GitLab.com auth module and OAuth support

Hi, I'm trying to get some clarity on using GitLab.com (rather than a private instance).

I initially just dived in and set up the project as normal, picking GitLab in there, and setting up a personal access token. That all worked fine in terms of getting the repo code etc.

However, I then saw warnings about setting up the GitLab auth module (and how that should be done before synchronising) which I'd totally missed. That settings page led me to https://www.jetbrains.com/help/upsource/2017.3/synchronizing-a-gitlab-project.html

That in turn links to https://www.jetbrains.com/help/hub/OAuth2-Authentication-Module.html

However, when I go in there and read the GitLab section, it says to 'Log in to your GitLab instance, and access the Applications administrative section.'

But, I'm using GitLab.com (which I read that you do support), so I don't have a GitLab admin section with Applications in. The only place I've found Applications is in my personal settings, but presumably if I do it there, it'll only work for me personally, rather than my team?

How do I set up the auth module to be able to support a group on GitLab.com? Or do I not actually need it, as it worked with just my password? I am assuming it's needed to support posting comments as the individuals in our team, but I'm not sure.

Hopefully you can make sense of this for me!

Thanks a lot

8 comments

Hi Iain,

It's OK to use an application under user settings. Here is a note from the Upsource admin page, which describes how it is going to work:

https://gitlab.com/profile/personal_access_tokens 

Anonymous access to the GitLab API is forbidden. Please provide an OAuth 2.0 token (recommended) or a personal access token, which we'll use to read data from GitLab. Write requests will be performed on behalf of each individual Upsource user.

Thus, your account will be used only to read data; all write actions will be authored by the corresponding Upsource users.
0

Hi Artem, sorry for the delay in replying. Does every GitLab user that will access Upsource need to go through those steps to add a personal application and get an OAuth 2.0 token before posting?

I'm still a little unclear what the GitLab auth module is for. Is it only for people to be able to post comments back? It's not allowing people to log in with their GitLab credentials, is it?

Thanks, Iain

0

Hello Iain,

Sorry for the delay from my side.

The GitLab auth module should be configured only once. It allows users both to post comments and to log in to Upsource.

0

Hi, thanks. So to clarify, in a GitLab.com environment (rather than self-hosted), I can add the application once in my personal user settings, and it will allow other GitLab users to log into our Upsource environment and to be able to post comments?

If that's the case, surely that means that any GitLab user can successfully log into our Upsource rather than just our team, which is not what I'd want or expect to see? How do I control only allowing specific permitted users to authenticate?

And if users log in using their existing logins (which ultimately go against our LDAP) and they post comments on a MR pulled in from GitLab, how will their comments appear on the GitLab MR?

Some stronger documentation on this auth module would be really useful, as I still feel unclear on exactly what's happening with it and how it's intended to be used.

0

Hi,

That's correct: once you add the application to your personal user settings, other GitLab users will be able to log into your Upsource. It could sound a bit confusing, but the logic is quite simple - GitLab should know which applications to trust. The personal Applications section is enough for that.

If you have user creation enabled in the GitLab auth module, any GitLab user will be able to log into your Upsource and an Upsource user account will be created for him. Such users, though, wouldn't have any permissions. You could also disable this option and handle user creation manually.

0

Thanks. If I disable automatic account creation, how do I create a user manually that will link with a GitLab user when they log in, so they get the correct project access on first login?

0

It should work via the email address that is specified in their GitLab accounts.

0
