OAuth on GitLab

How to configure OpenSquiggly to use OAuth authentication for GitLab.

About GitLab

GitLab is one of the Git hosting systems explicitly supported by OpenSquiggly. Once you’ve installed your OpenSquiggly instance, users can connect to their repositories on GitLab and bring them into their OpenSquiggly accounts.

Public repositories can always be brought into OpenSquiggly with no additional configuration work on the part of the OpenSquiggly instance administrator.

Private repositories can also be brought into OpenSquiggly using the user’s personal access token which they’ve manually created within the GitLab system. Use of personal access tokens does not require any additional configuration work on the part of the OpenSquiggly instance administrator.

Another way of connecting to private repositories is to use OAuth authentication. This is more convenient for the user because they do not need to manually create and maintain their personal access tokens.

In order for users to use OAuth authentication, the OpenSquiggly instance administrator must follow some additional steps to enable OAuth authentication. This section covers how to configure OAuth for GitLab.

Note that in the cloud-hosted shared OpenSquiggly portal, these steps are not necessary because we’ve already performed the setup and configured the cloud portal. However, the keys we use are private and cannot be shared with the public, as that would defeat the purpose of OAuth authentication. Each private OpenSquiggly instance must be configured to use its own private keys.

Configuring GitLab for OAuth

  1. Create an account and an organization on GitLab by visiting https://gitlab.com.

  2. Since we are assuming that you are creating an OpenSquiggly self-managed instance for a company, vs. a personal instance, you’ll want to create a “group” on GitLab and associate your personal account with the company’s GitLab group.

  3. Select the GitLab group for which you wish to create the OAuth application.

    • In the user options drop-down in the upper-left of the GitLab header bar, select “Groups” and then click the link to “View all groups”.
    • In the list of groups, click on the group for which you wish to create the OAuth application.
  4. In the sidebar, click on “Settings” and then in the flyout menu, pick “Applications”.

  5. Fill in the fields in the form under “Add new application”:

    • Name - You should fill in this field with information that lets the user know what they are authorizing. It’s a good idea to include both “OpenSquiggly” and your company name, such as “OpenSquiggly at YourCompany”. This will let users know that they are authorizing the private instance within your company to access their repositories, and not some other public or private OpenSquiggly instance.
    • Redirect URL - Enter the full URL plus the suffix “/home”, for example “https://opensquiggly.yourcompany.com/home”.
      • IMPORTANT: The callback URL must EXACTLY MATCH the location where you have installed OpenSquiggly with the “/home” suffix appended.
    • Confidential - Check the “Confidential” checkbox
    • Scopes - Check the “read_repository” checkbox
    • When finished, click the “Save application” button to create the OAuth application.
  6. Take note of the “Application ID” for the newly registered application and store it in a secure location. You will need the Application ID for later steps.

  7. You will also need the value of the “Secret” which GitLab generated for the application. Note that GitLab never displays the secret on the screen. Click the “Copy” button to copy the value to your clipboard, and then store the value in a secure location. You will need the secret for later steps.

    • Note that after you exit this screen, you can no longer retrieve the secret value, so you need to store the value in your secure location before proceeding further.
  8. Open an SSH connection to the virtual machine on your cloud provider where you installed OpenSquiggly.

  9. Open the appsettings.json file with the command:

    sudo vi /opt/OpenSquiggly/bin/appsettings.json
    
  10. Add the following section to your appsettings.json file:

     "GitLabOAuthTokenProviderOptions": {
       "AppId": "[The Application ID assigned by GitLab]",
       "AppSecret": "[The secret generated by GitLab]",
       "RedirectUri": "https://[OpenSquiggly URL]/home",
       "Scope": "read_repository"
     }
    

    Example:

     "GitLabOAuthTokenProviderOptions": {
       "AppId": "XXXXXXXXXXXXXXXXXX",
       "AppSecret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
       "RedirectUri": "https://opensquiggly.yourcompany.com/home",
       "Scope": "read_repository"
     }
    
  11. Save the appsettings.json file.

  12. Restart the OpenSquiggly service with:

    sudo systemctl restart opensquiggly
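
A pre-restart check for the section added in step 10, as an added example that is not part of OpenSquiggly: it reports JSON syntax errors, leftover template placeholders, a RedirectUri that is not exactly the instance URL plus “/home”, and a settings file that other local users can access. The function names and the sample are constructed for illustration, and the check assumes appsettings.json is plain JSON without comments.

```python
import json
import os
import stat

SECTION = "GitLabOAuthTokenProviderOptions"
REQUIRED = ("AppId", "AppSecret", "RedirectUri", "Scope")

# Constructed sample with placeholder values, not real credentials.
SAMPLE = """{
  "GitLabOAuthTokenProviderOptions": {
    "AppId": "XXXXXXXXXXXXXXXXXX",
    "AppSecret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "RedirectUri": "https://opensquiggly.yourcompany.com/home",
    "Scope": "read_repository"
  }
}"""


def check_gitlab_oauth(config_text, instance_url):
    """Return a list of problems in the OAuth section; an empty list means OK."""
    try:
        settings = json.loads(config_text)
    except json.JSONDecodeError as exc:
        # For example, a missing comma between two keys lands here.
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    section = settings.get(SECTION) if isinstance(settings, dict) else None
    if not isinstance(section, dict):
        return [f"missing section {SECTION}"]
    problems = []
    for key in REQUIRED:
        value = section.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{key} is missing or empty")
        elif value.startswith("["):
            problems.append(f"{key} still holds the template placeholder")
    # The redirect URL must match exactly, so compare exactly (no normalising).
    expected = instance_url.rstrip("/") + "/home"
    if isinstance(section.get("RedirectUri"), str) and section["RedirectUri"] != expected:
        problems.append(f"RedirectUri must be exactly {expected}")
    if isinstance(section.get("Scope"), str) and section["Scope"] != "read_repository":
        problems.append("Scope differs from read_repository")
    return problems


def readable_by_others(path):
    """True if the file holding AppSecret grants any permission to 'other'."""
    return bool(os.stat(path).st_mode & stat.S_IRWXO)
```

Pass the contents of /opt/OpenSquiggly/bin/appsettings.json and your instance URL to `check_gitlab_oauth`; if `readable_by_others` returns True for that file, the secret is exposed to every local account on the machine.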
    

Videos

Part 1 : Registering an OAuth Application

Part 2 : Configuring GitLab OAuth

Part 3 : Demo of GitLab OAuth

Part 4 : Viewing and Revoking Authorizations