Step-up auth: Show step-up auth for admin mode in active sessions [PART 1.1]
Please check this box if this contribution uses AI-generated content (including content generated by GitLab Duo features) as outlined in the GitLab DCO & CLA. As a benefit of being a GitLab Community Contributor, you receive complimentary access to GitLab Duo.
What does this MR do and why?
The Active Sessions page lets users see their active sessions and manage or revoke them.
As part of step-up authentication for admin mode, users need to be able to identify which sessions currently have step-up authentication enabled.
This change marks those sessions on the Active Sessions page, so users can see at a glance which sessions are step-up authenticated, giving better transparency and security management.
References
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
MR Checklist (@gerardo-navarro)
- Changelog entry added, if necessary
- Documentation created/updated via this MR
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Tested in all supported browsers
- Conforms to the code review guidelines
- Conforms to the merge request performance guidelines
- Conforms to the style guides
- Conforms to the javascript style guides
- Conforms to the database guides
- Ensure the text "with Step-up Authentication" is not shown when the user leaves the admin mode
Screenshots or screen recordings
Here is the screencast to demonstrate the feature:
- Part 1: https://cap.link/sy3wsxze0s9m6n0 => Showing extra information for the session that has been step-up authenticated
- Part 2: https://cap.link/kg7xfg7j5dwg179 => Revoking the session does not interfere with the step-up authentication
| Before | After |
|---|---|
| (screenshot not included in this extract) | (screenshot not included in this extract) |
How to set up and validate locally
Part 1: Configure step-up auth in Keycloak
- Follow the steps for configuring step-up auth as described in a previous MR description (Part 1)
Part 2: Prepare your local GitLab gdk instance
- Follow the steps for configuring step-up auth as described in a previous MR description (Part 2)
Part 3: Observe active sessions in separate browser window
- Go to the usual sign in page: http://gdk.test:3000/users/sign_in
- Go to your User Settings > Active Sessions page.
- You should see your current session
👍 - Now continuously refresh the page after the steps in Part 4 in order to see the changes
Part 4: Test the step-up auth for admin mode
- Open another private browser window (fresh session); do not use the same browser as in Part 3 to ensure that you have an isolated session
- Go to the usual sign in page: http://gdk.test:3000/users/sign_in
- Sign in via Keycloak via username and password
- After a successful sign in, the user will be redirected to their dashboard
- Look at the Active Sessions page (in the other browser) and you should see an additional active session
- Go to the reauthentication page for the admin area: http://gdk.test:3000/admin/session/new (this should be possible because the user is also an admin)
- Sign in with the button "[OIDC] Keycloak" and fulfill the step-up authentication challenge
- You should now be inside the admin area
😄 - Look at the active session page (in the other browser) and see that one active session contains the information "with Step-up Authentication" and "with Admin Mode"
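The labels checked in the steps above ("with Admin Mode", "with Step-up Authentication"), the checklist requirement that the step-up label disappears when the user leaves admin mode, and the Part 2 screencast (revoking one session must not disturb another session's step-up state) all follow from one rule: the step-up marker is only meaningful while admin mode is live in that session. The following Ruby sketch is an added, standalone example of that rule; it is not GitLab's `ActiveSession` implementation, and the struct fields (`admin_mode_until`, `step_up_authenticated_at`), the `current session` label and the helper names are assumptions made for illustration.

```ruby
require 'time'

# Hypothetical model of one row on the Active Sessions page (not GitLab's class).
# admin_mode_until:        UTC time until which admin mode is active, or nil
# step_up_authenticated_at: UTC time the step-up challenge was passed, or nil
ActiveSessionEntry = Struct.new(:session_id, :ip_address, :is_current,
                                :admin_mode_until, :step_up_authenticated_at,
                                keyword_init: true)

def admin_mode_active?(entry, now = Time.now.utc)
  !entry.admin_mode_until.nil? && entry.admin_mode_until > now
end

# Assumption: step-up evidence is only shown while admin mode is live. If admin
# mode expired or was left, the step-up label must not be shown either.
def step_up_active?(entry, now = Time.now.utc)
  admin_mode_active?(entry, now) && !entry.step_up_authenticated_at.nil?
end

# Labels rendered next to a session, in display order.
def session_labels(entry, now = Time.now.utc)
  labels = []
  labels << 'current session' if entry.is_current
  labels << 'with Admin Mode' if admin_mode_active?(entry, now)
  labels << 'with Step-up Authentication' if step_up_active?(entry, now)
  labels
end

# Leaving admin mode clears both markers, so re-entering admin mode later
# requires passing the step-up challenge again (hypothetical behaviour).
def leave_admin_mode(entry)
  ActiveSessionEntry.new(**entry.to_h.merge(admin_mode_until: nil,
                                            step_up_authenticated_at: nil))
end

# Revocation only removes the chosen session; other entries keep their state.
def revoke_session(sessions, session_id)
  sessions.reject { |s| s.session_id == session_id }
end

# One line per session, e.g. "127.0.0.2 (b) - with Admin Mode, with Step-up Authentication"
def render_active_sessions(sessions, now = Time.now.utc)
  sessions.map do |s|
    suffix = session_labels(s, now)
    line = "#{s.ip_address} (#{s.session_id})"
    suffix.empty? ? line : "#{line} - #{suffix.join(', ')}"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: the Part 3 browser (current) and the Part 4
  # private window that passed the step-up challenge for admin mode.
  now = Time.utc(2024, 1, 1, 12, 0, 0)
  sessions = [
    ActiveSessionEntry.new(session_id: 'a', ip_address: '127.0.0.1', is_current: true,
                           admin_mode_until: nil, step_up_authenticated_at: nil),
    ActiveSessionEntry.new(session_id: 'b', ip_address: '127.0.0.2', is_current: false,
                           admin_mode_until: now + 3600, step_up_authenticated_at: now - 60)
  ]
  puts render_active_sessions(sessions, now)
  puts '--- after session b leaves admin mode ---'
  puts render_active_sessions([sessions[0], leave_admin_mode(sessions[1])], now)
end
```

The two edge cases worth keeping in a real implementation are visible here: the step-up label is derived from admin-mode state rather than stored as an independent flag, so it cannot linger after admin mode ends, and revoking a session touches only that session's entry.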
Edited by Gerardo Navarro