feat: add gitlab provider templates (#5405)

* feat(api): add google provider template

* refactor reduce functions

* handle removed event

* linting

* fix projection

* feat(api): add generic oauth provider template

* feat(api): add github provider templates

* feat(api): add github provider templates

* fixes

* proto comment

* fix filtering

* requested changes

* feat(api): add generic oauth provider template

* remove wrongly committed message

* increase budget for angular build

* fix linting

* fixes

* fix merge

* fix merge

* fix projection

* fix merge

* updates from previous PRs

* enable github providers in login

* fix merge

* fix test and add github styling in login

* cleanup

* feat(api): add gitlab provider templates

* fix: merge

* fix display of providers in login

* implement gitlab in login and make prompt `select_account` optional since gitlab can't handle it

* fix merge

* fix merge and add tests for command side

* requested changes

* requested changes

* Update internal/query/idp_template.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* fix merge

* requested changes

---------

Co-authored-by: Silvan <silvan.reusser@gmail.com>

internal/api/ui/login/external_provider_handler.go

@@ -19,6 +19,7 @@ import (
 	"github.com/zitadel/zitadel/internal/eventstore/v1/models"
 	"github.com/zitadel/zitadel/internal/idp"
 	"github.com/zitadel/zitadel/internal/idp/providers/github"
+	"github.com/zitadel/zitadel/internal/idp/providers/gitlab"
 	"github.com/zitadel/zitadel/internal/idp/providers/google"
 	"github.com/zitadel/zitadel/internal/idp/providers/jwt"
 	"github.com/zitadel/zitadel/internal/idp/providers/oauth"
@@ -146,12 +147,14 @@ func (l *Login) handleIDP(w http.ResponseWriter, r *http.Request, authReq *domai
 		provider, err = l.githubProvider(r.Context(), identityProvider)
 	case domain.IDPTypeGitHubEnterprise:
 		provider, err = l.githubEnterpriseProvider(r.Context(), identityProvider)
+	case domain.IDPTypeGitLab:
+		provider, err = l.gitlabProvider(r.Context(), identityProvider)
+	case domain.IDPTypeGitLabSelfHosted:
+		provider, err = l.gitlabSelfHostedProvider(r.Context(), identityProvider)
 	case domain.IDPTypeGoogle:
 		provider, err = l.googleProvider(r.Context(), identityProvider)
 	case domain.IDPTypeLDAP,
 		domain.IDPTypeAzureAD,
-		domain.IDPTypeGitLab,
-		domain.IDPTypeGitLabSelfHosted,
 		domain.IDPTypeUnspecified:
 		fallthrough
 	default:
@@ -221,6 +224,20 @@ func (l *Login) handleExternalLoginCallback(w http.ResponseWriter, r *http.Reque
 			return
 		}
 		session = &oauth.Session{Provider: provider.(*github.Provider).Provider, Code: data.Code}
+	case domain.IDPTypeGitLab:
+		provider, err = l.gitlabProvider(r.Context(), identityProvider)
+		if err != nil {
+			l.externalAuthFailed(w, r, authReq, nil, nil, err)
+			return
+		}
+		session = &openid.Session{Provider: provider.(*gitlab.Provider).Provider, Code: data.Code}
+	case domain.IDPTypeGitLabSelfHosted:
+		provider, err = l.gitlabSelfHostedProvider(r.Context(), identityProvider)
+		if err != nil {
+			l.externalAuthFailed(w, r, authReq, nil, nil, err)
+			return
+		}
+		session = &openid.Session{Provider: provider.(*gitlab.Provider).Provider, Code: data.Code}
 	case domain.IDPTypeGoogle:
 		provider, err = l.googleProvider(r.Context(), identityProvider)
 		if err != nil {
@@ -231,8 +248,6 @@ func (l *Login) handleExternalLoginCallback(w http.ResponseWriter, r *http.Reque
 	case domain.IDPTypeJWT,
 		domain.IDPTypeLDAP,
 		domain.IDPTypeAzureAD,
-		domain.IDPTypeGitLab,
-		domain.IDPTypeGitLabSelfHosted,
 		domain.IDPTypeUnspecified:
 		fallthrough
 	default:
@@ -609,6 +624,7 @@ func (l *Login) oidcProvider(ctx context.Context, identityProvider *query.IDPTem
 		l.baseURL(ctx)+EndpointExternalLoginCallback,
 		identityProvider.OIDCIDPTemplate.Scopes,
 		openid.DefaultMapper,
+		openid.WithSelectAccount(),
 	)
 }
 
@@ -678,6 +694,34 @@ func (l *Login) githubEnterpriseProvider(ctx context.Context, identityProvider *
 	)
 }
 
+func (l *Login) gitlabProvider(ctx context.Context, identityProvider *query.IDPTemplate) (*gitlab.Provider, error) {
+	secret, err := crypto.DecryptString(identityProvider.GitLabIDPTemplate.ClientSecret, l.idpConfigAlg)
+	if err != nil {
+		return nil, err
+	}
+	return gitlab.New(
+		identityProvider.GitLabIDPTemplate.ClientID,
+		secret,
+		l.baseURL(ctx)+EndpointExternalLoginCallback,
+		identityProvider.GitLabIDPTemplate.Scopes,
+	)
+}
+
+func (l *Login) gitlabSelfHostedProvider(ctx context.Context, identityProvider *query.IDPTemplate) (*gitlab.Provider, error) {
+	secret, err := crypto.DecryptString(identityProvider.GitLabSelfHostedIDPTemplate.ClientSecret, l.idpConfigAlg)
+	if err != nil {
+		return nil, err
+	}
+	return gitlab.NewCustomIssuer(
+		identityProvider.Name,
+		identityProvider.GitLabSelfHostedIDPTemplate.Issuer,
+		identityProvider.GitLabSelfHostedIDPTemplate.ClientID,
+		secret,
+		l.baseURL(ctx)+EndpointExternalLoginCallback,
+		identityProvider.GitLabSelfHostedIDPTemplate.Scopes,
+	)
+}
+
 func (l *Login) appendUserGrants(ctx context.Context, userGrants []*domain.UserGrant, resourceOwner string) error {
 	if len(userGrants) == 0 {
 		return nil

internal/api/ui/login/static/resources/themes/scss/styles/identity_provider/identity_provider_base.scss

@@ -4,6 +4,7 @@ $lgn-idp-provider-name-line-height: 36px;
 $lgn-idp-border-radius: .5rem;
 $googlelogosource: '../../../images/idp/google';
 $githublogosource: '../../../images/idp/github';
+$gitlablogosource: '../../../images/idp/gitlab';
 
 @mixin lgn-idp-base {
     display: block;
@@ -52,4 +53,16 @@ $githublogosource: '../../../images/idp/github';
             border-radius: 5px;
         }
     }
+
+    &.gitlab {
+        span.logo {
+            height: 46px;
+            width: 46px;
+            background-image: url($gitlablogosource + '.png');
+            background-size: 100%;
+            background-position: center;
+            background-repeat: no-repeat;
+            border-radius: 5px;
+        }
+    }
 }

internal/api/ui/login/static/resources/themes/scss/styles/identity_provider/identity_provider_theme.scss

@@ -26,6 +26,11 @@
       color: var(--zitadel-color-github-text);
       background-color: var(--zitadel-color-github-background);
     }
+
+    &.gitlab {
+      color: var(--zitadel-color-gitlab-text);
+      background-color: var(--zitadel-color-gitlab-background);
+    }
   }
 
   .lgn-idp-providers {

internal/api/ui/login/static/resources/themes/scss/styles/vars.scss

@@ -115,6 +115,8 @@
   --zitadel-color-google-background: #ffffff;
   --zitadel-color-github-text: #8b8d8d;
   --zitadel-color-github-background: #ffffff;
+  --zitadel-color-gitlab-text: #8b8d8d;
+  --zitadel-color-gitlab-background: #ffffff;
 
   --zitadel-color-qr: var(--zitadel-color-black);
   --zitadel-color-qr-background: var(--zitadel-color-white);
@@ -218,4 +220,6 @@
   --zitadel-color-google-background: #ffffff;
   --zitadel-color-github-text: #8b8d8d;
   --zitadel-color-github-background: #ffffff;
+  --zitadel-color-gitlab-text: #8b8d8d;
+  --zitadel-color-gitlab-background: #ffffff;
 }

internal/api/ui/login/static/resources/themes/zitadel/css/zitadel.css

@@ -100,6 +100,8 @@
   --zitadel-color-google-background: #ffffff;
   --zitadel-color-github-text: #8b8d8d;
   --zitadel-color-github-background: #ffffff;
+  --zitadel-color-gitlab-text: #8b8d8d;
+  --zitadel-color-gitlab-background: #ffffff;
   --zitadel-color-qr: var(--zitadel-color-black);
   --zitadel-color-qr-background: var(--zitadel-color-white);
 }
@@ -188,6 +190,8 @@
   --zitadel-color-google-background: #ffffff;
   --zitadel-color-github-text: #8b8d8d;
   --zitadel-color-github-background: #ffffff;
+  --zitadel-color-gitlab-text: #8b8d8d;
+  --zitadel-color-gitlab-background: #ffffff;
 }
 
 body {
@@ -572,6 +576,15 @@ a.sub-formfield-link {
   background-repeat: no-repeat;
   border-radius: 5px;
 }
+.lgn-idp.gitlab span.logo {
+  height: 46px;
+  width: 46px;
+  background-image: url("../../../images/idp/gitlab.png");
+  background-size: 100%;
+  background-position: center;
+  background-repeat: no-repeat;
+  border-radius: 5px;
+}
 
 .lgn-error {
   display: flex;
@@ -1556,6 +1569,15 @@ a.sub-formfield-link {
   background-repeat: no-repeat;
   border-radius: 5px;
 }
+.lgn-idp.gitlab span.logo {
+  height: 46px;
+  width: 46px;
+  background-image: url("../../../images/idp/gitlab.png");
+  background-size: 100%;
+  background-position: center;
+  background-repeat: no-repeat;
+  border-radius: 5px;
+}
 
 .lgn-error {
   display: flex;
@@ -3073,6 +3095,10 @@ ul li i.lgn-valid {
   color: var(--zitadel-color-github-text);
   background-color: var(--zitadel-color-github-background);
 }
+.lgn-idp.gitlab {
+  color: var(--zitadel-color-gitlab-text);
+  background-color: var(--zitadel-color-gitlab-background);
+}
 
 .lgn-idp-providers .lgn-idp-desc {
   color: var(--zitadel-color-label);

internal/api/ui/login/static/templates/login.html

@@ -49,7 +49,7 @@
         <a href="{{ externalIDPAuthURL $reqid $provider.IDPConfigID}}"
             class="lgn-idp {{idpProviderClass $provider.IDPType}}">
             <span class="logo"></span>
-            <span class="provider-name">{{$provider.Name}}</span>
+            <span class="provider-name">{{$provider.DisplayName}}</span>
         </a>
         {{end}}
     </div>

internal/api/ui/login/static/templates/register_option.html

@@ -29,7 +29,7 @@
                 <a href="{{ externalIDPRegisterURL $reqid $provider.IDPConfigID}}"
                     class="lgn-idp {{idpProviderClass $provider.IDPType}}">
                     <span class="logo"></span>
-                    <span class="provider-name">{{$provider.Name}}</span>
+                    <span class="provider-name">{{$provider.DisplayName}}</span>
                 </a>
             {{end}}
         {{end}}