GitLab as OAuth2 provider for review environments
Problem to solve
We have a product where people may log in using various OAuth2 providers. We have already registered 3 OAuth2 GitLab applications: for localhost, staging, and production.
For review environments this is not as simple, because each review environment runs on a different domain name. It would be nice if this were possible: it is typically the simplest login flow for users doing code reviews, and the login flow itself should be tested for breakage in some merge requests.
Intended users
Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/
- Cameron (Compliance Manager)
- Parker (Product Manager)
- Delaney (Development Team Lead)
- Presley (Product Designer)
- Sasha (Software Developer)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
- Rachel (Release Manager)
- Alex (Security Operations Engineer)
- Simone (Software Engineer in Test)
- Allison (Application Ops)
- Priyanka (Platform Engineer)
(Basically everyone who uses review environments)
User experience goal
The user should be able to use OAuth2 to log in to review environments hosted on different domains.
Proposal
Proposal A (the easy solution)
Add support for wildcard callback URLs for applications. For example: https://*.appsemble.review.
If the redirect URI in the authorization request matches the wildcard, allow the user to log in to the application.
When registering an application, allow wildcards. This should be documented in the help message of the redirect URI field. Its use should be discouraged, as wildcard matching is less safe than exact redirect URI matching for typical use cases.
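As an added illustration (not GitLab's own code), a Python matcher for the wildcard rule described above. It assumes "*" is allowed only as the entire leftmost host label, that it stands in for exactly one DNS label, and that scheme, port, path and query must match the registered value exactly, as RFC 6749 recommends for redirect URIs.

```python
import re
from urllib.parse import urlsplit

# Hypothetical validator, not GitLab's code. A registered redirect URI may use
# "*" only as the whole leftmost host label (https://*.appsemble.review); the
# wildcard matches one DNS label, and everything else must match exactly.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _split(uri):
    """Return (host, port, path, query) for an https URI, or None if unusable."""
    if "\\" in uri or any(c.isspace() for c in uri):
        return None  # avoid parser disagreements with browsers
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.hostname or parts.fragment:
        return None
    if parts.username is not None or parts.password is not None:
        return None  # no userinfo such as https://good.example@evil.example
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    return parts.hostname, port or 443, parts.path, parts.query


def is_valid_registered(registered):
    """Accept a plain https URI, or one whose host is '*.<two or more labels>'."""
    parsed = _split(registered)
    if parsed is None:
        return False
    host = parsed[0]
    if "*" not in host:
        return True
    if not host.startswith("*."):
        return False  # e.g. review-*.example is rejected: partial labels not allowed
    labels = host[2:].split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def redirect_uri_allowed(registered, requested):
    """True if the requested redirect_uri is permitted by the registered one."""
    if not is_valid_registered(registered):
        return False
    reg, req = _split(registered), _split(requested)
    if req is None or "*" in req[0] or reg[1:] != req[1:]:
        return False  # port, path and query must match exactly
    if not reg[0].startswith("*."):
        return reg[0] == req[0]  # exact-host registration: exact comparison
    suffix = reg[0][1:]  # ".appsemble.review"
    if not req[0].endswith(suffix):
        return False
    # Exactly one label may replace "*": nested subdomains are rejected.
    return bool(LABEL_RE.match(req[0][: -len(suffix)]))
```

Hosts such as review-1.appsemble.review.attacker.example and a.b.appsemble.review are rejected because the suffix must match whole and the wildcard covers a single label.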
Proposal B
Create an OAuth2 application for review environments. The client credentials could be exposed as CI_ENVIRONMENT_GITLAB_CLIENT_ID and CI_ENVIRONMENT_GITLAB_CLIENT_SECRET. When the user uses this application to log in to GitLab, the authorization request page could link to the relevant review environment and merge request (if available). If the review environment is torn down, the client credentials are invalidated automatically.
Perhaps there should be a setting to explicitly enable this feature.
This requires documentation updates for the CI variables and review environments.
Further details
I am currently able to log in to https://staging.appsemble.review, but not https://review-*.appsemble.review. This means that in review environments I need to finish the email registration process, which takes more time.
Permissions and Security
The user should be able to create a review environment.
Documentation
See proposals.