feat: Adds PKCE authentication for GitLab closes #5236 (#5239)

This commit is contained in:
Eric Krebs
2021-04-14 03:50:53 -05:00
committed by GitHub
parent 2a06244f77
commit 829409e0bc
7 changed files with 206 additions and 31 deletions

View File

@ -3,7 +3,7 @@ group: Accounts
weight: 60
title: External OAuth Clients
---
If you would like to facilitate your own OAuth authentication rather than use Netlify's service or implicit grant, you can use one of the community-maintained projects below. Feel free to hit the "Edit this page" button if you'd like to add yours!
If you would like to facilitate your own OAuth authentication rather than use Netlify's service or a client side flow like implicit or PKCE, you can use one of the community-maintained projects below. Feel free to hit the "Edit this page" button if you'd like to add yours!
| Author | Supported Git hosts | Language(s)/Platform(s) | Link |
| ------------------------------------------------------------ | --------------------------------- | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |

View File

@ -7,10 +7,11 @@ For repositories stored on GitLab, the `gitlab` backend allows CMS users to log
**Note:** GitLab default branch is protected by default, thus typically requires `maintainer` permissions in order for users to have push access.
The GitLab API allows for two types of OAuth2 flows:
The GitLab API allows for three types of OAuth2 flows:
* [Authorization Code Flow](https://docs.gitlab.com/ce/api/oauth2.html#authorization-code-flow), which works much like the GitHub OAuth flow described above.
* [Implicit Grant Flow](https://docs.gitlab.com/ce/api/oauth2.html#implicit-grant-flow), which operates *without* the need for an authentication server.
* [Authorization Code with PKCE Flow](https://docs.gitlab.com/ce/api/oauth2.html#authorization-code-with-proof-key-for-code-exchange-pkce), which operates *without* the need for an authentication server.
* (DEPRECATED [Implicit Grant Flow](https://docs.gitlab.com/ce/api/oauth2.html#implicit-grant-flow), which operates *without* the need for an authentication server.
## Authorization Code Flow with Netlify
@ -28,7 +29,36 @@ backend:
repo: owner-name/repo-name # Path to your GitLab repository
```
## Client-Side Implicit Grant (GitLab)
## Client-Side PKCE Authorization
With GitLab's PKCE authorization, users can authenticate with GitLab directly from the client. To do this:
1. Follow the [GitLab docs](https://docs.gitlab.com/ee/integration/oauth_provider.html#adding-an-application-through-the-profile) to add your Netlify CMS instance as an OAuth application and uncheck the **Confidential** checkbox. For the **Redirect URI**, enter the address where you access Netlify CMS, for example, `https://www.mysite.com/admin/`. For scope, select `api`.
2. GitLab gives you an **Application ID**. Copy this ID and enter it in your Netlify CMS `config.yml` file, along with the following settings:
```yaml
backend:
name: gitlab
repo: owner-name/repo-name # Path to your GitLab repository
auth_type: pkce # Required for pkce
app_id: your-app-id # Application ID from your GitLab settings
```
You can also use PKCE Authorization with a self-hosted GitLab instance. This requires adding `api_root`, `base_url`, and `auth_endpoint` fields:
```yaml
backend:
name: gitlab
repo: owner-name/repo-name # Path to your GitLab repository
auth_type: pkce # Required for pkce
app_id: your-app-id # Application ID from your GitLab settings
api_root: https://my-hosted-gitlab-instance.com/api/v4
base_url: https://my-hosted-gitlab-instance.com
auth_endpoint: oauth/authorize
```
## (DEPRECATED) Client-Side Implicit Grant
**Note:** This method is not recommended and will be deprecated both [by GitLab](https://gitlab.com/gitlab-org/gitlab/-/issues/288516) and [in the OAuth 2.1 specification](https://oauth.net/2.1/) in the future.
@ -58,4 +88,4 @@ With GitLab's Implicit Grant, users can authenticate with GitLab directly from t
auth_endpoint: oauth/authorize
```
**Note:** In both cases, GitLab also provides you with a client secret. You should *never* store this in your repo or reveal it in the client.
**Note:** In all cases, GitLab also provides you with a client secret. You should *never* store this in your repo or reveal it in the client.