Step-up auth: Group protection (frontend flow and components) [3/4]
What does this MR do and why?
This MR adds the user interface components and authentication helper updates for namespace-level step-up authentication. It provides the UI flow for prompting users to complete step-up authentication when accessing protected group resources.
This is part 3 of a 4-part feature split that introduces step-up authentication for namespace (group) scope. The implementation includes:
- Auth Helper Enhancement: Updates `AuthHelper#step_up_auth_params` to support namespace scope alongside the existing admin_mode scope, with independent feature flag checking
- Step-Up Auth Controller: New `Groups::StepUpAuthsController` that handles the step-up authentication UI flow, including redirect management and authentication status checks
- Step-Up Auth View: User-facing page that explains the step-up authentication requirement and provides OAuth provider authentication buttons
- Route Configuration: Adds the `/groups/:group_id/-/step_up_auths/new` endpoint for the step-up authentication flow
- Internationalization: Adds user-friendly i18n strings for the step-up authentication UI
- Enforcement Concern: Introduces the `EnforcesNamespaceStepUpAuthentication` concern that provides reusable step-up authentication enforcement logic for group controllers, making integration straightforward for the final MR
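The following is an added illustration, not code from this MR or from GitLab, of the two security-relevant decisions the enforcement concern and controller have to make: gating namespace-scoped enforcement on its own feature flag (independent of the admin_mode flag) and only honouring a same-group relative path as the post-authentication redirect target. `StepUpGate`, `FLAGS`, the session layout and the `redirect_to` query parameter are assumptions.

```ruby
require 'uri'

# Hypothetical flag lookup: one flag per scope, checked independently,
# so enabling the namespace flag never depends on the admin_mode flag.
FLAGS = {
  admin_mode: 'omniauth_step_up_auth_for_admin_mode',
  namespace: 'omniauth_step_up_auth_for_namespace'
}.freeze

STEP_UP_PATH = '/groups/%s/-/step_up_auths/new' # route added by this MR

class StepUpGate
  # enabled_flags: names of feature flags that are on (constructed input).
  # session: hypothetical shape { 'step_up_auth' => { 'namespace' => { group => state } } }
  def initialize(enabled_flags:, session:)
    @enabled_flags = enabled_flags
    @session = session
  end

  def flag_enabled?(scope)
    @enabled_flags.include?(FLAGS.fetch(scope))
  end

  # nil => request may proceed; otherwise the step-up page the user is sent to,
  # carrying a sanitised return path so the flow can resume afterwards.
  def enforce(group:, provider:, requested_path:)
    return nil unless flag_enabled?(:namespace) # flag off: nothing is enforced
    return nil if provider.nil?                  # group has no step-up provider configured
    return nil if succeeded?(group)              # already stepped up for this group

    back = URI.encode_www_form_component(safe_return_path(group, requested_path))
    "#{format(STEP_UP_PATH, group)}?redirect_to=#{back}"
  end

  def succeeded?(group)
    @session.dig('step_up_auth', 'namespace', group) == 'succeeded'
  end

  # Open-redirect guard: only a scheme-less, host-less path inside this group
  # is accepted; anything else falls back to the group root.
  def safe_return_path(group, path)
    root = "/groups/#{group}"
    uri = URI.parse(path.to_s)
    return root unless uri.scheme.nil? && uri.host.nil?
    return root unless uri.path == root || uri.path.start_with?("#{root}/")

    uri.path
  rescue URI::InvalidURIError
    root
  end
end
```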
Important: This MR adds UI components and enforcement logic (without the final integration). The UI is accessible via direct navigation but won't be automatically triggered until MR 4 adds the protection integration and enforcement.
Feature Flag: Protected by `omniauth_step_up_auth_for_namespace` (namespace scope), independent from the existing `omniauth_step_up_auth_for_admin_mode` flag.
Safety: The changes are additive and isolated:
- New controller and view with no side effects on existing functionality
- Auth helper changes use feature flag gating and maintain backward compatibility
- No changes to existing authentication flows (yet)
- Enforcement concern is ready for integration but not yet applied to controllers
References
- Related issue: #556943 (Phase 3: UI Components & Auth Helper)
- Previous MR (Part 2 - OIDC backend): Step-up auth: Group protection (OIDC backend su... (!204102 - merged)
- Final MR (Part 4 - enforcement logic): Draft: Step-up auth: Group protection (enforcem... (!199800)
Screenshots or screen recordings
| Before | After |
|---|---|
| N/A - New feature | Step-up auth prompt page with OAuth provider button (screenshot) |
How to set up and validate locally
Part 1: Prepare your local GitLab gdk instance
Follow the steps described here
Part 2: Test the step-up auth UI
- Navigate to the group settings page: http://gdk.local:3000/groups/flightjs/-/edit#js-permissions-settings
- Go to the section "Step-up auth" and select the provider "[OIDC] Keycloak" => Now you have enabled step-up auth protection for the group `flightjs`.
- Navigate to the group's step-up auth page: http://localhost:3000/groups/flightjs/-/step_up_auths/new
  🗒️ Note: This is the page that will be shown when the user is not step-up auth protected. You should now see the available options for performing the step-up authentication, i.e. just the provider "[OIDC] Keycloak". Given that this MR does not enforce step-up auth protection just yet, we need to go to the page manually.
- Verify the step-up authentication prompt page displays with:
  - Clear messaging about the authentication requirement
  - OAuth provider authentication button(s)
  - Proper i18n strings
- Click the OAuth provider button and complete authentication
- Verify successful redirect back to the group page with success notice
Part 3: Test normal behavior because step-up is not enforced yet
Given that this MR does not contain any enforcement logic regarding step-up authentication, it should still be possible to access all routes related to the group flightjs without any restriction even though the required step-up auth provider has been set in "Part 2: Test the step-up auth UI".
So, move around on the pages of the flightjs
group and all pages should be accessible.
Part 4: Run automated tests

```shell
# Test auth helper
bundle exec rspec spec/helpers/auth_helper_spec.rb:790
# Test controller (note: requires Vite assets, may need asset build)
bundle exec rspec spec/requests/groups/step_up_auths_controller_spec.rb
```
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
MR Checklist (@gerardo-navarro)
- Changelog entry added, if necessary
- Documentation created/updated via this MR
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Tested in all supported browsers
- Conforms to the code review guidelines
- Conforms to the style guides
- Conforms to the javascript style guides
- Conforms to the database guides
- Conforms to the merge request performance guidelines
- UI changes follow GitLab Design System patterns and accessibility guidelines
- Feature flag `omniauth_step_up_auth_for_namespace` properly gates all namespace-scoped functionality
- Auth helper maintains backward compatibility with existing `:admin_mode` scope
- Internationalization strings are clear, consistent, and follow GitLab conventions
- Controller follows GitLab security best practices (authentication, authorization, redirect safety)