Skip to content

Geo: Allow OAuth login to a secondary node at an alternate URL

Michael Kozono requested to merge mk/alternate-geo-node-oauth-urls into master

What does this MR do?

Background

Logging into a Geo secondary requires OAuth authentication with the Geo primary. This works fine when you're browsing the secondary at its external_url.

Problem

But say for example you put 2 Geo secondaries (with different external URLs, by nature, since each Geo node is basically an independent GitLab installation) behind a load balancer.

When you visit the load balancer URL at a path that needs you to be logged in, you go into the OAuth flow. You get redirected to the primary, passing along the callback URL you want to be redirected back to (which has the load balancer domain). But the primary doesn't allow redirects to a URL it doesn't know, so you can't do that currently.

Solution

Let admins add this load balancer URL so the primary knows it's safe to redirect you back there. Authentication continues, and you are able to log in at the load balancer URL.

Follow up

There's more work to do to make everything work well, but this issue and MR limits scope to unblocking authentication.

Screenshots

Desktop Mobile
Node Edit image image
Node Details image image

What are the relevant issue numbers?

Resolves https://gitlab.com/gitlab-org/gitlab-ee/issues/9142

Does this MR meet the acceptance criteria?

Edited by Nick Thomas

Merge request reports