Challenge (ArkoseLabs) users that sign up with external OAuth providers
Implements https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/96
What does this MR do and why?
This MR builds on top of !107402 (merged) to redirect users that sign up using external OAuth providers (Google, Twitter, GitHub, etc.) to a page where they are shown the ArkoseLabs challenge to solve.
Why?
The identity verification methods required for new users depend on their ArkoseLabs risk band. That is:
- **High** risk band - credit card, phone number, and email verification are required
- **Medium** risk band - phone number and email verification are required
- **Low** risk band - email verification is required
An ArkoseLabs risk band is assigned to a user after they have successfully solved the ArkoseLabs challenge.
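To make the two rules above concrete (external-provider sign-ups are sent to the challenge until a risk band exists; the band then decides which verification steps apply), here is an added, self-contained Ruby sketch. It is not code from this MR or from GitLab: the method names (`post_signup_redirect`, `required_verification_methods`, `external_provider?`), the `EXTERNAL_PROVIDERS` set, the `User` struct and the flag hash are assumptions made for the example; only the two paths, the feature-flag names and the risk-band mapping come from this MR. The redirect keys on "no risk band assigned yet" rather than on "has visited the challenge page", so a user who abandons the challenge is sent back to it on the next request instead of skipping ahead to verification.

```ruby
# Added illustration (not GitLab's code): a minimal model of the sign-up
# gating this MR describes. Helper names and data shapes are assumptions.
require 'set'

# Feature flags named in the MR; the values here are constructed defaults.
FLAGS = {
  identity_verification: true,
  arkose_labs_oauth_signup_challenge: true,
  identity_verification_phone_number: true,
  identity_verification_credit_card: true
}.freeze

# Assumed set of OmniAuth providers treated as "external" for this example.
EXTERNAL_PROVIDERS = Set['google_oauth2', 'twitter', 'github'].freeze

CHALLENGE_PATH    = '/users/identity_verification/arkose_labs_challenge'
VERIFICATION_PATH = '/users/identity_verification'

# Minimal stand-in for the user record; arkose_risk_band is nil until the
# ArkoseLabs challenge has been solved.
User = Struct.new(:provider, :arkose_risk_band, keyword_init: true)

def feature_enabled?(flag, flags = FLAGS)
  flags.fetch(flag, false)
end

def external_provider?(user)
  EXTERNAL_PROVIDERS.include?(user.provider)
end

# Where a freshly created user is sent after the OAuth callback.
# Returns nil when identity verification is switched off entirely
# (assumption: no extra redirect happens in that case).
def post_signup_redirect(user, flags = FLAGS)
  return nil unless feature_enabled?(:identity_verification, flags)

  if feature_enabled?(:arkose_labs_oauth_signup_challenge, flags) &&
     external_provider?(user) && user.arkose_risk_band.nil?
    CHALLENGE_PATH
  else
    VERIFICATION_PATH
  end
end

# Verification methods required per risk band, in the order the MR lists
# them; the phone-number and credit-card steps can be switched off by flag,
# exactly as the local test setup below does.
def required_verification_methods(user, flags = FLAGS)
  methods = case user.arkose_risk_band
            when 'high'   then %w[credit_card phone_number email]
            when 'medium' then %w[phone_number email]
            when 'low'    then %w[email]
            else raise ArgumentError, "no risk band assigned for #{user.provider}"
            end

  methods.reject do |m|
    (m == 'phone_number' && !feature_enabled?(:identity_verification_phone_number, flags)) ||
      (m == 'credit_card' && !feature_enabled?(:identity_verification_credit_card, flags))
  end
end

if __FILE__ == $PROGRAM_NAME
  u = User.new(provider: 'google_oauth2', arkose_risk_band: nil)
  puts post_signup_redirect(u)                 # challenge page first
  u.arkose_risk_band = 'high'                  # set once the challenge is solved
  puts post_signup_redirect(u)                 # now the verification page
  puts required_verification_methods(u).inspect
end
```

Running the file prints the challenge path, then the verification path, then the three-step list for a high-risk user; pass a flag hash with the phone and credit-card flags set to `false` to see the list collapse to email only, which is what the local test setup in this MR does.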
Screenshots or screen recordings
[Screen recording: Screen_Recording_2023-01-13_at_10.23.39_AM]
How to set up and validate locally
Set up
- Set up GDK with Google OAuth2. Follow these instructions.

  Your `gitlab.yml` should look like this:

  ```yaml
  production: &base
    omniauth:
      # Allow login via Twitter, Google, etc. using OmniAuth providers
      enabled: true

  development:
    <<: *base
    omniauth:
      allow_single_sign_on: true
      block_auto_created_users: false
      external_providers: ['google_oauth2']
      providers:
        - { name: 'google_oauth2', app_id: 'your-app-id', app_secret: 'your-app-secret', args: { access_type: 'offline', approval_prompt: '' } }
  ```

  Check that you have the correct omniauth config via the Rails console:

  ```
  > Gitlab.config.omniauth
  => {"block_auto_created_users"=>false, "allow_single_sign_on"=>true, "external_providers"=>["google_oauth2"], "providers"=>[{"name"=>"google_oauth2", "app_id"=>"your-app-id", "app_secret"=>"your-app-secret", "args"=>{"access_type"=>"offline", "approval_prompt"=>""}}], "enabled"=>true, ...}
  ```
- Toggle the relevant feature flags and configure the ArkoseLabs integration:

  ```
  $ rails console
  > Feature.enable(:identity_verification)
  > Feature.enable(:arkose_labs_oauth_signup_challenge)
  > ApplicationSetting.first.update({ arkose_labs_public_api_key: '****', arkose_labs_private_api_key: '****', arkose_labs_namespace: 'client' })
  > Feature.disable(:identity_verification_phone_number) # To make testing simpler, we turn off phone number verification
  > Feature.disable(:identity_verification_credit_card) # To make testing simpler, we turn off credit card verification
  ```

  Notes:
  - Credentials are available in the GitLab 1Password Engineering Vault
- Force ArkoseLabs to always require the user to solve the challenge. Update `ee/app/assets/javascripts/arkose_labs/components/identity_verification_arkose_app.vue`:

  ```diff
   arkoseObject.setConfig({
  +  data: { id: 'ML_defence' }, // ADD THIS LINE
     mode: 'inline',
     selector: `.${this.arkoseContainerClass}`,
     onShown: this.onArkoseLabsIframeShown,
     onCompleted: this.passArkoseLabsChallenge,
   });
  ```
Validate
- Visit the registration page
- Click **Register with: Google**
- Sign in with Google using any test user you configured in your Google OAuth client
- Validate that after signing in (the user record is created at this point) you are redirected to the page (`/users/identity_verification/arkose_labs_challenge`) where the ArkoseLabs challenge is shown
- Solve the challenge
- Validate that you are redirected to the identity verification page (`/users/identity_verification`) showing the email verification step
- From the Rails console, validate that the new user has an assigned `arkose_risk_band`:

  ```
  > User.last.arkose_risk_band
  => "high"
  ```

- Delete the `User` record from the Rails console with the following command: `User.last.destroy`
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- [ ] I have evaluated the MR acceptance checklist for this MR.