Is it possible to use Gitlab as an oauth provider? - oauth-2.0

I know that it is possible to log into Gitlab with external providers such as Github.
However, I was wondering if Gitlab's oauth can be used to authenticate users to my application?
Is there an oauth endpoint that I can use?

It should be possible since the suggestion "Oauth system for third party application" seems completed with GitLab 7.7 (which is to be released)
It would be powerful to have an oauth authentication system with application management like Github.
If this feature appears on GitLab, developers would be able to create many third-party applications like Travis-CI or Scrutinizer which can interact directly with a "GitLab Connect" system, the same as GitHub or Bitbucket.
We should manage authorization scope too (profile view / edit, group access, projects access etc...).
GitLab team (Admin, Gitlab) responded · Dec 22, 2014
Completed In GitLab 7.7
See the diff between GitLab 7.6 and 7.7 and:
commit ed932d8
commit f9ece12
February 2016 edit, complementary links:
GitLab as OAuth2 authentication service provider
GitLab as an OAuth2 client
Doorkeeper, what GitLab uses to implement OAuth
Note: with GitLab 13.11 (April 2021)
Register OAuth applications at the group level
Group owners can now register OAuth applications for a group.
Previously, OAuth applications could only be registered by individual users or at the instance level.
Making this functionality available at the group level reduces the administrative burden for instance administrators and removes the dependency on individual users for the configuration of OAuth applications.
Thanks to the amazing work from GitLab contributor Jonas Wälter from Siemens, this feature is now available in 13.11.
See Documentation and Issue.

No, it is not. Currently the only supported scope is api which gives the authentication client full access to everything in the user's name. See https://gitlab.com/gitlab-org/gitlab-ce/issues/22323 to track progress.
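The authorization-code login that the first answer links to (GitLab as OAuth2 authentication service provider) and the scope point in the answer above, written out as an added example; this is not code from either answer nor from GitLab itself. It assumes GitLab's documented `/oauth/authorize` and `/oauth/token` endpoints, placeholder values for the instance URL, application ID, secret and redirect URI (taken from the GitLab Applications page in practice), that `read_user` is a narrower scope offered by current GitLab versions (the answer above only knew `api`, which grants full access in the user's name), and that current GitLab accepts PKCE (RFC 7636). The HTTP transport is injectable, so the flow runs offline against a constructed fake token endpoint that enforces the same checks the real one does.

```python
"""Added example: OAuth 2.0 authorization-code login against a GitLab instance.
Assumptions (not from the original answers): GitLab's /oauth/authorize and
/oauth/token endpoints; placeholder client values; `read_user` as a narrower
scope than `api`; PKCE accepted by the server. The fake token endpoint below
is constructed so the example runs offline.
"""
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request

GITLAB_URL = "https://gitlab.example.com"                  # placeholder
CLIENT_ID = "APPLICATION_ID_PLACEHOLDER"                   # placeholder
CLIENT_SECRET = "APPLICATION_SECRET_PLACEHOLDER"           # placeholder
REDIRECT_URI = "https://myapp.example.com/oauth/callback"  # placeholder


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge: BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(state: str, code_challenge: str, scope: str = "read_user") -> str:
    """Step 1: URL the user's browser is sent to. `state` is a fresh random value
    kept in the login session; ask for the narrowest scope that works, since
    `api` grants full access in the user's name."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "state": state,
        "scope": scope,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{GITLAB_URL}/oauth/authorize?{urllib.parse.urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: check the redirect back from GitLab and extract the one-time code.
    A state mismatch means the callback was not started by our session
    (CSRF / login injection), so the login is refused."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in query:
        raise PermissionError(f"authorization failed: {query['error'][0]}")
    if not secrets.compare_digest(query.get("state", [""])[0], expected_state):
        raise PermissionError("state mismatch: refusing callback")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def http_post_form(url: str, form: dict) -> dict:
    """Real transport (urllib only): form-encoded POST, JSON body back."""
    data = urllib.parse.urlencode(form).encode("ascii")
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def exchange_code(code: str, code_verifier: str, post=http_post_form) -> dict:
    """Step 3: back-channel exchange of the code for tokens. The client secret
    never reaches the browser; only this server-side call carries it."""
    form = {
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": code_verifier,
    }
    token = post(f"{GITLAB_URL}/oauth/token", form)
    if "access_token" not in token or token.get("token_type", "").lower() != "bearer":
        raise PermissionError(f"token exchange failed: {token.get('error', 'no token')}")
    return token


class FakeTokenEndpoint:
    """Constructed stand-in for GitLab's /oauth/token. It enforces what the real
    endpoint enforces: a known, single-use code and a code_verifier matching the
    code_challenge that was presented at /oauth/authorize."""

    def __init__(self, issued_code: str, code_challenge: str):
        self.issued_code = issued_code
        self.code_challenge = code_challenge

    def __call__(self, url: str, form: dict) -> dict:
        if not url.endswith("/oauth/token") or form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        if form.get("code") != self.issued_code:
            return {"error": "invalid_grant"}
        if pkce_challenge(form.get("code_verifier", "")) != self.code_challenge:
            return {"error": "invalid_grant"}   # verifier does not match challenge
        self.issued_code = None                 # authorization codes are single use
        return {"access_token": "constructed-access-token", "token_type": "bearer",
                "expires_in": 7200, "refresh_token": "constructed-refresh-token"}


def run_flow_offline() -> dict:
    """Drive steps 1-3 end to end with constructed inputs; returns the token dict."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)
    challenge = pkce_challenge(verifier)
    build_authorize_url(state, challenge)       # the browser would be sent here
    # Constructed callback, shaped like GitLab's redirect after the user consents.
    callback = f"{REDIRECT_URI}?code=constructed-code-123&state={state}"
    code = parse_callback(callback, state)
    fake = FakeTokenEndpoint(issued_code="constructed-code-123", code_challenge=challenge)
    return exchange_code(code, verifier, post=fake)


if __name__ == "__main__":
    print(run_flow_offline())
```

Swapping `FakeTokenEndpoint` for the default `http_post_form` and filling in the placeholders turns this into a working login against a real instance; the `state` comparison and the PKCE verifier are the two checks that keep a stolen or attacker-injected code from being exchanged by your application.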

Related

Generate a PAT for an on-prem DevOps installation using API

I've set up some on-prem Docker-based DevOps agents using a Docker Swarm. However, these agents rely on a PAT to authenticate and connect with our on-prem DevOps 2019 - not a HUGE issue, but PATs have a max lifetime of a year, and I'd rather have this system working longer if possible (on-prem solutions tend to have a lifetime of their own after all).
I know DevOps has an API - alas attempting to find information on how to use it directs me to the DevOps Services (online) versions, which aren't going to work for me (they use things like AAD applications for authentication and that's clearly not going to work on-prem). Annoyingly trying to change the documentation to show what's valid for DevOps 2019 redirects back to documentation for DevOps Services.
Any idea how to generate a PAT using the API on an on-prem DevOps instance, preferably by authenticating via username + password? Or at least where can I find some documentation on this?
If you are trying to use the PAT REST API, then you can find it in the Azure documents which I am sharing here:
https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/manage-personal-access-tokens-via-api?view=azure-devops
Hope this will help you out.

How can we configure Artifactory to auto-assign OAuth users to LDAP groups?

I've got Artifactory set up to allow SSO via an OIDC client in Keycloak. Keycloak talks to Active Directory in the background. I've also got the same Active Directory configured within Artifactory. I've also configured Keycloak to provide user groups in the userinfo structure.
What I'm trying to do is to get OAuth users to automatically be added to the imported LDAP groups within Artifactory. I don't mind if this is done via the userinfo structure or via a separate LDAP lookup when a user logs in. However I can't seem to figure out how to achieve this.
I know that Artifactory provides a plugin called synchronizeLdapGroups.groovy, which seems to advertise doing what I need, however it seems like the plugin is not actually taking effect. That is to say, users do not end up with the permissions that being in the LDAP groups would provide.
I've attempted to write a plugin myself to do what I need, but when I make the API call to add the groups to the user, the plugin crashes. It's unclear why at this point.
It seems like others have used the SCIM feature in Artifactory for something akin to this (mostly via SAML rather than OIDC though), however Keycloak doesn't support SCIM out of the box and the SCIM plugin I've tried using has similarly given me no results.
Has anyone done something similar to this, and has a working solution I could follow?
If it's a specific group you want all users to be in you could try:
Under Security - OAuth SSO settings tab - check "Auto Create Users"
Under Identity and Access - Groups - select the specific group and check "Automatically Join New Users To The Group"
I'm guessing you want to automatically sync user-group association between Keycloak and Artifactory. SCIM is what you're looking for but there's a known issue specifically with Keycloak SCIM plugin.
We're looking into the SCIM plugin for Keycloak (can't commit on a specific timeline for a fix but it should be sometime this quarter).
If you only need the association in the UI you could try SAML with "Auto associate groups" set. It won't apply the groups association for APIKey/Token calls but it would work for the UI.
EDIT:
After further investigation, github.com/Captain-P-Goldfish/scim-for-keycloak isn't relevant here: it makes Keycloak a SCIM client, not a SCIM server. There's no official support of SCIM in Keycloak, see issues.redhat.com/browse/KEYCLOAK-2537, and there's no working plugin for Keycloak that makes it a SCIM server that I could find (tried a few, all broken). For now Artifactory can't support SCIM with Keycloak.

Does all traffic for jira software server get routed through atlassian first?

I'm trying to build an app that uses Jira Software Server data. On Jira SaaS, OAuth is simple enough, but after creating an SSL cert and configuring a localhost Jira instance for development, I can't get any proper responses from my own server for the older OAuth 1.0a flow, and all the documentation seems to reference https://jira.yourdomain.com. Is there some DNS that all self-hosted servers are routed through from Atlassian? I realize this self-hosted product is being slowly deprecated, but this new feature I want to provide for a client will require this connection since they are using this version of the software. Any insight would be useful since the Atlassian docs are so very outdated/not maintained.
No, Jira Software on premise does not route traffic through Atlassian cloud.
There are lots of offline Jira instances.
Here is some documentation about oauth with Jira Server/Datacenter:
https://confluence.atlassian.com/kb/oauth-troubleshooting-guide-719095274.html

Integrating Kong and Azure Active Directory

Have you tried integrating Kong with Azure Active Directory authentication?
What about it?
I've found this documentation ... but I am not sure if LDAP can be applied to Azure Active Directory.
LDAP Authentication
LDAP Authentication Advanced
At this moment I am looking into it, but I think that LDAP does not apply to Azure Active Directory ... does it?
I think that, to use Kong to control access to resources via multi-factor authentication, automate user provisioning between a Windows Server AD and our cloud apps, or add SSO (allowing it to work with a user's pre-existing credentials), maybe I could use the Kong OpenID Connect plugin or the Kong OAuth 2.0 Introspection plugin in order to use Azure Active Directory as a third-party authorization server?
My intention is to protect the Swagger API backend using Kong and Azure, and in this way
I've read some things like this, but I can't find any relation between AAD itself and Kong or any external API other than the API Management instance service that they offer to their users.
Could I be wrong in my considerations here?
Is it really possible to work with Kong's authentication and authorization process and third-party auth servers like Azure Active Directory in my case?
In this line, could the Kong OAuth 2.0 Introspection plugin be a good alternative to follow?

Add Jenkins local user readonly account when using Global GitHub OAuth Sec

How can I add a limited access account for jenkins automation when I'm using Global GitHub OAuth Settings?
I'm using GitHub OAuth for login to Jenkins and I have Python jenkinsapi scripts that I want to run as a user with read-only access. At present, all my users are GitHub users.
I can create a GitHub account without access to my repositories and then limit that account's access to Jenkins, but this seems cumbersome.
Is there a way to use multiple security realms or to create local users?
It seems that when Jenkins contains a local user, the plugin uses this first (plugin-source).
If you look at Manage Jenkins->Configure Global Security, you can see that you can select only one security realm.
I would say, for Jenkins use, create a GitHub service account specifically; that user can be restricted to just a few repositories. You can also look at matrix-based security or project-based matrix security if you want to restrict authorization further.
