Notify users when Web IDE OAuth application is configured for a different domain
MR: Notify users when Web IDE OAuth app is configur... (gitlab!154584 - merged)
Description
As a user, I want to be informed when the Web IDE OAuth flow will redirect to a URL with a different domain than the one I'm using to access the GitLab application. In this way, I can inform the GitLab instance administrator about the configuration mismatch, and they can fix this problem.
Context
When setting up an OAuth application in a GitLab instance, you have to set a callback URL. When the user authorizes an OAuth application, the GitLab instance redirects the user to the callback URL specified.
If the callback URL is different from the URL that requested OAuth authorization, the OAuth flow will fail. In which situations could this happen? The GitLab instance might be behind a proxy server that uses a domain that is different from the domain used by the proxied server. You can read about these situations in the following feedback issue gitlab#385787 (comment 1237920068).
The following video demonstrates this problem:
- I access my local GitLab instance from a URL that uses the gdk.test2 domain.
- The Web IDE OAuth application is expecting a callback URL that uses the domain gdk.test.
- As a result, the OAuth authorization fails.
demo_different_domain_1080p.mov
When the Web IDE is loaded for the first time for the instance with the web_ide_oauth flag enabled, an OAuth instance wide application is created at the code level based on the URL from the GitLab instance configuration. As mentioned above, there could be mismatches between this domain and the one users are accessing the GitLab application from.
We want to detect this scenario and communicate to the user that they should reach their GitLab instance administrator to fix this configuration problem.
Acceptance criteria
- Inform users when they are visiting the GitLab application from a URL with a domain that is different from the domain in the OAuth callback URL. This should include a path for them to visit the correct URL or contact an admin.
- Update the callback URL passed to the Web IDE to read from the application's redirect URI instead of the same util that uses the URL from the GitLab instance configuration. Why? The admin's fix requires updating the OAuth application config and this can include adding multiple redirect URIs.
Design specifications
- Navigate to project and launch Web IDE
- Web IDE launches in new tab and starts loading
- Mismatched domain error: Display error message and resolution in Alert component
- Change: No longer redirect to User Preferences to display error message
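The check described in the acceptance criteria could look like the following. This is an added sketch, not code from the GitLab codebase. The function names, the sample callback path, and the assumption that the application's redirect URIs arrive as one whitespace-separated string are all hypothetical.

```javascript
// Added illustration; names and input format are assumptions, not GitLab's API.

// Parse the OAuth application's redirect URI setting. Assumed to be a single
// string holding one or more URIs separated by whitespace or newlines.
function parseRedirectUris(raw) {
  return raw
    .split(/\s+/)
    .filter(Boolean)
    .map((value) => {
      try {
        return new URL(value);
      } catch {
        return null; // skip malformed entries instead of guessing at them
      }
    })
    .filter(Boolean);
}

// Decide which callback URL to hand to the Web IDE for the page the user is on.
// Origins (scheme + host + port) are compared exactly. A string-prefix check
// would be wrong here: "http://gdk.test" is a prefix of "http://gdk.test2".
function checkOAuthCallback(currentHref, rawRedirectUris) {
  const current = new URL(currentHref);
  const candidates = parseRedirectUris(rawRedirectUris);
  const match = candidates.find((uri) => uri.origin === current.origin);

  if (match) {
    return { mismatch: false, callbackUrl: match.href, expectedOrigins: [] };
  }
  // No redirect URI shares the visitor's origin: the OAuth flow would fail,
  // so report the origins the application is configured for. The alert can
  // then point the user to a working URL or to their administrator.
  return {
    mismatch: true,
    callbackUrl: null,
    expectedOrigins: [...new Set(candidates.map((uri) => uri.origin))],
  };
}

// Constructed sample input using the domains from the description above.
const SAMPLE_REDIRECT_URIS = 'http://gdk.test:3000/ide/oauth_callback';
const sampleResult = checkOAuthCallback(
  'http://gdk.test2:3000/some/project',
  SAMPLE_REDIRECT_URIS,
);
console.log(sampleResult.mismatch, sampleResult.expectedOrigins);
```

Because every configured redirect URI is considered, an administrator who adds a second URI for the proxy domain resolves the mismatch without removing the original one.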