Step-up auth: Group protection (Model and UI settings) [PART 1/4]

What does this MR do and why?

Step-up auth: Model and UI settings for group-based step-up auth

In a previous MR, we introduced step-up authentication for the admin mode, see !171643 (merged).

Now, we want to extend this functionality to namespaces (groups) in GitLab, see #556943. The implementation plan for this feature includes several key changes that will be implemented in several MRs. Future MRs will implement the enforcement logic and inheritance logic (considering settings from parent groups).

This MR adds foundational database and UI support for step-up authentication at the namespace level:

  • Add step_up_auth_required_oauth_provider column to namespace_settings with validation against enabled OAuth providers
  • Extend group settings UI with step-up authentication configuration section including inheritance indicators
  • Implement feature flag protection for gradual rollout

Feature Flag: omniauth_step_up_auth_for_namespace (disabled by default)

Changelog: added

🛠️ with ❤️ at Siemens

References

Screenshots or screen recordings

This MR makes it possible to enable step-up authentication for a group by selecting an OmniAuth provider that carries a step-up auth configuration.

[Screenshots: Before / After of the group settings page; images not included in this extract]

How to set up and validate locally

Part 1: Prepare your local GitLab gdk instance

  1. In your local gdk instance, add the following omniauth configuration to config/gitlab.yml, see the collapsed section below
  2. Enable the feature flag :omniauth_step_up_auth_for_namespace via the rails console
    Feature.enable(:omniauth_step_up_auth_for_namespace)
  3. Create a simple GitLab group that we want to protect with step-up auth.
Click to expand the `config/gitlab.yml`

```yaml
development:
  <<: *base
  omniauth:
    allow_bypass_two_factor: ["openid_connect"]
    allow_single_sign_on: ["openid_connect"]
    auto_link_ldap_user: null
    auto_link_saml_user: null
    auto_link_user: ["openid_connect"]
    auto_sign_in_with_provider:
    block_auto_created_users: false
    external_providers: []

    providers:
    - { name: "openid_connect",
        label: "[OIDC] Keycloak",
        args: {
          name: "openid_connect",
          # strategy_class: "OmniAuth::Strategies::OpenIDConnect",
          scope: ["openid", "profile", "email"],
          response_type: "code",
          issuer: "http://localhost:8080/realms/step-up-auth-gitlab-realm",
          client_auth_method: "query",
          discovery: false,
          uid_field: "preferred_username",
          pkce: true,
          allow_authorize_params: ["claims"],
          client_options: {
            host: "localhost",
            scheme: "http",
            port: "8080",
            identifier: "step-up-auth-gitlab-client",
            secret: "C6S2b1ZkifZa6BI8Jy5K3lz2Eglb4JuQ",
            redirect_uri: "http://gdk.test:3000/users/auth/openid_connect/callback",
            authorization_endpoint: "/realms/step-up-auth-gitlab-realm/protocol/openid-connect/auth",
            token_endpoint: "/realms/step-up-auth-gitlab-realm/protocol/openid-connect/token",
            userinfo_endpoint: "/realms/step-up-auth-gitlab-realm/protocol/openid-connect/userinfo",
            jwks_uri: "http://localhost:8080/realms/step-up-auth-gitlab-realm/protocol/openid-connect/certs",
            end_session_endpoint: "/realms/step-up-auth-gitlab-realm/protocol/openid-connect/logout"
          }
        },
        step_up_auth: {
          namespace: {
            id_token: {
              required: {
                acr: 'gold'
              }
            },
            params: {
              claims: {
                id_token: {
                  acr: {
                    essential: true,
                    values: ['gold']
                  }
                }
              }
            }
          }
        }
      }
```
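The Ruby snippet below is an added illustrative example, not code from this MR or from GitLab: it models what the new setting and the `step_up_auth.namespace` section above express, namely which providers a group may select (only enabled providers that carry a namespace step-up config) and which ID-token claims satisfy the configured `required` block. The provider hash, the extra `github` provider and all method names are constructed assumptions.

```ruby
# Constructed provider list mirroring the gitlab.yml above (assumption:
# GitLab exposes the loaded config as hashes with symbol keys at this level;
# claim keys are kept as strings). The 'github' entry is made up to show a
# provider without step-up support.
PROVIDERS = [
  { name: 'openid_connect',
    step_up_auth: { namespace: { id_token: { required: { 'acr' => 'gold' } } } } },
  { name: 'github' }
].freeze

# Providers a group is allowed to select: enabled providers that define a
# step_up_auth.namespace section (what the settings dropdown should list).
def selectable_step_up_providers(providers = PROVIDERS)
  providers.select { |p| p.dig(:step_up_auth, :namespace) }.map { |p| p[:name] }
end

# Model-level validation for step_up_auth_required_oauth_provider
# (hypothetical helper): nil means "not enforced", anything else must be
# one of the selectable providers, so a stale or unknown provider name
# cannot be persisted.
def valid_step_up_provider?(value, providers = PROVIDERS)
  value.nil? || selectable_step_up_providers(providers).include?(value)
end

# Does an ID token satisfy the provider's required claims? Every required
# claim must be present and equal to the configured value; a missing claim
# or an unconfigured provider fails closed.
def id_token_satisfies_step_up?(provider_name, id_token_claims, providers = PROVIDERS)
  provider = providers.find { |p| p[:name] == provider_name }
  required = provider&.dig(:step_up_auth, :namespace, :id_token, :required)
  return false if required.nil? || required.empty?

  required.all? { |claim, value| id_token_claims[claim.to_s].to_s == value.to_s }
end
```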

Part 2: Test the step-up auth for group

  1. Sign in to your GitLab instance: http://gdk.test:3000/users/sign_in
  2. Go to the settings page of the test group
  3. Go to the section Permissions => Step-up authentication
  4. Play around with the dropdown and press Save

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

MR Checklist (@gerardo-navarro)

Related to #556943

Edited by Gerardo Navarro
