Possible improvement of JWT authentication
Problem to solve
Recently, I managed to implement OmniAuth to allow users to log in to my personal Gitlab via JWT, which is provided by Rapid Connect (https://rapid.aaf.edu.au/). However, it turned out the implementation was not easy, since the instructions given on Gitlab are not sufficient or just wrong. Here are some possible improvements which the maintenance team may be interested in.
Target audience
People who want to use Rapid Connect or other similar third parties to authenticate to their personal Gitlab
Further details
After users click the JWT button on the login page, they are redirected to the third party to authenticate:

The goal of this feature is illustrated in the documentation; the reason I refined this is because the configuration given in the documentation is not sufficient to make it work. This feature can be added in the latest version of Gitlab.
Proposal
- The callback URL is not given in the instructions (https://docs.gitlab.com/ee/administration/auth/jwt.html); it should be: URL + /users/auth/jwt/callback. For example, if the home page of a website is http://juno.aurin.org.au/, then the callback URL should be http://juno.aurin.org.au/users/auth/jwt/callback.
- Gitlab failed to parse the JWT token, since it is programmed to receive the parameter "jwt" (this can be seen in /opt/gitlab/embedded/service/gitlab-rails/lib/omni_auth/strategies/jwt.rb: @decoded ||= ::JWT.decode(request.params['jwt'], options.secret, options.algorithm).first). However, some other JWT providers send a different parameter, like Rapid Connect, where "assertion" is expected. To make it work, I changed
    @decoded ||= ::JWT.decode(request.params['jwt'], options.secret, options.algorithm).first
  into
    @decoded ||= ::JWT.decode(request.params['assertion'], options.secret, options.algorithm).first
- To solve the "Can't verify CSRF token authenticity" problem, edit /opt/gitlab/embedded/service/gitlab-rails/app/controllers/omniauth_callbacks_controller.rb:
  a) after the class line, add:
    skip_before_action :verify_authenticity_token
  b) comment out:
    #protect_from_forgery except: [:kerberos, :saml, :cas3], prepend: true
Reconfigure and restart, and the third-party integration will work as expected.
To improve the Gitlab community, could the maintenance team do either of the following:
a) Update the instructions (https://docs.gitlab.com/ee/administration/auth/jwt.html) to add the 3 pieces of configuration I gave above,
or
b) In a more elegant way, create a subclass for this scenario, so no extra configuration is needed.
************** new *****
3:10 pm 2-Jan-2019:
Sorry, I missed something. Actually, in item 2, I also added the 3 lines of code below after @decoded ||= ::JWT.decode(request.params['assertion'], options.secret, options.algorithm).first:
@attributes = @decoded["https://aaf.edu.au/attributes"]
@decoded["name"] = @attributes["displayname"]
@decoded["email"] = @attributes["mail"]
The reason is, if we look into the decoded JWT provided by Rapid Connect:

it is clear to see that mail and displayname are not at the top level, so I extracted them and put them at the top level.
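The steps above (read the "assertion" parameter instead of "jwt", verify the token, hoist displayname and mail out of the nested AAF attributes claim) can be put together in one place. The following is an added example written for this page; it is not code from the issue, from GitLab's omni_auth/strategies/jwt.rb, or from Rapid Connect. It does with the Ruby standard library what the original line delegates to ::JWT.decode with options.secret and options.algorithm: it checks an HS256 signature, rejects any other alg (including "none"), enforces iss, aud, exp and nbf, and then flattens the attributes the same way the three added lines do. The shared secret, issuer, timestamp and the payload contents are constructed for the demo; the audience is the site URL quoted in the issue.

```ruby
require 'openssl'
require 'json'

# Added example, not GitLab's or AAF's code: stand-alone handling of a
# Rapid Connect-style "assertion" parameter, with signature and claim checks.
module RapidConnectJwt
  AAF_ATTRIBUTES = 'https://aaf.edu.au/attributes'.freeze
  PARAM_NAME     = 'assertion'.freeze

  DEMO_SECRET   = 'constructed-shared-secret'.freeze # assumption, not a real secret
  DEMO_ISSUER   = 'https://rapid.aaf.edu.au'.freeze  # assumption for the demo
  DEMO_AUDIENCE = 'http://juno.aurin.org.au/'.freeze # the site URL from the issue
  DEMO_NOW      = 1_546_394_400                      # 2 Jan 2019 UTC, constructed

  class VerificationError < StandardError; end

  def self.b64url_encode(str)
    [str].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.b64url_decode(str)
    padded = str.tr('-_', '+/')
    padded += '=' * ((4 - padded.length % 4) % 4)
    padded.unpack1('m0') # strict decode; raises ArgumentError on junk
  end

  # Constant-time comparison so the signature check does not leak timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Verify an HS256 token against the shared secret and return its payload.
  # Only HS256 is accepted, so "alg":"none" (or an RS256 key-confusion header)
  # is rejected before any signature math happens.
  def self.decode_hs256(token, secret)
    parts = token.to_s.split('.')
    raise VerificationError, 'malformed token' unless parts.size == 3
    header_b64, payload_b64, sig_b64 = parts
    header = JSON.parse(b64url_decode(header_b64))
    raise VerificationError, 'malformed header' unless header.is_a?(Hash)
    raise VerificationError, "unexpected alg #{header['alg'].inspect}" unless header['alg'] == 'HS256'
    expected = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), secret, "#{header_b64}.#{payload_b64}")
    raise VerificationError, 'bad signature' unless secure_equal?(b64url_decode(sig_b64), expected)
    payload = JSON.parse(b64url_decode(payload_b64))
    raise VerificationError, 'malformed payload' unless payload.is_a?(Hash)
    payload
  rescue ArgumentError, JSON::ParserError => e
    raise VerificationError, "undecodable token: #{e.message}"
  end

  # The relying party has to enforce issuer, audience and validity window itself.
  def self.verify_claims(payload, issuer:, audience:, now:)
    raise VerificationError, 'wrong issuer' unless payload['iss'] == issuer
    raise VerificationError, 'wrong audience' unless payload['aud'] == audience
    raise VerificationError, 'token expired' unless payload['exp'].is_a?(Integer) && now < payload['exp']
    raise VerificationError, 'token not yet valid' if payload['nbf'].is_a?(Integer) && now < payload['nbf']
    payload
  end

  # Hoist the nested attributes, as the three lines added in the issue do.
  def self.flatten_attributes(payload)
    attrs = payload[AAF_ATTRIBUTES] || {}
    payload.merge('name' => attrs['displayname'], 'email' => attrs['mail'])
  end

  # params: the callback request parameters as Rack hands them to the strategy.
  def self.extract_identity(params, secret:, issuer:, audience:, now: Time.now.to_i)
    token = params[PARAM_NAME]
    raise VerificationError, "missing #{PARAM_NAME} parameter" if token.nil?
    payload = verify_claims(decode_hs256(token, secret), issuer: issuer, audience: audience, now: now)
    flatten_attributes(payload)
  end

  # Rejection reason as a string, or nil when the token is accepted.
  def self.rejection_reason(params, **opts)
    extract_identity(params, **opts)
    nil
  rescue VerificationError => e
    e.message
  end

  # Mint a token the way the IdP side would; for offline testing only.
  def self.sign_hs256(payload, secret)
    header_b64  = b64url_encode(JSON.generate('alg' => 'HS256', 'typ' => 'JWT'))
    payload_b64 = b64url_encode(JSON.generate(payload))
    sig = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), secret, "#{header_b64}.#{payload_b64}")
    "#{header_b64}.#{payload_b64}.#{b64url_encode(sig)}"
  end

  # Constructed payload in the shape the issue shows: mail and displayname
  # sit under the AAF attributes claim, not at the top level.
  def self.demo_payload
    { 'iss' => DEMO_ISSUER, 'aud' => DEMO_AUDIENCE, 'sub' => 'constructed-subject',
      'nbf' => DEMO_NOW - 60, 'exp' => DEMO_NOW + 120,
      AAF_ATTRIBUTES => { 'displayname' => 'Jane Example', 'mail' => 'jane@example.edu' } }
  end

  def self.demo_opts
    { secret: DEMO_SECRET, issuer: DEMO_ISSUER, audience: DEMO_AUDIENCE, now: DEMO_NOW }
  end
end
```

Calling RapidConnectJwt.extract_identity({ 'assertion' => token }, **RapidConnectJwt.demo_opts) on a token minted with sign_hs256 returns the payload with 'name' and 'email' at the top level; the same token posted under the "jwt" key, a token whose payload was swapped after signing, an "alg":"none" token, or one presented after its exp is rejected. On the CSRF point in step 3: the controller line shown in the issue, protect_from_forgery except: [:kerberos, :saml, :cas3], prepend: true, already carves out the callbacks that legitimately arrive as cross-site POSTs, so adding :jwt to that except: list limits the exemption to the one action, whereas skip_before_action :verify_authenticity_token on the whole controller removes CSRF checking from every OmniAuth callback it serves.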
