Using matterircd with Gitlab authentication #29
Comments
|
I'm also interested in this, but I doubt that it is possible at the moment without any modifications. My first guess is that it would require modification of |
|
Not possible for now, I think mattermost only allows 1 oauth sign-in (gitlab or github) (and I guess this patch needs to be merged also mattermost/mattermost#1938 before matterircd can use oauth) My knowledge about oauth is very limited though. Smarter people are always welcome to help out :) |
|
I've been playing around with both mattermost and matterircd for a few weeks now and i'm just getting around to OAuth. It's something that I'm interested in trying to implement for matterircd, but my knowledge of Go up to this point is limited. I'm wondering, if you were to go about implementing support for OAuth, if you had any suggestions as to how you would approach it? Thanks! And also thank you for making matterircd, its been very useful in convincing my colleagues to give mattermost a try, as a platform. |
|
I would also like to make a feature request for this. The Omnibus version of Mattermost only supports Gitlab SSO via Oauth, which is not usable by IRC clients such as irssi. One alternative I have found is to allow users to convert their account authentication from Gitlab SSO to Email/Password. Then they are able to use standard usernames and passwords to authenticate with their IRC clients. That is not a viable large scale solution since it fragments the authentication for users and makes administration more difficult. If matterircd could support Oauth, then that would be the preferable solution. Otherwise, Mattermost Omnibus would need to either support LDAP authentication separately or maybe even reuse the Gitlab LDAP configuration since it is already present in the gitlab.rb file. |
|
Could you support at least setting the auth token manually? (e.g. using https://github.com/mattermost/platform/blob/master/model/client.go#L1282) (It's rather easy to obtain one, e.g. from the cookie in your web-browser and should work) |
|
@Feandil great idea, I got it working. Commit coming up soon. |
|
@Feandil Ok, rebuild from master, and you should be able to login by |
|
Thanks, login seems to work like a charm here :) However, I just hit a bug I think: Could there be an error in the automatic login part ? (the '$' part was replaced by me) |
|
I've updated master to show a bit more debug information, can you reproduce ? |
|
|
|
@trou no sorry, older versions of mattermost have security problems. You should upgrade to mattermost 3.x (https://about.mattermost.com/security-updates/) |
|
Sorry, I have not been able to reproduce the bug so far. Please ignore my previous comment and sorry for the noise |
Minimal IRC server which integrates with Mattermost and Slack. Features: - support direct messages / private channels / edited messages - auto-join/leave to same channels as on mattermost - reconnects with backoff on mattermost restarts - support multiple users - support channel backlog (messages when you're disconnected from IRC/mattermost) - search messages (/msg mattermost search query) - scrollback support (/msg mattermost scrollback #channel limit) - restrict to specified mattermost instances - set default team/server - WHOIS, WHO, JOIN, LEAVE, NICK, LIST, ISON, PRIVMSG, MODE, TOPIC, LUSERS, AWAY, KICK, INVITE support - support TLS (ssl) - support LDAP logins (mattermost enterprise) (use your ldap account/pass to login) - &users channel that contains members of all teams (if mattermost is so configured) for easy messaging - supports mattermost roles (shows admins with @ status for now) - gitlab auth hack by using mmtoken cookie (see 42wim/matterircd#29)
|
It is also possible to use the mattermost Personal Access Token instead of the session token. The Personal Access Token does not expire. |
If I am reading the documentation correctly, though, only mattermost admins get those by default and they have to explicitly enable them for non-admin users. I don't think this is really a workable replacement for the gitlab tokens. It is not clear to me why this is an admin-only feature that is off by default though. |
|
If the reasoning here is that it's not enabled by default, then I think personal access tokens should still be the value to use. I don't know if there is a technical reason not to use them. Determining the MMAUTHTOKEN is not entirely trivial, and it's surely not something you can expect most people to figure out. A big reason to use the PATs is that they can be revoked or disabled if lost or compromised. If either approach can be used, then I'd like to see both. My 2 cents :) |
|
Sure, I agree it would definitely be nice to support both. My point was just that switching to only use the personal access tokens would be bad-- since not all users can necessarily create them. |
|
Hello, |
|
@tobast It is already possible to use the personal access token instead of the mmauthtoken.
|
|
@kerhac Awesome, thank you! One fewer thing to hack before having a working Mattermost setup :) |
|
@kerhac With the actual MMAUTHTOKEN I can connect, but with a personal gitlab access token I can't. Update: |
|
Hey @42wim and others. Reading through this thread, it sounds like the current workarounds for GitLab login on matterircd include:
The reason we enabled personal access tokens for admins only is that these tokens were primarily intended to be used for integrations. We have bot accounts in the near term roadmap which would largely overtake the use case for personal access tokens for integrations. That said, this second use case I'm reading about is interesting and not something we had in mind. Are there other approaches or capabilities that Mattermost could better support GitLab (and other non-email logins) on matterircd? Or are personal access tokens the only way to go? |
|
Closing this, added to the FAQ in the readme |
I have enabled Mattermost (v1.3) that was installed with my Gitlab instance. It is set-up to use Gitlab for login. From matterircd (v0.2) I get the following error:
How can I get matterircd to work in this setup?
The text was updated successfully, but these errors were encountered: