feat: Add support for Omniauth JWT login

Author: ysicing

README.md

@@ -47,6 +47,7 @@
         - [Microsoft Azure](#microsoft-azure)
         - [Generic OAuth2](#Generic-OAuth2)
         - [OpenID Connect](#openid-connect)
+        - [JWT](#jwt)
     - [Gitlab Pages](#gitlab-pages)
     - [External Issue Trackers](#external-issue-trackers)
     - [Host UID / GID Mapping](#host-uid--gid-mapping)
@@ -756,6 +757,27 @@ To use OIDC set at least `OAUTH_OIDC_ISSUER` and `OAUTH_OIDC_CLIENT_ID`.
 
 See [GitLab OIDC documentation](https://docs.gitlab.com/ee/administration/auth/oidc.html) and [OmniAuth OpenID Connect documentation](https://github.com/omniauth/omniauth_openid_connect/).
 
+##### JWT
+
+To enable the JWT OmniAuth provider, you must register your application with JWT. JWT provides you with a secret key for you to use.
+
+To use JWT set at least `OAUTH_JWT_SECRET` and `OAUTH_JWT_AUTH_URL`.
+
+| GitLab setting                 | environment variable                | default value                  |
+| ------------------------------ | ----------------------------------- | -------------------------------|
+| `label`                        | `OAUTH_JWT_LABEL`                   | `Jwt`                          |
+| `secret`                       | `OAUTH_JWT_SECRET`                  |                                |
+| `algorithm`                    | `OAUTH_JWT_ALGORITHM`               | `HS256`                        |
+| `uid_claim`                    | `OAUTH_JWT_UID_CLAIM`               | `email`                        |
+| `required_claims`              | `OAUTH_JWT_REQUIRED_CLAIMS`         | `["name", "email"]`            |
+| `info_map.name`                | `OAUTH_JWT_INFO_MAP_NAME`           | `name`                         |
+| `info_map.email`               | `OAUTH_JWT_INFO_MAP_EMAIL`          | `email`                        |
+| `auth_url`                     | `OAUTH_JWT_AUTH_URL`                |                                |
+| `valid_within`                 | `OAUTH_JWT_VALID_WITHIN`            | `3600`                         |
+
+
+See [OmniAuth JWT documentation](https://docs.gitlab.com/administration/auth/jwt/).
+
 #### Gitlab Pages
 
 Gitlab Pages allows a user to host static websites from a project. Gitlab pages can be enabled with setting the environment variable `GITLAB_PAGES_ENABLED` to `true`.

assets/runtime/config/gitlabhq/gitlab.yml

@@ -937,7 +937,7 @@ production: &base
                   login_url: '{{OAUTH_CAS3_LOGIN_URL}}',
                   service_validate_url: '{{OAUTH_CAS3_VALIDATE_URL}}',
                   logout_url: '{{OAUTH_CAS3_LOGOUT_URL}}'} }
-       - { name: 'authentiq',
+      - { name: 'authentiq',
           app_id: '{{OAUTH_AUTHENTIQ_CLIENT_ID}}',
           app_secret: 'OAUTH_AUTHENTIQ_CLIENT_SECRET',
           args: { scope: {{OAUTH_AUTHENTIQ_SCOPE}}, redirect_uri: '{{OAUTH_AUTHENTIQ_REDIRECT_URI}}' } }
@@ -1048,7 +1048,16 @@ production: &base
               identifier: '{{OAUTH_OIDC_CLIENT_ID}}',
               secret: '{{OAUTH_OIDC_CLIENT_SECRET}}',
               redirect_uri: '{{OAUTH_OIDC_REDIRECT_URI}}' } } }
-
+      - { name: 'jwt',
+          label: '{{OAUTH_JWT_LABEL}}',
+          args: {
+            secret: '{{OAUTH_JWT_SECRET}}',
+            algorithm: '{{OAUTH_JWT_ALGORITHM}}',
+            uid_claim: '{{OAUTH_JWT_UID_CLAIM}}',
+            required_claims: {{OAUTH_JWT_REQUIRED_CLAIMS}},
+            info_map: { name: '{{OAUTH_JWT_INFO_MAP_NAME}}', email: '{{OAUTH_JWT_INFO_MAP_EMAIL}}' },
+            auth_url: '{{OAUTH_JWT_AUTH_URL}}',
+            valid_within: {{OAUTH_JWT_VALID_WITHIN}} } }
     # SSO maximum session duration in seconds. Defaults to CAS default of 8 hours.
     # cas3:
     #   session_duration: 28800

assets/runtime/env-defaults

@@ -559,6 +559,17 @@ case $GITLAB_HTTPS in
     ;;
 esac
 
+### JWT
+OAUTH_JWT_LABEL=${OAUTH_JWT_LABEL:-'Jwt'}
+OAUTH_JWT_SECRET=${OAUTH_JWT_SECRET:-}
+OAUTH_JWT_ALGORITHM=${OAUTH_JWT_ALGORITHM:-'HS256'}
+OAUTH_JWT_UID_CLAIM=${OAUTH_JWT_UID_CLAIM:-'email'}
+OAUTH_JWT_REQUIRED_CLAIMS=${OAUTH_JWT_REQUIRED_CLAIMS:-'["name", "email"]'}
+OAUTH_JWT_INFO_MAP_NAME=${OAUTH_JWT_INFO_MAP_NAME:-'name'}
+OAUTH_JWT_INFO_MAP_EMAIL=${OAUTH_JWT_INFO_MAP_EMAIL:-'email'}
+OAUTH_JWT_AUTH_URL=${OAUTH_JWT_AUTH_URL:-}
+OAUTH_JWT_VALID_WITHIN=${OAUTH_JWT_VALID_WITHIN:-3600}
+
 ## ANALYTICS
 
 ### GOOGLE

assets/runtime/functions

@@ -821,6 +821,26 @@ gitlab_configure_oauth_oidc() {
   fi
 }
 
+gitlab_configure_oauth_jwt() {
+  if [[ -n ${OAUTH_JWT_SECRET} && \
+        -n ${OAUTH_JWT_AUTH_URL} ]]; then
+    echo "Configuring gitlab::oauth::jwt..."
+    OAUTH_ENABLED=${OAUTH_ENABLED:-true}
+    update_template ${GITLAB_CONFIG} \
+      OAUTH_JWT_LABEL \
+      OAUTH_JWT_SECRET \
+      OAUTH_JWT_ALGORITHM \
+      OAUTH_JWT_UID_CLAIM \
+      OAUTH_JWT_REQUIRED_CLAIMS \
+      OAUTH_JWT_INFO_MAP_NAME \
+      OAUTH_JWT_INFO_MAP_EMAIL \
+      OAUTH_JWT_AUTH_URL \
+      OAUTH_JWT_VALID_WITHIN
+  else
+    exec_as_git sed -i "/name: 'jwt'/,/{{OAUTH_JWT_VALID_WITHIN}}/d" ${GITLAB_CONFIG}
+  fi
+}
+
 gitlab_configure_oauth() {
   echo "Configuring gitlab::oauth..."
 
@@ -839,6 +859,7 @@ gitlab_configure_oauth() {
   gitlab_configure_oauth_azure
   gitlab_configure_oauth_azure_ad_v2
   gitlab_configure_oauth_oidc
+  gitlab_configure_oauth_jwt
 
   OAUTH_ENABLED=${OAUTH_ENABLED:-false}
   update_template ${GITLAB_CONFIG} \
@@ -852,7 +873,7 @@ gitlab_configure_oauth() {
     OAUTH_ALLOW_BYPASS_TWO_FACTOR
 
   case ${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER} in
-    cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2|azure_activedirectory_v2|oauth2_generic|$OAUTH2_GENERIC_NAME|oidc)
+    cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2|azure_activedirectory_v2|oauth2_generic|$OAUTH2_GENERIC_NAME|oidc|jwt)
       update_template ${GITLAB_CONFIG} OAUTH_AUTO_SIGN_IN_WITH_PROVIDER
       ;;
     *)