      epic #14432 Tuleap OAuth2 Provider
    Summary
    Tuleap OAuth2 Provider

    Overview

    OAuth2 is the permission delegation protocol that is ubiquitous in the web world. Tuleap already interacts with OAuth2 at the moment, but only as a consumer, through the "OpenID Connect Client" plugin.

    The goal of this epic is to do the reverse: Tuleap would become an OAuth2 provider and, on top of that, an OpenID Connect provider, so that it can delegate user identification in addition to permission delegation.

    To better understand OAuth2 and OpenID Connect you can have a look at this Illustrated Guide to OAuth and OpenID Connect.

    Way of working

    The current integration of OAuth2 is proposed to be at project level (managed by project administrators). They will be able to create new "OAuth Apps", that is to say a new delegated authorisation for a given 3rd party app (e.g. Jenkins) with a given set of scopes (permissions).

    In a future version of the feature, we could extend that to User or Site level.

    As a project admin

    • In project administration, there is a new tab "OAuth Apps"
    • I can see all apps already set up and I can create a new one
    • When I create a new one, I should provide the standard OAuth2 info (callback URLs) + required scopes
    • At creation the client secret is displayed only once and will never appear again (like API tokens)
    • An OAuth App can be deleted too
      • Upon deletion there is a confirmation modal to warn the admin that people using this integration will no longer be able to use it.

    Once the client ID & secret are generated by Tuleap, the project admin can configure any OAuth2 compatible app.

    As an end-user of the 3rd party app

    • When I go to the 3rd party app, at first connection, I will be redirected to Tuleap to grant authorization
      • Note: if I'm not already logged in, Tuleap authenticates me first (the regular auth scheme applies)
    • Tuleap shows me a screen with the list of permissions requested by the 3rd party app and I can approve or deny
    • Whether I approve or deny, I'm redirected back to the 3rd party app and the end of the flow is managed by it.

    As an end-user, on Tuleap

    • When I go to my user settings, I have the list of the OAuth2 grants I have already given (with their scopes) and I can revoke them at any time.

    Everything else is managed behind the scenes by the implementation of the OAuth2 protocol + the OpenID Connect layer for auth.
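    The two stories above (the project admin creating an OAuth App, then the end-user granting, using and revoking access) as a runnable model. This is an added example, not Tuleap code, and it is in Python rather than PHP; the AuthorizationServer class, the Jenkins callback URL, the scope names and the users are all hypothetical. It makes explicit the checks the stories leave implicit: the client secret is hashed at creation (so it really can only be displayed once), the redirect URI is matched exactly against the registered callbacks and an unregistered one is never redirected to, the authorization code is single-use, short-lived and bound to the client and redirect URI it was issued for, a denial comes back as an error on the callback, and revoking a grant from the settings page kills the tokens issued under it.

```python
import hashlib
import hmac
import secrets
import time
from collections import namedtuple
from urllib.parse import parse_qs, urlencode, urlparse

# A registered "OAuth App": exact-match callbacks, the maximal scope set, only a hash of the secret.
OAuthApp = namedtuple("OAuthApp", "redirect_uris scopes secret_hash")


class AuthorizationServer:  # hypothetical stand-in for the Tuleap side
    CODE_TTL = 60  # seconds an authorization code stays redeemable

    def __init__(self):
        self.apps = {}    # client_id -> OAuthApp
        self.codes = {}   # code -> (client_id, redirect_uri, user, scopes, expiry)
        self.grants = {}  # (user, client_id) -> {"scopes": frozenset, "tokens": set}
        self.tokens = {}  # access token -> (user, scopes)

    @staticmethod
    def _hash(secret):
        return hashlib.sha256(secret.encode()).digest()

    def register_app(self, redirect_uris, scopes):
        """Project admin creates an OAuth App; the secret is returned once and never stored."""
        client_id, client_secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.apps[client_id] = OAuthApp(tuple(redirect_uris), frozenset(scopes), self._hash(client_secret))
        return client_id, client_secret

    def authorize(self, client_id, redirect_uri, scopes, state, user, approved):
        """Consent screen outcome: the URL the browser is sent back to."""
        app = self.apps.get(client_id)
        if app is None or redirect_uri not in app.redirect_uris:
            # Never redirect to an unregistered URI: that would turn the server into an open redirector.
            raise ValueError("unknown client or unregistered redirect_uri")
        if not frozenset(scopes) <= app.scopes:
            return redirect_uri + "?" + urlencode({"error": "invalid_scope", "state": state})
        if not approved:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, user, frozenset(scopes), time.time() + self.CODE_TTL)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back-channel exchange of a code for an access token; None means the request is refused."""
        app = self.apps.get(client_id)
        if app is None or not hmac.compare_digest(self._hash(client_secret), app.secret_hash):
            return None  # invalid_client; the code is left untouched
        entry = self.codes.pop(code, None)  # single use: a replayed code is already gone
        if entry is None:
            return None  # invalid_grant
        code_client, code_uri, user, scopes, expiry = entry
        if code_client != client_id or code_uri != redirect_uri or time.time() > expiry:
            return None  # invalid_grant: bound to another client or URI, or expired
        grant = self.grants.setdefault((user, client_id), {"scopes": frozenset(), "tokens": set()})
        grant["scopes"] = grant["scopes"] | scopes
        token = secrets.token_urlsafe(32)
        grant["tokens"].add(token)
        self.tokens[token] = (user, scopes)
        return token

    def introspect(self, token):  # what a resource endpoint checks: (user, scopes) or None
        return self.tokens.get(token)

    def user_grants(self, user):  # what the user settings page lists
        return [(c, sorted(g["scopes"])) for (u, c), g in self.grants.items() if u == user]

    def revoke(self, user, client_id):
        grant = self.grants.pop((user, client_id), None)
        if grant is None:
            return False
        for t in grant["tokens"]:
            self.tokens.pop(t, None)  # tokens issued under the grant stop working immediately
        return True


def parse_redirect(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def run_flow():
    """Constructed walk-through of the stories above; returns the observable outcomes."""
    srv, cb = AuthorizationServer(), "https://jenkins.example/securityRealm/finishLogin"
    cid, secret = srv.register_app([cb], ["read:project", "write:git"])
    ok = parse_redirect(srv.authorize(cid, cb, ["read:project"], "st1", "alice", True))
    out = {"state_echoed": ok["state"] == "st1"}
    out["wrong_secret_refused"] = srv.token(cid, "not-the-secret", ok["code"], cb) is None
    tok = srv.token(cid, secret, ok["code"], cb)
    out["token_valid"] = srv.introspect(tok) == ("alice", frozenset({"read:project"}))
    out["replay_refused"] = srv.token(cid, secret, ok["code"], cb) is None
    denied = parse_redirect(srv.authorize(cid, cb, ["read:project"], "st2", "alice", False))
    out["deny_is_error"] = denied == {"error": "access_denied", "state": "st2"}
    try:
        srv.authorize(cid, "https://evil.example/cb", ["read:project"], "st3", "alice", True)
        out["unregistered_uri_blocked"] = False
    except ValueError:
        out["unregistered_uri_blocked"] = True
    out["grant_listed"] = srv.user_grants("alice") == [(cid, ["read:project"])]
    out["revoked"] = srv.revoke("alice", cid) and srv.introspect(tok) is None
    return out
```

    Two things the model leaves to the real implementation: the state value is generated and checked by the 3rd party app (the provider only echoes it), and a production provider should also require PKCE (RFC 7636) on the authorization code. The redirect helper also assumes the registered callback carries no query string of its own. The OpenID Connect layer would add an id_token to the token response; that part is not modeled.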

    Nouha Terzi (terzino)
    Progress
    Closed
    Details
    #14432
    Manuel Vacelet (vaceletm)
    2020-09-24 16:17
    2020-01-23 10:39
    Attachments
    References

    Follow-ups

    Thomas Gerbet (tgerbet) 2020-04-23 10:37
    Hello,

    There are no specific limitations, but it needs a contribution to https://gerrit-review.googlesource.com/admin/repos/plugins%2Foauth to add support for Tuleap, and the migration of repositories from Tuleap to Gerrit with the set of permissions will not work. At least not in an expected way, since it needs to share the same user information through an LDAP directory.

    Tuleap implements the OIDC specification so any relying party supporting it can use it.
    Nouha Terzi (terzino) 2020-04-23 10:25
    Hello team,

    Do you think we can give it a try with Gerrit? Do you see any constraints?

    regards,
    Nouha