
Fixes #35122 - Support gitlab oidc provider

Open j-m-harris opened this issue 2 years ago • 10 comments

j-m-harris avatar Jun 28 '22 10:06 j-m-harris

Can one of the admins verify this patch?

theforeman-bot avatar Jun 28 '22 10:06 theforeman-bot

Issues: #35122

theforeman-bot avatar Jun 28 '22 10:06 theforeman-bot

[test foreman]

ehelms avatar Jun 28 '22 14:06 ehelms

ok to test

stejskalleos avatar Jun 30 '22 06:06 stejskalleos

Hi @j-m-harris, thanks for contributing to the Foreman. I took a quick look and have some points / questions:

  • The integration test failures are not related to your changes, but the failing unit/sso/apache_test.rb probably is
  • test/unit/sso/openid_connect_test.rb should also be updated to cover these new changes
  • Are there any changes in behavior that need to be reflected in the docs - Configuring external auth admin?
  • Could you post instructions on how to set up a simple dev env and what the testing steps are for this pull request?

If anything, feel free to ping me on IRC (@lstejska)

stejskalleos avatar Jun 30 '22 07:06 stejskalleos

Thanks for the feedback @stejskalleos, agreed the test coverage and documentation need updating for the gitlab oidc integration.

j-m-harris avatar Jun 30 '22 16:06 j-m-harris

@stejskalleos Fixed the test regression and added coverage for the new logic in openid_connect. Fixed some reversed assert_equal calls elsewhere in that test suite too.

Setting up gitlab as the oidc provider for foreman is similar to the keycloak integration. I can format the following into the foreman docs.

Configure GitLab

  • Create an Instance OAuth application.
    • Name: Foreman
    • Redirect URI: https://foreman.example.com/users/extlogin/redirect_uri
    • Trusted: False
    • Confidential: True
    • Scopes: openid, profile, email

Configure foreman

  • Go to Administer - Settings - Authentication
  • Check 'Authorise login delegation auth source user autocreate' is set to 'External' (enables auto-creation of users from external OpenID provider).
  • Set 'Authorise login delegation' to 'Yes'
  • Set OIDC Algorithm to RS256
    • (id_token_signing_alg_values_supported from gitlab openid-configuration)
  • Set OIDC JWKs URL to https://gitlab.example.com/oauth/discovery/keys
    • (jwks_uri from gitlab openid-configuration)
  • Set OIDC Issuer to https://gitlab.example.com
    • (issuer from gitlab openid-configuration)
  • Leave OIDC Audience as ''
  • Install apache module libapache2-mod-auth-openidc
  • Configure apache module by creating /etc/apache2/conf.d/05-foreman-ssl.d/01-foreman-oidc.conf with the following contents.
    • (This assumes foreman is configured by /etc/apache2/sites-available/05-foreman-ssl.conf with an IncludeOptional "/etc/apache2/conf.d/05-foreman-ssl.d/*.conf" line within.)
OIDCProviderMetadataURL https://gitlab.example.com/.well-known/openid-configuration
OIDCRedirectURI https://foreman.example.com/users/extlogin/redirect_uri
OIDCClientID "<application id from gitlab>"
OIDCClientSecret "<secret from gitlab>"
OIDCCryptoPassphrase "exec:/bin/bash -c \"head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32\""
OIDCScope "openid profile email"
# Provides HTTP_OIDC_ID_TOKEN_PAYLOAD header variable.
OIDCPassIDTokenAs "payload"
# Provides HTTP_OIDC_USERINFO_JSON header variable.
OIDCPassUserInfoAs "json"

<Location /users/extlogin>
  AuthType openid-connect
  Require valid-user
</Location>

j-m-harris avatar Jul 01 '22 21:07 j-m-harris
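The four OIDC settings in the steps above (algorithm RS256, JWKs URL, issuer, audience) are the inputs a relying party needs to validate a GitLab ID token. The Ruby sketch below is an added example, not Foreman's or mod_auth_openidc's code: it builds a JWKS shaped like GitLab's /oauth/discovery/keys from a locally generated key, signs a constructed ID token, and runs the checks those settings drive (pinned alg, kid lookup, signature, iss, exp, aud). The audience value 'foreman-app-id' is a constructed stand-in for the GitLab application id; the steps above leave OIDC Audience empty, which would mean the aud check has nothing to compare against.

```ruby
require 'openssl'
require 'json'
# Foreman-side settings from the steps above; the audience is a constructed
# GitLab application id so that the aud check is actually exercised.
SETTINGS = { algorithm: 'RS256', issuer: 'https://gitlab.example.com',
             audience: ['foreman-app-id'] }.freeze

def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end
def b64url_decode(str)
  s = str.tr('-_', '+/')
  (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m0')
end

# JWKS document shaped like the one GitLab serves at /oauth/discovery/keys.
def jwks_for(key, kid)
  { 'keys' => [{ 'kty' => 'RSA', 'use' => 'sig', 'alg' => 'RS256', 'kid' => kid,
                'n' => b64url(key.n.to_s(2)), 'e' => b64url(key.e.to_s(2)) }] }
end

# Constructed ID token standing in for one minted by GitLab; alg: only changes the header.
def sign_id_token(key, kid, claims, alg: 'RS256')
  header = b64url(JSON.generate('alg' => alg, 'typ' => 'JWT', 'kid' => kid))
  payload = b64url(JSON.generate(claims))
  sig = key.sign(OpenSSL::Digest.new('SHA256'), "#{header}.#{payload}")
  "#{header}.#{payload}.#{b64url(sig)}"
end

# Rebuild the RSA public key from the JWK's n/e as a PKCS#1 RSAPublicKey DER.
def rsa_from_jwk(jwk)
  n, e = %w[n e].map { |f| OpenSSL::ASN1::Integer(OpenSSL::BN.new(b64url_decode(jwk[f]), 2)) }
  OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence([n, e]).to_der)
end

# Pinned alg first (never trust the token's own alg), then kid lookup, signature,
# issuer, expiry and audience. Returns [ok, detail].
def verify_id_token(token, jwks, settings, now: Time.now.to_i)
  h64, p64, s64 = token.split('.')
  header = JSON.parse(b64url_decode(h64))
  return [false, 'alg mismatch'] unless header['alg'] == settings[:algorithm]
  jwk = jwks['keys'].find { |k| k['kid'] == header['kid'] }
  return [false, 'unknown kid'] unless jwk
  input = "#{h64}.#{p64}"
  return [false, 'bad signature'] unless rsa_from_jwk(jwk).verify(OpenSSL::Digest.new('SHA256'), b64url_decode(s64), input)
  claims = JSON.parse(b64url_decode(p64))
  return [false, 'issuer mismatch'] unless claims['iss'] == settings[:issuer]
  return [false, 'expired'] unless claims['exp'].to_i > now
  return [false, 'audience mismatch'] if (Array(claims['aud']) & settings[:audience]).empty?
  [true, claims['email']]
end
```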

[test foreman]

stejskalleos avatar Jul 13 '22 08:07 stejskalleos

@j-m-harris any updates?

stejskalleos avatar Oct 03 '22 06:10 stejskalleos

I'm closing the PR; it's been without any update since Oct 3, 2022.

stejskalleos avatar Jul 03 '23 10:07 stejskalleos