Resolve "Integrate FortiToken Cloud to GitLab 2FA options"

Merged Manoj M J requested to merge 212313-integrate-forticloud-token-to-gitlab-2fa-options into master

What does this MR do?

This MR adds FortiToken Cloud (the SaaS version of FortiAuthenticator) as an OTP provider for 2FA in GitLab.

This is very similar to FortiAuthenticator, which is already added as an OTP method via !45055 (merged).

This is behind a feature flag (forti_token_cloud) and is disabled by default.

The API guide is available at: https://drive.google.com/file/d/12kTIYFIQSqDq3D9ERkqRloUtjdEcFDEP/view

Steps involved in the process are:

  1. Create a new app in FortiToken Cloud, get its client_id and client_secret.
  2. Configure these keys in GitLab
  3. Enable feature flag for the user.
  4. User tries to login and is asked for OTP.
  5. User enters OTP.
    • The FortiTokenCloud service communicates with the API, using the client_id and client_secret we supplied
    • If the API call is successful, it creates a new access_token.
    • With this newly generated access token, it hits the /auth endpoint with the OTP the user entered in step 5 and their username.
    • If the auth API returns 200, it means the OTP is valid for the user and hence the user can login.
    • If the response is not 200, it means the OTP is invalid & the login is prohibited.
    • Login is also prohibited if the access token cannot be created successfully.
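The two-step check above, as an added example in Ruby (GitLab's language); this is not the MR's own code or GitLab's `FortiTokenCloud` strategy. It exchanges the configured `client_id`/`client_secret` for an access token, then POSTs the username and OTP to `/auth` and accepts the login only on HTTP 200; a failed token exchange or any non-200 from `/auth` denies it. Only `/auth` is named in the MR: the `/login` path, the bearer-token header, the JSON field names and the `FakeFortiTokenCloud` stand-in are assumptions made so the flow runs offline.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Added example, not code from the MR or from GitLab. Implements the flow the
# MR describes: token exchange, then username + OTP to /auth, 200 => valid.
# The /login path, header format and JSON field names are assumptions.
class FortiTokenCloudOtpValidator
  TOKEN_PATH = '/login' # assumed; only /auth is named in the MR
  AUTH_PATH  = '/auth'

  # `poster` responds to post(url, json_hash, headers) and returns
  # [status_code, body_string]; injecting it lets the flow run offline.
  def initialize(base_url:, client_id:, client_secret:, poster:)
    @base_url, @client_id, @client_secret, @poster = base_url, client_id, client_secret, poster
  end

  # True only when /auth answered 200. No token, or any non-200 status, denies.
  def valid_otp?(username, otp)
    return false if username.to_s.empty? || otp.to_s.empty?

    token = access_token
    return false if token.nil?

    status, _body = @poster.post(
      @base_url + AUTH_PATH,
      { 'username' => username, 'token' => otp },
      { 'Authorization' => "Bearer #{token}", 'Content-Type' => 'application/json' }
    )
    status == 200
  end

  private

  def access_token
    status, body = @poster.post(
      @base_url + TOKEN_PATH,
      { 'client_id' => @client_id, 'client_secret' => @client_secret },
      { 'Content-Type' => 'application/json' }
    )
    return nil unless status == 200 # never trust the body of a failed exchange

    token = JSON.parse(body)['access_token']
    token.is_a?(String) && !token.empty? ? token : nil
  rescue JSON::ParserError
    nil
  end
end

# Adapter for real use: JSON over HTTPS with timeouts (not exercised offline).
class NetHttpPoster
  def post(url, body, headers)
    uri = URI(url)
    req = Net::HTTP::Post.new(uri, headers)
    req.body = JSON.generate(body)
    res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https',
                          open_timeout: 5, read_timeout: 10) { |h| h.request(req) }
    [res.code.to_i, res.body.to_s]
  end
end

# Constructed in-memory stand-in for the FortiToken Cloud API (assumption).
# Issues a token only for the right client credentials and answers /auth with
# 200 only for a known username/OTP pair presented with a token it issued.
class FakeFortiTokenCloud
  def initialize(client_id:, client_secret:, otps:)
    @client_id, @client_secret, @otps = client_id, client_secret, otps
    @tokens = {}
  end

  def post(url, body, headers)
    case url
    when %r{/login\z}
      return [401, JSON.generate('error' => 'invalid_client')] unless
        body['client_id'] == @client_id && body['client_secret'] == @client_secret
      tok = "tok-#{@tokens.size + 1}"
      @tokens[tok] = true
      [200, JSON.generate('access_token' => tok)]
    when %r{/auth\z}
      bearer = headers['Authorization'].to_s.sub('Bearer ', '')
      return [401, '{}'] unless @tokens[bearer]
      @otps[body['username']] == body['token'] ? [200, '{}'] : [401, '{}']
    else
      [404, '{}']
    end
  end
end

# Runs the four outcomes a reviewer would want to see: valid OTP, wrong OTP,
# unknown user, and a broken client secret (token cannot be created).
def demo_results
  api = FakeFortiTokenCloud.new(client_id: 'gitlab-app', client_secret: 's3cret',
                                otps: { 'alice' => '123456' })
  args = { base_url: 'https://ftc.example', client_id: 'gitlab-app', poster: api }
  good = FortiTokenCloudOtpValidator.new(**args, client_secret: 's3cret')
  bad  = FortiTokenCloudOtpValidator.new(**args, client_secret: 'wrong')
  {
    valid_otp: good.valid_otp?('alice', '123456'),
    wrong_otp: good.valid_otp?('alice', '000000'),
    unknown_user: good.valid_otp?('bob', '123456'),
    bad_client_secret: bad.valid_otp?('alice', '123456')
  }
end

puts demo_results.inspect if $PROGRAM_NAME == __FILE__
```

Two points worth carrying into the real strategy: treat only an exact 200 as success (a 2xx range or a parsed "ok" field would widen the accept path), and never log the `client_secret`, the access token or the OTP when the call fails.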

TODO: Add forti_token_cloud config to omnibus, similar to omnibus-gitlab!4645 (merged) (This is currently in draft: omnibus-gitlab!4824 (merged))

Screenshots (strongly suggested)

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team

Related to #212313 (closed)

Edited by Manoj M J