Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Architecture at GitLab / 17 Aug 2023
GitLab / Architecture at GitLab / 17 Aug 2023
Previous Meeting
Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: GitLab Auth Service PoC

Description

Grzegorz Bizon demos a simple Proof-of-Concept of how GitLab Auth Service could look like in theory. The main intent of delivering this PoC is to start a discussion about how our authentication approach could look like in the era of GitLab Cells and GitLab Dedicated.

A

Foreign.

A

And today, I wanted to show you my small proof of concept service I've been working on recently, it's a small golang based reverse proxy. That makes it possible to authenticate users into uh separate, fully decoupled instances of GitHub like gitlab cells or maybe GitHub dedicated instances. This is just a you know, a theoretical service, something that could work this way in theory, but it's not production ready. So let me just show you how it works.

A

Let me show you my screen and uh that's where you can find the code. It's a public project on gitlab.com. So if you have questions or ideas feel free to, um you know, comment on on the code itself or just timing on slack. So, let's, uh let's just jump in and I'll, be happy to show you how it works. So let me just start the service and now, um let's navigate.

A

To the um gitlab POC domain, as you can see, because I'm I'm not signed in in anywhere like it's, my uh there's I have a global identity here with a couple of organizations assigned and I just got immediately redirected the first organization, and there are multiple organizations assigned to my GitHub handle. So let me just sign in.

A

As you can see, that's um the first gitlab instance and I can I can navigate the instance. It's using the organization scoping here. So when I now I can go to the second one.

A

As you can see, I need to authenticate it again because it's a completely different service, but in theory we could use the global identity to sign in into all the organizations automatically.

A

uh Let me enter the second password, which is different actually.

A

And, as you can see, there's a second project here, but there's no first project right. So it's a different instance and uh here I can open the first organization and you will see that there is no second project, but there's only the first one, all right and uh now I can sign out of the first organization and I will remind remained remain signed into the second one.

A

So um under hood we are running two completely subvert GitHub instances you're using our official Docker image, that's at the latest release and there are no application changes required to make it work.

A

um And now the service itself is managing the sessions. So whenever we sign in into the organization or Excel, the service is going to store the session in the global identity store. And then whenever we want to open an organization, then the correct identity is going to be forwarded to the cell or GitHub instance that the user wants to connect to yeah and that's it uh feel free to reach out. If you have questions or suggestions uh yeah. Thank you, foreign.