Restrict the auth token scope and enforce group membership
Apertis is in the process of opening GitLab registration to the public: the assumption that all the GitLab users can be trusted is thus no longer valid.
Let administrators configure a set of groups: if the user logging in is a member of any of those, let the login complete, otherwise fail and ignore the attempt.
Also switch to the openid scope and call the dedicated OAuth2 userinfo endpoint rather than requiring the broad scope needed to call the regular GitLab API to get their username, see https://docs.gitlab.com/ee/integration/openid_connect_provider.html
Edited by Emanuele Aina
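A sketch of the membership check described above, as an added example and not the project's own code. It assumes the userinfo response has been decoded into a dict with the `nickname` and `groups` claims that GitLab's OpenID Connect provider documents, and it fails closed whenever the claims are missing or the allow-list is empty.

```python
from typing import Iterable, Optional

# Constructed sample of a GitLab OIDC userinfo response (openid scope).
SAMPLE_USERINFO = {
    "sub": "42",
    "nickname": "jdoe",
    "groups": ["apertis", "apertis/infrastructure", "personal-sandbox"],
}


def authorized_username(userinfo: dict, allowed_groups: Iterable[str]) -> Optional[str]:
    """Return the username to log in as, or None if the login must be refused.

    The caller configures allowed_groups (full GitLab group paths). A user is
    accepted only if at least one group in the userinfo `groups` claim matches
    one of them exactly. Anything unexpected (no groups claim, no username,
    empty allow-list) is treated as a refusal so the check never fails open.
    """
    allowed = {g.strip() for g in allowed_groups if g and g.strip()}
    if not allowed:
        return None  # nothing configured: refuse rather than admit everyone
    username = userinfo.get("nickname")
    groups = userinfo.get("groups")
    if not isinstance(username, str) or not username:
        return None
    if not isinstance(groups, list):
        return None  # claim absent or malformed: refuse
    if any(isinstance(g, str) and g in allowed for g in groups):
        return username
    return None


if __name__ == "__main__":
    print(authorized_username(SAMPLE_USERINFO, ["apertis"]))  # jdoe
    print(authorized_username(SAMPLE_USERINFO, ["other-org"]))  # None
```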