Gitlab oauth support #305
Gitlab oauth support #305
Conversation
|
Wow, that's mighty! thanks a lot! Just a couple of questions before I start digging into the code: 1
do you think it's GitLab specific? Or it can be re-used for all authentications? 2
does it have default value? I think it would be ok to save it to 3Do you store user information anywhere, to perform additional requests (for |
both implemented only for gitlab auth at this moment
nope, if
Well, for sure it's stored in memory Also I think to implement special type of authentication without group support, in this case I can ask read_user scope from gitlab, it's read only, so user api token can be used only for reading some information. I will think how to hide data in dump file. May be to encrypt it with key passed via ENV. But this problem is wider... for example, how to stop accessing logs because user can remove logs with script. |
|
Added information about |
|
Thanks for your answers!
no, not really. My question was about reusing it for all authentication :) If it would be easily achieved in future
If an attacker has access to the server, he can access the key as well. So I don't think it would be much more secure.
I think if the server is compromised, there is not much you can do about server data itself. But if you dump user credentials (or gitlab user token), then the attacker would be able to access GitLab as well. What kind of user data/credentials do you store in the moment? By the way, did you consider storing it in user secured cookies? PS sorry if these questions sound as critique (or request for changes), it's definitely not intended this way. I'd like to discuss and understand the chosen approach. And we can try to find all potential flaws and benefits, so Script server usage will be secure (first) and convenient. |
Only OAuth2 token but with API scope, so it's a lot. There is
well, it's possible, can do it
I am thinking about "script wrapper" for run script with sudo or in docker container. It can help to restrict access to script server files. |
…rmation + group_support on/off, is off - read_user scope used
|
Gitlab oauth key now stored in secure cookie. For better safety now it's possible to auth with |
dump -> state_dump_file, ttl -> auth_info_ttl, session_expire_min -> session_expire_minutes
|
Hi @miksir, I checked the PR. At the moment there is a lot of duplication between Google oauth and GitLab oauth. What do you think about extracting common part to some generic OauthAuthenticator? And then let google and GitLab implementations implement only the part, which is different? I think it would be fine if you move your new logic (with logout, dump, ttl, etc.) to this common class as well, so it will be used by google authenticator also. |
|
Both is OAuth, but lot of small difference. logout, dump, ttl needs only because user validity recheck implemented, but in Google OAuth not. I see what you want but it's require massive refactoring of Authenticator :( |
But all of those can be used for google as well, cannot they? The only difference is how you parse the response. For Gitlab you check the state (and probably groups), but for google you just get email field. |
|
Hi @miksir should I try to help you with the refactoring? I should have time on Thursday, I think. |
|
I pushed some changes. Please, check unresolved with my answers - do you need more info? I will try to refactor unit tests today. If you want to refactor google oauth too - yes, I need you help because I has other priority tasks from users. |
…rmation + group_support on/off, is off - read_user scope used
dump -> state_dump_file, ttl -> auth_info_ttl, session_expire_min -> session_expire_minutes
|
Hi @miksir, I'm working on the refactoring, hope to finish until end of the day |
|
Nop, no changes planned. But I rebased branch (no changes, just rebase), so rebease too :) |
|
Hi @miksir I did common behaviour extraction to a separate class. Unfortunately, I couldn't test Gitlab auth, so if you could check (and probably fix it), it would be cool. I'll still work on unit tests I also changed current behaviour a bit:
I think I went to deep and probably you won't recognize your code anymore 😅 But what do you think about the new flow? |
Sorry, I am confused :) Dump and storing user state was the same :) It was dump of users state. |
|
I meant state['state'] :) Like 'active', 'error', etc. |
|
I C. Great work. It's look like you can refactor ldap auth too :) |
|
Ye, it would be nice... But i think it's too much for now :)
One question: for session expiry you chose minutes, do you have a real case
for it? Usually it's days. I would think that hours would be more than
enough
And in this case, it would be way easier to implement it, by setting expiry
time for the username cookie
miksir <[email protected]> schrieb am Fr., 12. Juni 2020, 23:03:
… I C. Great work. It's look like you can refactor ldap auth too :)
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#305 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAJXPJPH3JFQFHRNMG7RGVLRWKJZDANCNFSM4NSUU22A>
.
|
Well, may be someone want 30 min session. So just got minimal usable. But, imho, best way is to use human readable form. Like 30m or 1h30m |
|
Hi @miksir I'm done with the refactoring. Let's keep the session behaviour as per your implementation for now: I realized, that using cookie expire time would have different behaviour: the time wouldn't be reset on user actions and would just measure time after login. If gitlab auth is still working for you, and you are fine with my changes, we can merge the PR |
|
Will check today. But i think you can register on gitlab.com and add application here https://gitlab.com/profile/applications for test |
|
Alright, I finally tested it and it seems to work :) |
Support of gitlab authentication
https://github.com/miksir/script-server/wiki/Authentication#gitlab-oauth