Switch to upstream omniauth_openid_connect gem

Stan Hu requested to merge sh-update-upstream-omniauth into master

What does this MR do and why?

We forked the original gem a while ago to fix a number of issues and add a number of features (https://gitlab.com/gitlab-org/ruby/gems/gitlab-omniauth-openid-connect/-/merge_requests?scope=all&state=merged).

Since then we've upstreamed all the changes into the omniauth_openid_connect (https://github.com/omniauth/omniauth_openid_connect) repository. In addition, the upstream project has added PKCE support and has other contributors.

This commit locks the openid_connect gem to v1.3.0 since upgrading past that version pulls in an updated net-smtp, which cannot be used with Ruby 2.7 due to https://bugs.ruby-lang.org/issues/17761. See https://docs.gitlab.com/ee/development/emails.html#rationale for more details.

Relates to gitlab-org/ruby/gems/gitlab-omniauth-openid-connect#5 (closed)

How to set up and validate locally

  1. Check out gitlab-development-kit!2942 (merged) for GDK support of OIDC.
  2. Register an OAuth2 application (e.g. in Google): https://docs.gitlab.com/ee/administration/auth/oidc.html. FYI, Google only allows real top-level domains or private IPs/hosts such as localhost.
  3. Enter the OAuth2 client ID and secret in client_options.identifier and client_options.secret.
  4. Log into your account, enter -/profile/account.
  5. Click on Connect OpenID Connect.
  6. Authenticate with Google.
  7. Sign out and log back in with OpenID Connect.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Stan Hu
