Epic: Minimum Viable Single Sign-On (SSO)

[jldec]

Closed in favour of #16862

Old description

**Summary** The goal of this epic is to allow users to sign up and log in with alternate identity providers (OIDC) which are not also git integrations. This applies to both SaaS and self-hosted Gitpod installations.

Product Doc (internal)

Task breakdown

Iteration 1 – Theme: Groundwork to support OIDC with Google

• [sso/oidc] Proto definitions for OIDC ProviderConfig in public-api #14951
• [sso/oidc] Add new iam module to host OIDC client #14953
• [public-api] implement CreateOIDCProviderConfig #15150
• [sso/oidc] Implement OIDC client in iam component #14955
  • Add basic OIDC client #15267

Iteration 2 – Theme: Integrate OIDC auth flow (❌ )

• [public-api] implement GetOIDCProviderConfig #15152
• [sso/oidc] Add /session endpoint to server #14954
  • [OIDC] Add /session endpoint to server #15472
  • [OIDC] Call /session endpoint to create a session #15512
  • [oidc] find/create User account #15631 (fixes # 14954)
• [sso/oidc] Add OIDC Clients UI #14278

Sub-epics

• Epic: SSO/OIDC Setup Flow (for Dedicated): Epic: SSO/OIDC Setup Flow (for Dedicated) #15649
• Epic: Enable Git Auth for Organizations for Dedicated #15955
• Epic: Login with SSO #16862

Out of Scope

• Additional identity providers - TBD
• Identity provider APIs e.g. SAML SSO or SCIM
• Identity provider integrations with Gitpod payment plans e.g. for teams
• Group membership APIs e.g. to sync with GitHub teams
• Gitpod-native authentication (or at least account recovery via one time password sent via e-mail)

Signal: https://github.com/gitpod-io/customers/issues/46

[andymac4182]

Would be great to see SAML (Okta) as the first provider. SCIM would be ideal but that could wait. Hopefully this will open the way for alternative methods of connecting to Git such as AWS CodeCommit which requires SSH keys or Role assumption.

[lucasvaltl]

This reminded me of a blog post I read about this exact topic. It contains some very specific ideas about how to implement SAML support along with some best practices - not sure if it helps, but wanted to send it over anyways!

[shaal]

This is essential for repositories hosted elsewhere than Github, Gitlab, or Bitbucket.
ie. Drupalpod is hosted in a self-hosted Gitlab repository at https://git.drupalcode.org/project/drupalpod

A new user gets to choose between Github, Gitlab or Bitbucket when opening the Gitpod link for this repo. Since this repo is not hosted in any of those places, this can be confusing.

[shaal]

Related discussion in drupal.org - https://www.drupal.org/project/drupalorg/issues/3238242#comment-14434396

[ubshreenath]

Upvoting this.

[charleswhchan]

Hello, is the SSO OIDC feature completed?

I would like to add OidcAuthProviders config to the installer (similar to config.go::AuthProviders) to automate the config, what's the correct behavior?
a. retrieve the config on deploy
b. write config to database on component/server start up

Note: I am happy to create a PR with guidance.

[meysholdt]

Hey @AlexTugarev, do you want to take the above questions?

hey @charleswhchan, this issue is closed, can you ask here? #16862

[charleswhchan]

Sure: #16862 (comment)