Codecov Report
@@ Coverage Diff @@
## master #29 +/- ##
=======================================
Coverage 34.87% 34.87%
=======================================
Files 1 1
Lines 195 195
=======================================
Hits 68 68
Misses 121 121
Partials 6 6
Continue to review full report at Codecov.
|
I like this, but I worry that it will be a subtle, breaking change for existing users of Kuberos who do use the removed scopes. What if we renamed
What do you think? |
I second that. My experiments with Kuberos + GitLab-CE failed for this very reason. |
9135763 to aca93d7
@Miouge1 I haven't heard from you in a while. Are you still interested in working on this PR? If not I can take a look at it next time I get a block of time to work on Kuberos. |
Sure. I kind of forgot about this PR. Latest commit should cover the
So it looks like it would fit the comment from the 21st of March? @codepainters note that OpenID is broken in GitLab since 10.6, see this GitLab issue |
@Miouge1 yes, I'm aware of this problem, I already have a workaround deployed (serving the discovery data statically with nginx). I hit another problem - |
@codepainters yes, it's a known issue with GitLab OIDC, basically their refresh token is missing the id_token field. There is a GitLab issue about it. Any workaround or input is welcome, since I'm running into the same problems :) |
Thanks for the hint. As a temporary workaround I hacked GitLab - file |
Actually I've just realised there are also these GitLab issues (and the pull request mentioned at the top of this ticket): |
@codepainters I'm trying to push GitLab to get their act together on the OIDC front, meanwhile I am using auth0.com as a middleware. The free version worked out of the box for me. |
@Miouge1 This looks good! Thanks for working on this. |
Thanks guys! Docker image is updated as well, right? |
The email and profile scopes are optional in the OpenID spec, therefore it would increase compatibility to not include them in the DefaultScopes. They can always be re-added with --extra-scopes where necessary.
I have tested this with GitLab as an OpenID Provider, which does not support the profile or email scopes.
This works best with #28
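An added example, not Kuberos code and not part of this PR: a Go sketch of the compatibility check the description implies, comparing the scopes a client would request (openid plus any extras) against the scopes_supported list in a provider's discovery document. The helper names, the idp.example.com issuer and the sample document are constructed for illustration, and the sketch assumes the default is only openid, the one scope the OpenID Connect spec requires.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed discovery document: a provider that advertises only "openid".
const sampleDiscovery = `{"issuer":"https://idp.example.com","scopes_supported":["openid"]}`

// requestScopes (hypothetical helper): "openid" plus trimmed, de-duplicated extras.
func requestScopes(extra []string) []string {
	scopes := []string{"openid"}
	seen := map[string]bool{"openid": true}
	for _, s := range extra {
		if s = strings.TrimSpace(s); s != "" && !seen[s] {
			seen[s] = true
			scopes = append(scopes, s)
		}
	}
	return scopes
}

// unsupported lists requested scopes absent from scopes_supported. That field
// is optional in discovery metadata, so known=false means "cannot tell".
func unsupported(discovery []byte, scopes []string) (missing []string, known bool, err error) {
	var doc struct {
		Scopes []string `json:"scopes_supported"`
	}
	if err = json.Unmarshal(discovery, &doc); err != nil || doc.Scopes == nil {
		return nil, false, err
	}
	advertised := map[string]bool{}
	for _, s := range doc.Scopes {
		advertised[s] = true
	}
	for _, s := range scopes {
		if !advertised[s] {
			missing = append(missing, s)
		}
	}
	return missing, true, nil
}

func main() {
	missing, known, err := unsupported([]byte(sampleDiscovery), requestScopes([]string{"email", "profile"}))
	fmt.Println(missing, known, err)
}
```

Running a check like this at startup lets an operator see which extra scopes a provider does not advertise before the first login attempt fails.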