Google OAuth - Prospect Questions on linking existing users to OAuth in bulk and other items
Background:
One prospect, Loblaw, a large retailer in Canada, has moved all of their teams to GSuite and wants to ensure their on-prem installation with Google OAuth2 works as they expect. They have set up Google OAuth on their instance and are currently in talks to move to Ultimate. These issues with Google OAuth have been a blocker for their upgrade.
What questions are you trying to answer?
1. They say that with the current OAuth configuration, GitLab gives an error 'user not found, please create in GitLab first before signing in with OAuth.' They want the user to be able to log in with OAuth on their first log in, ensuring no password is stored in the db. (I plan to submit this to Support once I have a confirmed GL version).
2. What is the state of users when Google OAuth is disabled? Can we add documentation around what this looks like?
He does not like my feedback of: have users create passwords. He thinks there should be a better workflow to accomplish this. He wants feedback on the below reported bug.
https://gitlab.com/gitlab-org/gitlab-ce/issues/1706
3. How do you migrate users who are currently in GitLab, but not using OAuth, in one migration so that not every user has to enable OAuth themselves from the UI?
GitLab documentation on enabling OmniAuth for an existing user is linked below. It states that to enable existing users to log in with OAuth, it needs to be done manually in the UI, user by user. Loblaw says that many other tools like Jira support linking existing accounts automatically on next log in. He says this functionality is crucial for them as they have 300+ users already in the system.
https://docs.gitlab.com/ee/integration/omniauth.html#enable-omniauth-for-an-existing-user
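As an added example for questions 1 and 3 (it is not code from this issue, from the prospect, or from GitLab's code base): the `gitlab.rb` settings that produce the "create the account first" error, beside the settings that let a first Google sign-in create the account with no local password and let an existing local user be linked on their next sign-in. The `gitlab_rails[...]` key names and the `google_oauth2` provider name are the real Omnibus settings; the decision function, its outcome names and the sample users are constructed here to model the documented behaviour, not GitLab's own implementation. `omniauth_auto_link_user` is an assumption for the prospect: it was introduced in GitLab 13.4, so it only answers question 3 once their confirmed version is at least that.

```ruby
# Added example; not from the issue or from GitLab. Real gitlab.rb keys, with a
# constructed model of the documented sign-in decision so each case can be checked.

PROVIDER = 'google_oauth2' # GitLab's provider name for Google OAuth 2.0

# Settings that reproduce the prospect's symptom: Google sign-in is accepted only
# for accounts that already exist in GitLab, so a first-time user is turned away.
WEAK_SETTINGS = {
  'omniauth_enabled'                  => true,
  'omniauth_allow_single_sign_on'     => [],    # no provider may create accounts
  'omniauth_block_auto_created_users' => true,
  'omniauth_auto_link_user'           => [],
}.freeze

# Corrected settings: a first Google sign-in creates the account (no local
# password is ever set), and an existing local user with the same e-mail is
# linked on their next Google sign-in instead of editing their profile by hand.
# 'omniauth_auto_link_user' is assumed available: it exists from GitLab 13.4 on.
FIXED_SETTINGS = {
  'omniauth_enabled'                  => true,
  'omniauth_allow_single_sign_on'     => [PROVIDER],
  'omniauth_block_auto_created_users' => false, # true would require admin approval
  'omniauth_auto_link_user'           => [PROVIDER],
}.freeze

# Constructed sample of existing GitLab users: e-mail => providers already linked.
SAMPLE_USERS = {
  'alice@example.com' => [],         # local password user, never linked
  'bob@example.com'   => [PROVIDER], # already linked to Google
}.freeze

# These settings accept `true` (every provider) or an Array of provider names.
def provider_enabled?(value, provider)
  value == true || Array(value).include?(provider)
end

# Returns a symbol describing what a sign-in attempt does under `settings`
# (constructed outcome names; GitLab shows its own messages for each case).
def omniauth_outcome(settings, provider:, email:, existing_users:)
  linked = existing_users[email]
  if linked
    return :signed_in if linked.include?(provider)
    return :linked_and_signed_in if provider_enabled?(settings['omniauth_auto_link_user'], provider)
    return :must_link_in_profile # the manual per-user step the docs describe
  end
  # No GitLab account yet: only an allowed provider may create one.
  return :create_account_first unless provider_enabled?(settings['omniauth_allow_single_sign_on'], provider)
  settings['omniauth_block_auto_created_users'] ? :created_pending_approval : :created_and_signed_in
end

if __FILE__ == $PROGRAM_NAME
  { 'weak' => WEAK_SETTINGS, 'fixed' => FIXED_SETTINGS }.each do |name, settings|
    %w[carol@example.com alice@example.com bob@example.com].each do |email|
      outcome = omniauth_outcome(settings, provider: PROVIDER, email: email, existing_users: SAMPLE_USERS)
      puts "#{name}: #{email} -> #{outcome}"
    end
  end
end
```

After changing `/etc/gitlab/gitlab.rb`, run `sudo gitlab-ctl reconfigure` for the settings to take effect. Automatic linking matches on the e-mail address, so it only helps the 300+ existing users whose GitLab e-mail equals their GSuite e-mail; any mismatch still lands on the manual profile step. Leaving `omniauth_block_auto_created_users` at its default of `true` means every first-time Google sign-in creates a blocked account that an admin must unblock, which is the safer setting if not every GSuite user should get GitLab access.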
What is the backstory of this project and how does it impact the approach?
The customer expected Google OAuth to be easier in three respects: having users log in, migrating existing users in bulk, and understanding what happens to users if OAuth is later disabled.
This is a blocker for this customer to move to a higher tier of GitLab.
What do you already know about the areas you are exploring?
I have done a ton of research on OAuth 2 and how it works, but am unsure of what is in GitLab's control and what relates to OmniAuth2 or GSuite.
What does success look like at the end of the project?