345678", | ||
"aud": "d77db857f4696c5c5ff6cee64f3ed26e709aac8f1c644dc4b9d5fd64f825d583", | ||
"exp": 1686124040, | ||
"iat": 1686123920, | ||
"auth_time": 1686119303, | ||
"sub_legacy": "b4359d63eaf90d4b1f3d71d291353b75a676bf73fdf734d4ff009eca5c69bb70", | ||
"name": "John Doe", | ||
"nickname": "johndoe", | ||
"preferred_username": "johndoe", | ||
"email": "johndoe@example.com", | ||
"email_verified": true, | ||
"profile": "https://gitlab.com/johndoe", | ||
"picture": "https://gitlab.com/uploads/-/system/user/avatar/1234567/avatar.png", | ||
"groups_direct": [ | ||
"admins" | ||
] |
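Review bot: the fixture sets `"email_verified": true`; since the behaviour under test is the email_verified check, a case where the claim is absent from the payload altogether would cover the missing-claim path in addition to true and false. A per-case flag (or a nil-able field) in place of the full payload would also address the readability nit.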
nit: could you only specify whether the email has or has not been verified for each test instead of specifying the full payload? Just to make them more readable.
Looks good
What is this feature?
Why do we need this feature?
Reduces the amount of access Grafana requires to GitLab.
Who is this feature for?
Instances using GitLab OAuth
Please check that: