Update GitLab IDP to support OIDC

[enj]

Update GitLab IDP to support OIDC

This change updates the GitLab IDP integration to support OpenID
Connect (while retaining support for OAuth2). This has the benefit
of using a standard that was meant for authentication. In a future
release this will allow us to remove the GitLab specific code from
our integration. The GitLab OIDC provider reuses the standard OIDC
code with a GitLab specific configuration. This change is fully
backwards compatible as the identity/user objects are unchanged.

It is not possible to detect if OIDC or OAuth2 should be used when
GitLab is configured. Thus the configuration of the IDP has a new
field called legacy which determines if OAuth2 or OIDC should be
used. If true, OAuth2 is used and if false, OIDC is used. If the
value is unspecified and the URL's host is gitlab.com, OIDC is used.
Otherwise, OAuth2 is used. In a future release, unspecified will
default to using OIDC. Eventually this flag will be removed and
only OIDC will be used. To safely use OIDC, a very recent version
of GitLab is required: version 11.1.0 or later. Attempting to use
OIDC with an earlier version will fail at login time. No data
corruption will occur.

From the perspective of the end user, nothing changes. A positive
side effect of using OIDC is that it allows us to use the openid
scope instead of the api scope. This means that OpenShift only gets
limited read access to perform authentication instead of full read
and write access to the user's GitLab account. The user may have to
reauthenticate OpenShift's OAuth client on first login.

In the future OIDC will make it easy to pull group membership
information from GitLab (the userinfo endpoint already include a
groups claim, we simply need to add code in OpenShift that uses it).

Trello: https://trello.com/c/DXntmEOV

Signed-off-by: Monis Khan [email protected]

Fixes #19937
Fixes #17954

Supersedes #19961

/assign @simo5 @liggitt
@openshift/sig-security

[enj]

/hold

• Needs to wait until at least 3.11
• Update commit strings to match new GitLab OIDC docs
• Need https://gitlab.com/gitlab-org/gitlab-ce/issues/47791#note_81269161 to be fixed, see https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/19784 (update PR/commit with version of GitLab required)
• Update git commit message to reference legacy field (code no longer only does OIDC)
• Mo needs to test this against gitlab.com (hopefully it will be at 11.1.0+ soon)
• Need to decide deprecation policy around old versions of GitLab and work with @kalexand-rh to document
• Document new legacy field @kalexand-rh

[enj]

cc @alikhajeh1

[enj]

Need to update this string to match new docs once https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/19784/diffs merges.

[simo5]

I'd really like to retain a way to use the old cose, should an upgrade break with the openid code

[enj]

@simo5 so I was unable to make any sort of OIDC to OAuth2 fallback work (the OAuth scopes are different so it would require some crazy hack to try to make that work and I am pretty sure it is not possible in general). See what you think of the current approach of legacy *bool (could be changed to apiVersion string with the same semantics via v3, oidc and "").

Currently the OAuth2 code works and the OIDC codes errors (as expected):

E0628 12:12:10.415558    3629 errorpage.go:26] AuthenticationError: incompatible gitlab IDP, ID claim is SHA256 hex digest instead of digit, claims=map[sub:HASH aud:HASH exp:1.53020245e+09 iat:1.53020233e+09 auth_time:1.529809434e+09 iss:https://gitlab.com]

[simo5]

Only a nit, but I'll leave to you whether to change it or not
/lgtm

[simo5]

is there a good reason to prepend all these module variables with "gitlab" ?

[enj]

Matches the existing code and the other provider integrations.

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: enj, simo5

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/cmd/OWNERS [enj]
• pkg/oauthserver/OWNERS [enj,simo5]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

New changes are detected. LGTM label has been removed.

[enj]

Changes were just me updating the git commit message. Retagged. Confirmed API with Jordan offline. I will remove the hold on this once gitlab.com is upgraded to v11.1.0 which should happen within the next week.

[enj]

/retest

[enj]

/retest

[enj]

/hold cancel

OIDC code works with gitlab.com now!

[enj]

/retest

[enj]

/retest

[enj]

/retest

[enj]

/retest

[openshift-ci-robot]

@enj: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/prow/gcp	58757d9	link	/test gcp

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.