Description
Sam Figeroua discusses backend implementation of this epic: https://gitlab.com/groups/gitlab-org/-/epics/11084
High-level description: Before someone approves an MR, there should be re-authentication with SAML.
Similar feature: Password required for MR approvals: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/10364
A
Can you repeat that? No no, it's okay, I just was getting excited, so recording is going to get started. Okay, so we have, hi Joseph, Jesse.

A
We were gonna, did you come with anything particular to pair on, or you want to pair on some other SAML something from somebody else? Because we can. We have something we're starting on, but we can make sure we leave time if you have something else.

A
Great, do you have an issue you could send us, or did you put it in the channel somewhere?
B
I'm gonna grab it, hold on. Actually, right now it's an epic.

B
Yeah, it's been there for quite a bit, was left dormant for a while. Most of the comments are about a year old.

B
Came back nine months, it was, that's the magic of promoting an issue to an epic.

B
Yeah, oh yeah, it is, there is an activity item. I was going to say: do we at least have an activity item for that? We do, yeah? Okay, let's see. Where is it.

B
Right, there's the issue, yeah. It was promoted from issue to epic and that's why it was confusing that way, yeah. So I'm, splitting this, the plan was to split this up into the back end and the front end parts and start with the back end first, yeah. So where I'm initially kind of stuck on is figuring out: if I want to send a re-auth request, I'll have to, as far as I've understood it, provide a good callback, or there's a callback URL that SAML will redirect to once...
B
...they're authenticated, right? Jesse, feel free to say nay when I say something wrong. So where I'm having trouble finding out in the code is where could I grab on to parameters that I've added. Like, for example, I would want to add a reference to the MR that we're approving and sort of tag the action as "this is for an approval". I tried getting into some of the callbacks we have, I think we have an OmniAuth callbacks controller, but I didn't get very far with that.

B
Yeah, it's, I think the background for this came from an FDA regulation that, for compliance reasons, they need to ensure that the person who's approving is actually that same person. So they want to sort of get around someone left their laptop on, or try to reduce that, yeah.

B
Yeah, this would be similar, like we already have required password to approve done in a similar way, and this would sort of add on to that and have SAML to approve.
A
Yeah, okay, that makes sense, and okay. So this is going to be gated behind the setting, and do we have access to the MR ID? We have it handy. The one with the email verification was added, I'm curious how that was done.

A
This is introduced in 12.0, there's a little link, oh, for an issue, if you go under the "require user password to approve" subheader in here. Do you see that, on this page here? I can send you in the chat.

B
Years ago, that's been a while, yeah yeah.

A
And you can let me know also if you would rather investigate this in a different way. I just, for me, this is how I feel like I always start, if I'm like, what other features do we have that are similar to this.

B
We can check that out. That's on merge request.

A
Which isn't exactly what you want, because you're not looking for an active SAML session? You want to just prompt SAML authentication, but it is possible that that does a check, they check for more than just role, is basically what I'm trying to say, those policies.
C
I don't know if it's going to be relevant, but I think maybe the method is also overridden in EE. There's ee/app/models/concerns/ee/approval, which overrides the same method.

B
I've noticed in the OmniAuth callback controller that there seems to be methods to fetch some params from the auth.

B
Where I've had trouble trying to figure out was how to sort of inject a different flow, because the usual flow is it logs you in and redirects back where you wanted to go, right, or where...

B
Something rings a bell there, yeah, we have, or not, I...

B
...yet is how do I make sure that this approval is part of a response from SAML and not just someone calling the same URL, like if they would know what to pick. Now, saying that out loud, maybe, yeah, I could add some sort of token, but yeah, I want to be able to make sure that someone calling the approve actually happened, like in the response from SAML, and not just them calling the method.

A
Will there, there will be some, I believe there's an attribute on the user, like we know when the user last auth'd with SAML? Don't we? I don't, off the top of my head, know what that attribute would be, if it's like last login at or whatever, but assuming it's on the user themselves, yeah.
A
Really understanding the full flow that's gonna happen, I mean we'll have different methods of doing these things.

B
All right, let's see.

A
...be approval for the SAML auth. Like I think the way this seems to work is that the user has typed in their password and then we pass that to approval service and we're like, okay, is this the right password? If so, allow them to approve. But we, in a SAML context, are not getting another password, we're just going to know whether they have successfully SAML auth'd or not.

B
And the feature is, if they, it's like the first... let me check, well, this feature, in this iteration it doesn't matter as much, but like the ultimate implementation would be that they would have to, like, the first time in their session they try to approve something, they need to log in, and if they don't, let's say they don't log in again for the next 10 minutes, or their session is older than 10 minutes, then they would have to do it again.

B
But like after the first one, after the first approval, like in the next 10 minutes they could approve any without re-authenticating again, so they sort of have a grace period, like, we know you just had a SAML auth, so it's fine for the next 10 minutes, and if you take longer than that, you step away, then we'll need to re-auth.
A
That is, I think that's the class that we're gonna wanna look into to know when the user last SAML auth'd. We're already here. I don't think so.

A
If you'll see, there's like active_session? in there, and so it's looking at session information, but it does, you know, so default session timeout is, it is one day ago, yeah, so you're gonna want to do something different, but I feel like this might be what you're looking for in terms of where to pull information about when the user last SAML auth'd.

B
Maybe if this was, let's see.

A
Yeah, so I feel like if you want to start on the inside out and just do the logic, the very lowest level logic first, wouldn't that be starting with this service, the merge requests approval service, and in there saying, if this setting is set, make sure that active session, with a cutoff of an arbitrary timestamp, 15 minutes ago, whatever, is true, and then allow it. And that's kind of the most low level piece.
A
I know, like in my, I don't know if you experienced this, I feel like a lot of the features I've worked on, there's kind of a push to make them Ultimate features, like they're trying to add more differentiation between Premium and Ultimate, because Ultimate is quite a lot more expensive.

B
Because, like basically, everything is always an Ultimate feature, so yeah, yes, yeah. I might need to double check that, though, because this came from a different direction, so.

B
Yeah, I was anticipating that it probably will be multiple MRs.

B
Yeah, like you said, front end and back end will be a different split, basically. So I wanted to have that split up in itself already, and the back end part.

B
It's like, sort of the, I was probably, because I was looking at the bigger picture together with the FDA compliance request, where the people also had to sign their name or something. That was like the initial request: they had to type in their name and then authenticate, and they had to have their name in there with it. Whoa.

B
That whole shebang, yeah, so that's true, that's the other part, is that there's going to be a setting for this as well. People are gonna have to be able to enable it or not in the group settings.

B
True, that's a good point. I'm going to add that to the questions.
B
Roam, and usually I'll try to use it to have a list of things I need every day. When I have too many tabs open I'll try to figure out, like, I'll have, let's see, all right, like this, I'll have just a link to like a daily list, and then, like, things I've used that day, those will go on this linked list.

B
This is something I was working on a while back, and then I can sort of hone in on where I might have been doing that. And it's just, I don't think too much about it, way to log them, because if I try to categorize them I'll spend all day just categorizing everything, yeah. So I try to do it just by that date, and then, if I need anything extra on it, like in Roam I can just add these hashes and it'll tag them, and then it'll collate everything I have on there together.

B
So every time you link something in Roam, it'll try to auto-find, auto-link, and grab other things that have been linked the same way in these references, so that's kind of cool, I like it.

B
Yeah, I don't like Google Docs for, I've used, tried using it for notes and everything, but I just, even the king of search, Google, and you think it's, only doesn't work very well in other apps. They try to find something on Google Docs or on Drive, it seems to fall apart more than, yeah, than it should, yeah.
A
Exactly, and I guess, because I think the other question that you needed final approval on, or thought on, is like the, what is the time, right, like what is the window of time when somebody can have...

B
Yeah, I don't doubt that not everyone could follow SAML in their heads. Just too much. I started looking at it last week, I felt very overwhelmed with all the subclasses and even more subclasses. Yeah yeah.

A
Well then, I saw in your Roam notes that you had on your to-do for yesterday to set up SAML auth with GDK. Were you able to do that? Okay.

A
Because we also could help you do that if you wanted. I've done that a few times, it's pretty, I think the docs are pretty good, but also I've done it a few times, so maybe I'm...

A
...it on gdk.test, it was a lot easier to manually update, because...

C
No, that's what daughter status I. It looks like a recent change.

A
Good luck with that! Let us know if you have issues. You found the right people to talk to about SAML, so appreciate...