From 93d4234efa43dea4165a8b0b87c51eb7d6131f28 Mon Sep 17 00:00:00 2001
From: Joe Marty <jmarty@iexposure.com>
Date: Tue, 7 Feb 2017 14:43:08 -0600
Subject: [PATCH] Add omniauth-oauth2-generic strategy

- Allows configurable Single Sign On with most simple OAuth2 providers
- Adds documentation for the new strategy

Closes #26744
---
 Gemfile                           |  1 +
 Gemfile.lock                      |  3 ++
 doc/integration/oauth2_generic.md | 60 +++++++++++++++++++++++++++++++
 doc/integration/omniauth.md       |  1 +
 4 files changed, 65 insertions(+)
 create mode 100644 doc/integration/oauth2_generic.md

diff --git a/Gemfile b/Gemfile
index 79433b12823a..0060f1225121 100644
--- a/Gemfile
+++ b/Gemfile
@@ -29,6 +29,7 @@ gem 'omniauth-github',        '~> 1.1.1'
 gem 'omniauth-gitlab',        '~> 1.0.2'
 gem 'omniauth-google-oauth2', '~> 0.4.1'
 gem 'omniauth-kerberos',      '~> 0.3.0', group: :kerberos
+gem 'omniauth-oauth2-generic', '~> 0.2.2'
 gem 'omniauth-saml',          '~> 1.7.0'
 gem 'omniauth-shibboleth',    '~> 1.2.0'
 gem 'omniauth-twitter',       '~> 1.2.0'
diff --git a/Gemfile.lock b/Gemfile.lock
index 235426afa49c..a3c2fad41ba3 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -483,6 +483,8 @@ GEM
     omniauth-oauth2 (1.3.1)
       oauth2 (~> 1.0)
       omniauth (~> 1.2)
+    omniauth-oauth2-generic (0.2.2)
+      omniauth-oauth2 (~> 1.0)
     omniauth-saml (1.7.0)
       omniauth (~> 1.3)
       ruby-saml (~> 1.4)
@@ -931,6 +933,7 @@ DEPENDENCIES
   omniauth-gitlab (~> 1.0.2)
   omniauth-google-oauth2 (~> 0.4.1)
   omniauth-kerberos (~> 0.3.0)
+  omniauth-oauth2-generic (~> 0.2.2)
   omniauth-saml (~> 1.7.0)
   omniauth-shibboleth (~> 1.2.0)
   omniauth-twitter (~> 1.2.0)
diff --git a/doc/integration/oauth2_generic.md b/doc/integration/oauth2_generic.md
new file mode 100644
index 000000000000..3953df18d853
--- /dev/null
+++ b/doc/integration/oauth2_generic.md
@@ -0,0 +1,60 @@
+# Sign into Gitlab with (almost) any OAuth2 provider
+
+The `omniauth-oauth2-generic` gem allows Single Sign On between Gitlab and your own OAuth2 provider (or any simple OAuth2 provider compatible with this gem) 
+
+This strategy is designed to allow configuration of the simple OmniAuth SSO process outlined below:
+
+1. Strategy directs client to your authorization URL (**configurable**), with specified ID and key
+1. OAuth provider handles authentication of request, user, and (optionally) authorization to access user's profile
+1. OAuth provider directs client back to Gitlab where Strategy handles retrieval of access token
+1. Strategy requests user information from a **configurable** "user profile" URL (using the access token)
+1. Strategy parses user information from the response, using a **configurable** format
+1. Gitlab finds or creates the returned user and logs them in
+
+**Limitations of this Strategy:**
+
+- It can only be used for Single Sign on, and will not provide any other access granted by any OAuth provider (such as importing projects or users, etc).
+- It only supports the Authorization Grant flow (most common for client-server applications, like Gitlab)
+- It is not able to fetch user information from more than one URL
+- It has not been tested with user information formats other than JSON
+
+### Config Instructions
+1. To enable the OAuth2 generic strategy you must register your application in the OAuth2 provider you wish to authenticate with. 
+   That provider should generate an ID and secret key for you to use with this strategy.
+
+   The redirect URI you provide when registering the application should be:
+
+    ```
+    http://your-gitlab.host.com/users/auth/oauth2_generic/callback
+    ```
+
+1.  You should now be able to get a Client ID and Client Secret.  Where this shows up will differ for each provider.
+    This may also be called Application ID and Secret.
+
+1.  On your GitLab server, open the configuration file.
+
+    For omnibus package:
+
+    ```sh
+      sudo editor /etc/gitlab/gitlab.rb
+    ```
+
+    For installations from source:
+
+    ```sh
+      cd /home/git/gitlab
+
+      sudo -u git -H editor config/gitlab.yml
+    ```
+
+1.  See [Initial OmniAuth Configuration](omniauth.md#initial-omniauth-configuration) for initial settings.
+
+1.  Add the provider-specific configuration for your provider, as [described in the gem's README](https://gitlab.com/satorix/omniauth-oauth2-generic#gitlab-config-example)
+
+1.  Save the configuration file.
+
+1.  Restart GitLab for the changes to take effect.
+
+On the sign in page there should now be a new button below the regular sign in form. 
+Click the button to begin your provider's authentication process. This will direct the browser to your OAuth2 Provider's authentication page.
+If everything goes well the user will be returned to your GitLab instance and will be signed in.
diff --git a/doc/integration/omniauth.md b/doc/integration/omniauth.md
index 98a680d0dbe7..47e20d7566a5 100644
--- a/doc/integration/omniauth.md
+++ b/doc/integration/omniauth.md
@@ -31,6 +31,7 @@ contains some settings that are common for all providers.
 - [Azure](azure.md)
 - [Auth0](auth0.md)
 - [Authentiq](../administration/auth/authentiq.md)
+- [OAuth2Generic](oauth2_generic.md)
 
 ## Initial OmniAuth Configuration
 
-- 
GitLab