Allow for alternate to Bearer Tokens authentication for generic HTTP Endpoints
Release notes
Users are looking for an additional layer of security when it comes to setting up their alerts in GitLab. Instead of just a Webhook URL and authorization key (set by a bearer token), they'd like alternative ways to authenticate.
One alternative way to authenticate is via HTTP Basic authentication (either through headers, or set in the URL).
Problem to solve
Users are looking for an additional layer of security when it comes to setting up their alerts in GitLab. Instead of just a Webhook URL and authorization key (set by a bearer token), they'd like alternative ways to authenticate.
One alternative way to authenticate is via HTTP Basic authentication (either through headers, or set in the URL).
Intended users
User experience goal
Proposal
- Add HTTP Basic Authentication
- Investigate alternative solutions, such as 'no auth', with token in the URL path.
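One way an alert endpoint could accept either scheme against the same authorization key, as an added example (not GitLab's code). `ALERT_TOKEN`, `authorized_scheme` and `header_from_url` are hypothetical names, and treating the Basic password as the key while ignoring the username is an assumption.

```ruby
require "base64"
require "digest"
require "uri"

# Constructed sample value; stands in for the integration's authorization key.
ALERT_TOKEN = "constructed-sample-token"

# Compare fixed-length digests byte by byte so timing does not depend on
# how many leading characters of the supplied secret are correct.
def secure_equal?(given, expected)
  a = Digest::SHA256.digest(given).bytes
  b = Digest::SHA256.digest(expected).bytes
  a.zip(b).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns :bearer or :basic when the Authorization header carries the key,
# nil otherwise. Assumption: with Basic auth the key is sent as the password
# and the username is not checked.
def authorized_scheme(header, token = ALERT_TOKEN)
  scheme, value = header.to_s.strip.split(/\s+/, 2)
  return nil if value.nil?

  case scheme.downcase
  when "bearer"
    secure_equal?(value, token) ? :bearer : nil
  when "basic"
    begin
      decoded = Base64.strict_decode64(value)
    rescue ArgumentError
      return nil # not valid base64
    end
    _user, password = decoded.split(":", 2) # password may itself contain ':'
    password && secure_equal?(password, token) ? :basic : nil
  end
end

# Clients such as curl send credentials embedded in the URL as a Basic
# Authorization header, so both Basic variants reach the same check.
def header_from_url(url)
  uri = URI.parse(url)
  return nil unless uri.user

  unescape = ->(s) { s.to_s.gsub(/%(\h\h)/) { Regexp.last_match(1).hex.chr } }
  "Basic " + Base64.strict_encode64("#{unescape.(uri.user)}:#{unescape.(uri.password)}")
end
```

With the URL form, the key is stored wherever the webhook URL is stored or logged on the sending side, so the header form is the safer of the two Basic variants.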
Further details
This idea initially came from this Slack thread via @tatkins:
I have a question from a customer:
We also would like to use it for Elastic Watchers, however, it apparently does not support bearer tokens. The same situation goes with Pingdom as well. Is there any workaround to integrate especially Elastic with GitLab Alerts? If not, do you have any plans to support these platforms? (e.g. username and password support)
You can see supported Elastic Watcher webhook settings here: https://www.elastic.co/guide/en/elasticsearch/reference/current/actions-webhook.html, where HTTP basic auth is natively supported.
Additional info for RPI: Documentation: https://docs.gitlab.com/ee/operations/incident_management/integrations.html#authorization