•  
      epic #14432 Tuleap OAuth2 Provider
    Summary
    Tuleap OAuth2 Provider
    Empty

    Overview

    OAuth2 is the permission delegation protocol ubiquitous in the web world. Tuleap already interact with OAuth2 ATM but only as a consumer with the "OpenID Connect Client" plugin.

    The goal of this epic is to make the reverse operation: Tuleap would become OAuth2 provider and, in on top of that, OpenID Connect provider to manage delegation of user identification in addition of permission delegation.

    To better understand OAuth2 and OpenID Connect you can have a look at this Illustrated Guide to OAuth and OpenID Connect

    Way of working

    The current integration of OAuth2 is proposed to be at project level (by project administrators). They will be able to create new "OAuth Apps", that is to say a new delegation authorisation for given 3rd party app (eg. Jenkins) with a given set of scopes (permissions).

    In a future version of the feature, we could extend that at User or Site level.

    As a project admin

    • In project administration, there is a new tab "OAuth Apps"
    • I can see all apps already setup and I can create a new one
    • When I create a new one, I should provide the standard OAuth2 info (callbacks) + required scopes
    • At creation the client secret is displayed only once and will never appear again (like API tokens)
    • An OAuth App can be deleted too
      • Upon deletion there is a confirmation modale to warn admin that people using this integration will no longer be able to do it.

    Once the cliente ID & secret generated by Tuleap, the project admin can configure any OAuth2 compatible app.

    As a end-user of the 3rd party app

    • When I go on the 3rd party app, at first connexion, I will be redirected on Tuleap to grant authorization
      • Note: if I'm not already logged in, Tuleap authenticate me first (regular auth scheme applies)
    • Tuleap shows me a screen with the list of permissions requested by the 3rd party app and I can approve or deny
    • Whether I approve or deny, I'm redirected toward the 3rd party app and the end of the flow is managed by it.

    As a end-user, on Tuleap

    • When I go in my user settings, I have the list of the OAuth2 grants I already given (with their scopes) and I can revoke them at anytime.

    Everything else is managed behind the scene by the implementation of OAuth2 protocol + OpenID Connect layer for auth.

    Progress
    Empty
    Empty
    Closed
    Details
    #14432
    Manuel Vacelet (vaceletm)
    2020-09-24 16:17
    2020-01-23 10:39
    Attachments
    Empty
    References

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2020-04-23 10:37
    Hello,

    There is no specific limitations but it needs a contribution to https://gerrit-review.googlesource.com/admin/repos/plugins%2Foauth to add support for Tuleap and the migration of repositories from Tuleap to Gerrit with the set of permissions will not work. At least not in an expected way since it needs to share the same user information through an LDAP directory.

    Tuleap implements the OIDC specification so any relying party supporting it can use it.
    User avatar
    Nouha Terzi (terzino)2020-04-23 10:25
    Hello team,

    do you think we can give a try with gerrit ? do you see any constraints?

    regards,
    Nouha
    User avatar
    • Description
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    • Description
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes
    User avatar
    • Description
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes