Implement OpenID Connect identity provider
What does this MR do?
This implements an OpenID Connect 1.0 identity provider on top of the Doorkeeper OAuth framework (which is already used in GitLab to manage API access), using the doorkeeper-openid_connect gem.
As per the discussion with @timothyandrew, we decided to only use the `openid` scope for now, and make additional user attributes available there as well (the spec recommends putting them into the additional `profile` and `email` scopes). See doc/integration/openid_connect_provider.md for more details.
This development is sponsored by @siemens (/cc @bufferoverflow)
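The part of the protocol a relying party has to get right when it consumes this provider is the ID token: it is only issued when the request carries the `openid` scope, and the client must verify its signature and the `iss`, `aud`, `exp` and `nonce` claims before trusting the user attributes inside it. The following is an added example, not code from this MR, from Doorkeeper or from doorkeeper-openid_connect; the issuer URL, client ID, user attributes and the throwaway RSA key are constructed assumptions, and `issue_id_token` is a hypothetical stand-in for the provider side written only so the verification can be exercised offline.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Constructed assumptions: a throwaway RSA key standing in for the IdP
# signing key, the issuer URL of the GitLab instance and the client ID
# of the registered OAuth application.
IDP_KEY    = OpenSSL::PKey::RSA.new(2048)
IDP_ISSUER = 'https://gitlab.example.com'
CLIENT_ID  = 'example-client-id'

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Provider side (hypothetical helper, not Doorkeeper's API): an ID token is
# minted only for requests that include the openid scope; a plain OAuth
# request (e.g. scope "api") gets nil, i.e. no OIDC behaviour at all.
# The name/email attributes are exposed inside the openid scope, matching
# the decision described in the MR.
def issue_id_token(key:, scopes:, sub:, nonce:, now: Time.now.to_i)
  return nil unless scopes.include?('openid')

  header  = { alg: 'RS256', typ: 'JWT' }
  payload = {
    iss: IDP_ISSUER, sub: sub, aud: CLIENT_ID,
    iat: now, exp: now + 120, nonce: nonce,
    name: 'Example User', email: 'user@example.com' # constructed attributes
  }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  signature     = key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Relying-party side: the checks OIDC Core requires before the claims may be
# used. The alg check comes first so an "alg":"none" or HMAC token can never
# reach the RSA verify call with the public key as its secret.
def verify_id_token(token, pub_key:, expected_nonce:, now: Time.now.to_i)
  parts = token.split('.')
  raise 'malformed token' unless parts.size == 3

  header = JSON.parse(Base64.urlsafe_decode64(parts[0]))
  raise "unexpected alg #{header['alg']}" unless header['alg'] == 'RS256'

  signing_input = "#{parts[0]}.#{parts[1]}"
  signature     = Base64.urlsafe_decode64(parts[2])
  raise 'bad signature' unless pub_key.verify(OpenSSL::Digest.new('SHA256'), signature, signing_input)

  claims = JSON.parse(Base64.urlsafe_decode64(parts[1]))
  raise 'wrong issuer'   unless claims['iss'] == IDP_ISSUER
  raise 'wrong audience' unless Array(claims['aud']).include?(CLIENT_ID)
  raise 'expired'        unless claims['exp'].is_a?(Integer) && now < claims['exp']
  raise 'nonce mismatch' unless claims['nonce'] == expected_nonce

  claims
end

if __FILE__ == $PROGRAM_NAME
  token = issue_id_token(key: IDP_KEY, scopes: %w[openid], sub: '42', nonce: 'n-1')
  puts verify_id_token(token, pub_key: IDP_KEY.public_key, expected_nonce: 'n-1').inspect
end
```

In a real deployment the public key comes from the provider's JWKS endpoint advertised in its discovery document, and the nonce is the value the client generated and stored in the session before redirecting to the authorization endpoint; the example keeps both local so it runs offline.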
Are there points in the code the reviewer needs to double check?
- Pending Omnibus MR: omnibus-gitlab!1222 (merged)
Why was this MR needed?
Adding OpenID Connect IdP functionality would simplify the usage of GitLab as an identity provider by supporting a standard protocol that is already widely adopted and standardized, and enable simple cross-vendor scenarios without implementing custom glue code per provider on the client side.
Screenshots (if relevant)
Authorization prompt:
Application form:
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated
- API support added
- Tests
  - Added for this feature/bug
  - All builds are passing
- Conform by the merge request performance guides
  - the extension only becomes active for OpenID Connect requests (OAuth request with `openid` scope), so normal Doorkeeper usage shouldn't be noticeably affected
- Conform by the style guides
- Branch has no merge conflicts with master (if it does - rebase it please)
- Squashed related commits together
What are the relevant issue numbers?
/cc authentication oauth