Creating my own Omniauth Provider, I'm not understanding some things correctly, I'm confused

Luís Nabais

Apr 10, 2017, 5:53:38 AM
to GitLab
Hello guys.

Before someone asks, due to some specific limitations at my job's networking, I need to try something with this complexity. I wish it could be simpler.

Basically, I have a Python script which authenticates users in our IMAP server. I need the Omniauth provider to call it to authenticate, get the return result (exit code) and allow/refuse the user login.
It doesn't get any user data, not even their emails (our emails can have multiple suffixes). Just user and password.

Right now I've done this:
- GitLab Container (using Docker, latest version, 17.04), using GitLab 9.0.4-ce.0.
- I get a button below regular login screen, to Login via Ourprovider
- I get the form with user, password and login button (I get to the request phase correctly)
- If I enter data and press Login, it goes to callback, where I have the user and password

And that's where I cannot correctly understand the issue.

I'm trying to just develop a fake temporary solution, in which I just return something like True/False, just for checking if user logged in correctly or not and allow login.
User already exists and I can login normally through the normal GitLab process.

I can't understand next phase.
Do I need to return something like True/False?
Do I need to use token for anything? If yes, how can I access it?
How do I say user can login?
How do I say to GitLab user can't login?



I "configured" this:

- Added this configuration to /etc/gitlab/gitlab.rb
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_providers'] = [
    {
      "name" => "Ourprovider",
      "secret" => "our_secret",
      "url" => "https://www.justsomeurl_still_not_used_and_dont_know_whats_it_for.com",
      "args" => { "user_admin" => "just_some_user_which_exists_for_this_not_to_be_empty" }
    }
]



- Added provider to omniauth.rb (/opt/gitlab/embedded/service/gitlab-rails/config/initializers/omniauth.rb)
module OmniAuth
  module Strategies
    autoload :Bitbucket, Rails.root.join('lib', 'omniauth', 'strategies', 'bitbucket') # already there, not needed for us
    autoload :Ourprovider, Rails.root.join('lib', 'omniauth', 'strategies', 'ourprovider') # added this line
  end
end

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :ourprovider
end


- Added script provider in /opt/gitlab/embedded/service/gitlab-rails/lib/omniauth/strategies/ourprovider.rb
module OmniAuth
  module Strategies
    class Ourprovider
      include OmniAuth::Strategy
 
      attr_reader :token
     
      option :title, "IMAP Authentication"
      option :fields, [:name, :email]
      option :uid_field, [:name, :email]
     
      def request_phase
        File.open('/tmp/omniauth', 'a') { |file| file.write("request_phase (test)\n") }
       
        OmniAuth::Form.build(
          :title => "IMAP Authentication",
          :url => callback_path
        ) do |f|
          f.text_field 'Username', 'username'
          f.password_field 'Password', 'password'
          f.button "Login"
        end.to_response
      end

      def callback_phase
        File.open('/tmp/omniauth', 'a') { |file| file.write("callback_phase\n") }
        #File.open('/tmp/omniauth', 'a') { |file| file.write("request: " + request.params.to_s + "\n") }
        #File.open('/tmp/omniauth', 'a') { |file| file.write("username: " + request['username'].to_s + "\n") }
      end

      uid do
        File.open('/tmp/omniauth', 'a') { |file| file.write("uid\n") }
      end

      info do
        File.open('/tmp/omniauth', 'a') { |file| file.write("info\n") }
        {
          :nickname => request['username'],
        }
      end
    end
  end
end


As you can see, I only have some text being written to a file in the methods. I'm trying to understand the way it works. After I understand how to allow/refuse login, I'll try to really authenticate users against our IMAP server.
I'm very confused, at this point...

Can anybody help me understand this?
Thanks a lot for all your help!
Cheers.
Best regards,
Luis Nabais
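
One way to wire the allow/refuse decision asked about above, as an added example that is not part of the original post and not GitLab's or OmniAuth's own code: a helper runs the external checker, and the strategy's callback_phase returns fail! on a refusal or calls super to let the login proceed. The ImapAuth module, the checker path, its interface (username as argument, password on stdin, exit status 0 for success) and the DEMO_CHECKER stand-in are assumptions.

```ruby
require 'open3'
require 'rbconfig'

# Hypothetical helper (not GitLab or OmniAuth code): asks an external checker and fails closed.
module ImapAuth
  # Assumed interface of the site's script: username as argv[1], password on stdin, exit 0 = accepted.
  CHECKER = ['/usr/bin/python3', '/opt/auth/imap_check.py'].freeze # placeholder path
  USERNAME_RE = /\A[a-z0-9][a-z0-9._-]{0,63}\z/i # no leading "-", no shell or option syntax

  def self.valid?(username, password, checker: CHECKER)
    return false unless username.is_a?(String) && USERNAME_RE.match?(username)
    return false unless password.is_a?(String) && !password.empty?

    # Array form runs no shell; the password travels on stdin, not in the process list.
    _out, status = Open3.capture2e(*checker, username, stdin_data: password)
    status.success?
  rescue SystemCallError
    false # checker missing or not executable: refuse the login
  end
end

# Constructed stand-in for the real script, so the helper can be exercised offline.
DEMO_CHECKER = [RbConfig.ruby, '-e',
                'exit(ARGV[0] == "alice" && STDIN.read == "s3cret" ? 0 : 1)'].freeze

# Strategy wiring, defined only where the omniauth gem is loaded (as inside GitLab).
if defined?(OmniAuth::Strategy)
  class OmniAuth::Strategies::Ourprovider
    include OmniAuth::Strategy

    def request_phase
      OmniAuth::Form.build(title: 'IMAP Authentication', url: callback_path) do |f|
        f.text_field 'Username', 'username'
        f.password_field 'Password', 'password'
      end.to_response
    end

    def callback_phase
      user, pass = request.params.values_at('username', 'password')
      return fail!(:invalid_credentials) unless ImapAuth.valid?(user, pass)

      super # default callback: builds the auth hash and passes control to the application
    end

    uid  { request.params['username'] }
    info { { nickname: request.params['username'] } }
  end
end
```

Outside Rails the helper can be tried with ImapAuth.valid?('alice', 's3cret', checker: DEMO_CHECKER).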

Aleksey Tsalolikhin

Apr 10, 2017, 7:18:29 AM
to gitl...@googlegroups.com
Hello Luis,


Good luck!  The GitLab documentation on OmniAuth examples at https://docs.gitlab.com/ce/integration/omniauth.html#examples states:

If you have successfully set up a provider that is not shipped with GitLab itself, please let us know.

You can help others by reporting successful configurations and probably share a few insights or provide warnings for common errors or pitfalls by sharing your experience in the public Wiki.

The public Wiki has been deprecated (and all content removed), but if you git clone it from  https://github.com/gitlabhq/gitlab-public-wiki.wiki.git  and then check out commit 02db843614a1642c7101c721874d89b64a63d936 you can look at Custom-omniauth-provider-configurations.md

Sounds like you're blazing a trail here. Good luck!

Best,
Aleksey

-- 
Need training on Git or GitLab?  Email trai...@verticalsysadmin.com.
