Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Document GitLab's required scope if using allowed_gitlab_groups or not

See original GitHub issue

GitLabOAuthenticator is making some checks against GitLab’s REST API following a user has authenticated, in order to decide if the user is authorized. These requests against the GitLab REST API that follows authentication, are made with the access token that resulted from the authentication process.

This access token can get various degrees of permissions, which is influenced by the requested scopes, and will be seen by the user during the authentication phase. This issue is about these scopes, and that we need to request too powerful permissions through them, just because we maybe want to authorize the user because it belongs to a specific group in gitlab with certain status in this group.

Here are some of the scopes with GitLab specific meaning we can make use of.

AH! I notice now that we can make use of read_api instead of api which is just the way too powerful option! It would be great to reduce it even further to something like read_groups or similarly, but this is far much better than write. Okay!

Action points to close issue

Update documentation to clarify what scope is needed if we are using and if we are not using the allowed_gitlab_groups configuration, it will be different because only if we configure that do we end up needing to make certain REST API requests to GitLab (as seen here).

Issue Analytics

State:
Created 3 years ago
Comments:12 (6 by maintainers)

Top GitHub Comments

1reaction

CJCShadowsancommented, Oct 13, 2020

I’ve found it.

This:

auth:
  type: gitlab
  gitlab:
    clientId: "MySuperSecretClientID"
    clientSecret: "MySuperSecretClientSecret"
    callbackUrl: "https://myhubserver/hub/oauth_callback"
    gitlabHost: "https://gitlabserver/"
    gitlabApiUrl: "https://gitlabserver/api/v4/"
    scopes:
      - "read_api"
      - "read_user"
      - "openid"
      - "profile"
      - "email"

Should be THIS:

auth:
  type: gitlab
  gitlab:
    clientId: "MySuperSecretClientID"
    clientSecret: "MySuperSecretClientSecret"
    callbackUrl: "https://myhubserver/hub/oauth_callback"
    gitlabHost: "https://gitlabserver/"
    gitlabApiUrl: "https://gitlabserver/api/v4/"
  scopes:
    - "read_api"
    - "read_user"
    - "openid"
    - "profile"
    - "email"

Indentation means you don’t set it inside the auth type definition, you set it globally 🤦‍♂️

Not sure if this is documented specifically this way. I’ll double-check.

1reaction

CJCShadowsancommented, Oct 13, 2020

@CJCShadowsan I don’t aim to specifically help you atm, but to resolve this issue, but there can be overlap. With regards to solving this issue and finding out about sensible configuration, I’d like to ensure you are using the latest version of the oauthenticator, which means you should use the latest development version of the z2jh Helm chart. If you are using 0.9.0 or 0.9.1, please upgrade to the absolute latest version (0.9.0-n355.h9ca120bb) and post your entire auth section config from your config.yaml which you redact where needed for security.

Also, declare your GitLab’s version.

No problem, I was merely trying to keep it on-topic of gitlab, scope and documentation because if this is how it should work via Helm… Right now i’ve not seen it working yet so wanted to make sure the docs are right 😃

Let me double-check everything and get back to you!

Top Results From Across the Web

Permissions and roles - GitLab Docs

Action Guest Reporter Developer Maintainer Owner Analytics: View issue analytics ✓ ✓ ✓ ✓ ✓ Analytics: View merge request analytics ✓ ✓ ✓ ✓ ✓ Analytics:...

I am unable to create a gitlab integration with the ...

I have created a OAuth application in my running Gitlab instance and i ... to members of specific projects or groups: # allowedGitlabGroups: ......

Integrate a new GitLab source | GitGuardian documentation

Group hooks require the user to have Owner permissions on the GitLab groups to be monitored. Group hooks do not support the monitoring...

GitLab integration - Snyk User Docs

This article describes the permissions needed for direct integration (when Broker is not implemented). To integrate with GitLab, as a Snyk ...

Travis CI's use of GitLab API

Travis CI's use of GitLab API ... We use scoped OAuth tokens to integrate with GitLab. ... The additional repository scope is not...