vouch / vouch-proxy

an SSO and OAuth / OIDC login solution for Nginx using the auth_request module


Authorizing GitLab users based on group membership

cbjartli opened this issue · comments

The Github provider makes it possible to authorize users based on their group membership through the teamWhitelist, in addition to explicit whitelisting or allowAllUsers. As an organization that uses GitLab, we are looking for the same feature for GitLab, currently only supported as a general OIDC provider.

As far as I can see, that is not possible at this point? Is that correct? If not, we would be interested in providing a GitLab provider which also makes it possible to use the teamWhitelist, as long as that contribution would be welcomed.

I have actually implemented the above at https://github.com/cbjartli/vouch-proxy/tree/add-gitlab-provider. If this could be made acceptable as a contribution to the project, I'd be happy to submit a pull request.

@cbjartli that's fantastic to hear. Definitely an area of VP that can use some love. PR is certainly welcome.

FYI - I won't be in a position to look at this closely until the new year.

@bnfinet Great, I took the liberty of opening a PR at #515.

@cbjartli @ritmanda I'm guessing PR #523 is related to PR #515, is that right?

is #523 still work in progress?

thanks again for contributing to VP

PR 523 is to extend team whitelist functionality for OIDC providers. An additional field 'Teamwhitelistclaim' is added in the vouch config. This will contain the claim key that will be used for team whitelisting. Claim values for this key are checked against the values provided in the 'teamwhitelist'.
We have finished working on PR 523.
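The claim-against-whitelist check the comment above describes, sketched in Go as an added example; this is not vouch-proxy's code nor the contents of PR #523. Function names are hypothetical, the claims payload is constructed, and it assumes GitLab delivers group membership as a JSON array claim named `groups` (the comment's 'Teamwhitelistclaim' value), checked against the 'teamwhitelist' entries.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// TeamAllowed reports whether any value of the claim named by claimKey (the
// comment's "Teamwhitelistclaim") matches an entry of whitelist (its
// "teamwhitelist"). The claim may be a single string or a JSON array of
// strings; a missing claim key, an empty whitelist or a non-string value
// fails closed.
func TeamAllowed(claimKey string, whitelist []string, claims map[string]interface{}) bool {
	allowed := make(map[string]bool, len(whitelist))
	for _, t := range whitelist {
		allowed[t] = true
	}
	var values []interface{}
	switch v := claims[claimKey].(type) {
	case string:
		values = []interface{}{v}
	case []interface{}:
		values = v
	}
	for _, v := range values {
		if s, ok := v.(string); ok && allowed[s] {
			return true
		}
	}
	return false
}

// AuthorizeIDToken decodes a JSON claims payload (the ID token body after
// signature verification, which is out of scope here) and applies the check.
func AuthorizeIDToken(claimKey string, whitelist []string, payload []byte) (bool, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return false, err
	}
	return TeamAllowed(claimKey, whitelist, claims), nil
}

// SampleClaims is a constructed ID-token payload, not a real token; GitLab's
// group membership is assumed to arrive as a JSON array claim named "groups".
const SampleClaims = `{"sub":"42","groups":["acme/docs","acme/platform"]}`

func main() {
	ok, err := AuthorizeIDToken("groups", []string{"acme/platform"}, []byte(SampleClaims))
	fmt.Println(ok, err) // true <nil>
}
```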

@ritmanda I'm going to close both #523 and #515 for now. Perhaps we'll re-open one of those. But before you write any more code or I review any more code I'd hope you'd be willing to propose a design and implementation here in this ticket. I hope that's okay.

could you please familiarize yourself with...

  • README regarding submitting a PR
  • comments in cfg.go regarding adding new configuration items
  • config/config.yml_example
  • .defaults.yml

Generally, I'm more interested in a PR that is specific to gitlab and does not require additional configuration items to be added.

Thanks again for the contribution to VP.

@ritmanda my apologies, I was under the mistaken impression that you worked with @cbjartli

Sorry for the misunderstanding