Commit 28c7dba5 authored by Robert Speicher's avatar Robert Speicher

Merge remote-tracking branch 'ce/master'

parents 7802540d fea51969
---
title: Allow client authentication method to be configured for OpenID Connect
merge_request: 30683
author: Vincent Fazio
type: fixed
---
title: Make httpclient respect system SSL configuration
merge_request: 30749
author:
type: fixed
# frozen_string_literal: true
# By default, httpclient (and hence anything that uses rack-oauth2)
# ignores the system-wide SSL certificate configuration in favor of its
# own cacert.pem. This makes it impossible to use custom certificates
# without patching that file. Until
# https://github.com/nahi/httpclient/pull/386 is merged, we work around
# this limitation by forcing the HTTPClient SSL store to use the default
# system configuration.
module HTTPClient::SSLConfigDefaultPaths
def initialize(client)
super
set_default_paths
end
end
HTTPClient::SSLConfig.prepend HTTPClient::SSLConfigDefaultPaths
......@@ -81,6 +81,13 @@ The OpenID Connect will provide you with a client details and secret for you to
- `<your_oidc_url>` (optional) is the URL that points to the OpenID Connect provider. For example, `https://example.com/auth/realms/your-realm`.
If this value is not provided, the URL is constructed from the `client_options` in the following format: `<client_options.scheme>://<client_options.host>:<client_options.port>`.
- If `discovery` is set to `true`, the OpenID Connect provider will try to auto discover the client options using `<your_oidc_url>/.well-known/openid-configuration`. Defaults to `false`.
- `client_auth_method` (optional) specifies the method used for authenticating the client with the OpenID Connect provider.
- Supported values are:
- `basic` - HTTP Basic Authentication
- `jwt_bearer` - JWT based authentication (private key and client secret signing)
- `mtls` - Mutual TLS or X.509 certificate validation
- Any other value will POST the client id and secret in the request body
- If not specified, defaults to `basic`.
- `<uid_field>` (optional) is the field name from the `user_info` details that will be used as `uid` value. For example, `preferred_username`.
If this value is not provided or the field with the configured value is missing from the `user_info` details, the `uid` will use the `sub` field.
- `client_options` are the OpenID Connect client-specific options. Specifically:
......@@ -155,9 +162,9 @@ If you're having trouble, here are some tips:
`https://accounts.google.com/.well-known/openid-configuration`.
1. The OpenID Connect client uses HTTP Basic Authentication to send the
OAuth2 access token. For example, if you are seeing 401 errors upon
retrieving the `userinfo` endpoint, you may want to check your OpenID
Web server configuration. For example, for
OAuth2 access token if `client_auth_method` is not defined or if set to `basic`.
If you are seeing 401 errors upon retrieving the `userinfo` endpoint, you may
want to check your OpenID Web server configuration. For example, for
[oauth2-server-php](https://github.com/bshaffer/oauth2-server-php), you
may need to [add a configuration parameter to
Apache](https://github.com/bshaffer/oauth2-server-php/issues/926#issuecomment-387502778).
......@@ -54,6 +54,16 @@ module Gitlab
args[:strategy_class] = args[:strategy_class].constantize
end
# Providers that are known to depend on rack-oauth2, like those using
# Omniauth::Strategies::OpenIDConnect, need to be quirked so the
# client_auth_method argument value is passed as a symbol.
if (args[:strategy_class] == OmniAuth::Strategies::OpenIDConnect ||
args[:name] == 'openid_connect') &&
args[:client_auth_method].is_a?(String)
args[:client_auth_method] = args[:client_auth_method].to_sym
end
args
end
......
......@@ -83,5 +83,33 @@ describe Gitlab::OmniauthInitializer do
subject.execute([cas3_config])
end
it 'converts client_auth_method to a Symbol for openid_connect' do
openid_connect_config = {
'name' => 'openid_connect',
'args' => { name: 'openid_connect', client_auth_method: 'basic' }
}
expect(devise_config).to receive(:omniauth).with(
:openid_connect,
{ name: 'openid_connect', client_auth_method: :basic }
)
subject.execute([openid_connect_config])
end
it 'converts client_auth_method to a Symbol for strategy_class OpenIDConnect' do
openid_connect_config = {
'name' => 'openid_connect',
'args' => { strategy_class: OmniAuth::Strategies::OpenIDConnect, client_auth_method: 'jwt_bearer' }
}
expect(devise_config).to receive(:omniauth).with(
:openid_connect,
{ strategy_class: OmniAuth::Strategies::OpenIDConnect, client_auth_method: :jwt_bearer }
)
subject.execute([openid_connect_config])
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment