OpenID Connect OmniAuth provider
GitLab can use OpenID Connect as an OmniAuth provider.
To enable the OpenID Connect OmniAuth provider, you must register your application with an OpenID Connect provider. The OpenID Connect will provide you with a client details and secret for you to use.
-
On your GitLab server, open the configuration file.
For Omnibus GitLab:
sudo editor /etc/gitlab/gitlab.rb
For installations from source:
cd /home/git/gitlab sudo -u git -H editor config/gitlab.yml
See Initial OmniAuth Configuration for initial settings.
-
Add the provider configuration.
For Omnibus GitLab:
gitlab_rails['omniauth_providers'] = [ { 'name' => 'openid_connect', 'label' => '<your_oidc_label>', 'icon' => '<custom_provider_icon>', 'args' => { 'name' => 'openid_connect', 'scope' => ['openid','profile'], 'response_type' => 'code', 'issuer' => '<your_oidc_url>', 'discovery' => true, 'client_auth_method' => 'query', 'uid_field' => '<uid_field>', 'send_scope_to_token_endpoint' => 'false', 'client_options' => { 'identifier' => '<your_oidc_client_id>', 'secret' => '<your_oidc_client_secret>', 'redirect_uri' => '<your_gitlab_url>/users/auth/openid_connect/callback' } } } ]
For installation from source:
- { name: 'openid_connect', label: '<your_oidc_label>', icon: '<custom_provider_icon>', args: { name: 'openid_connect', scope: ['openid','profile'], response_type: 'code', issuer: '<your_oidc_url>', discovery: true, client_auth_method: 'query', uid_field: '<uid_field>', send_scope_to_token_endpoint: false, client_options: { identifier: '<your_oidc_client_id>', secret: '<your_oidc_client_secret>', redirect_uri: '<your_gitlab_url>/users/auth/openid_connect/callback' } } }
NOTE: Note: For more information on each configuration option refer to the OmniAuth OpenID Connect usage documentation and the OpenID Connect Core 1.0 specification.
-
For the configuration above, change the values for the provider to match your OpenID Connect client setup. Use the following as a guide:
-
<your_oidc_label>
is the label that will be displayed on the login page. -
<custom_provider_icon>
(optional) is the icon that will be displayed on the login page. Icons for the major social login platforms are built-in into GitLab, but can be overridden by specifying this parameter. Both local paths and absolute URLs are accepted. -
<your_oidc_url>
(optional) is the URL that points to the OpenID Connect provider. For example,https://example.com/auth/realms/your-realm
. If this value is not provided, the URL is constructed from theclient_options
in the following format:<client_options.scheme>://<client_options.host>:<client_options.port>
. - If
discovery
is set totrue
, the OpenID Connect provider will try to auto discover the client options using<your_oidc_url>/.well-known/openid-configuration
. Defaults tofalse
. -
client_auth_method
(optional) specifies the method used for authenticating the client with the OpenID Connect provider.- Supported values are:
-
basic
- HTTP Basic Authentication -
jwt_bearer
- JWT based authentication (private key and client secret signing) -
mtls
- Mutual TLS or X.509 certificate validation - Any other value will POST the client ID and secret in the request body
-
- If not specified, defaults to
basic
.
- Supported values are:
-
<uid_field>
(optional) is the field name from theuser_info.raw_attributes
details that will be used asuid
value. For example,preferred_username
. If this value is not provided or the field with the configured value is missing from theuser_info.raw_attributes
details, theuid
will use thesub
field. -
send_scope_to_token_endpoint
istrue
by default. In other words, thescope
parameter is normally included in requests to the token endpoint. However, if your OpenID Connect provider does not accept thescope
parameter in such requests, set this tofalse
. -
client_options
are the OpenID Connect client-specific options. Specifically:-
identifier
is the client identifier as configured in the OpenID Connect service provider. -
secret
is the client secret as configured in the OpenID Connect service provider. -
redirect_uri
is the GitLab URL to redirect the user to after successful login. For example,http://example.com/users/auth/openid_connect/callback
. -
end_session_endpoint
(optional) is the URL to the endpoint that end the session (logout). Can be provided if auto-discovery disabled or unsuccessful. - The following
client_options
are optional unless auto-discovery is disabled or unsuccessful:-
authorization_endpoint
is the URL to the endpoint that authorizes the end user. -
token_endpoint
is the URL to the endpoint that provides Access Token. -
userinfo_endpoint
is the URL to the endpoint that provides the user information. -
jwks_uri
is the URL to the endpoint where the Token signer publishes its keys.
-
-
-
-
Save the configuration file.
-
Reconfigure or restart GitLab for the changes to take effect if you installed GitLab via Omnibus or from source respectively.
On the sign in page, there should now be an OpenID Connect icon below the regular sign in form. Click the icon to begin the authentication process. The OpenID Connect provider will ask the user to sign in and authorize the GitLab application (if confirmation required by the client). If everything goes well, the user will be redirected to GitLab and will be signed in.
Example configurations
The following configurations illustrate how to set up OpenID with different providers with Omnibus GitLab.
See the Google documentation for more details:
gitlab_rails['omniauth_providers'] = [
{
'name' => 'openid_connect',
'label' => 'Google OpenID',
'args' => {
'name' => 'openid_connect',
'scope' => ['openid', 'profile', 'email'],
'response_type' => 'code',
'issuer' => 'https://accounts.google.com',
'client_auth_method' => 'query',
'discovery' => true,
'uid_field' => 'preferred_username',
'client_options' => {
'identifier' => '<YOUR PROJECT CLIENT ID>',
'secret' => '<YOUR PROJECT CLIENT SECRET>',
'redirect_uri' => 'https://example.com/users/auth/openid_connect/callback',
}
}
}
Troubleshooting
If you're having trouble, here are some tips:
-
Ensure
discovery
is set totrue
. Setting it tofalse
requires specifying all the URLs and keys required to make OpenID work. -
Check your system clock to ensure the time is synchronized properly.
-
As mentioned in the documentation, make sure
issuer
corresponds to the base URL of the Discovery URL. For example,https://accounts.google.com
is used for the URLhttps://accounts.google.com/.well-known/openid-configuration
. -
The OpenID Connect client uses HTTP Basic Authentication to send the OAuth2 access token if
client_auth_method
is not defined or if set tobasic
. If you are seeing 401 errors upon retrieving theuserinfo
endpoint, you may want to check your OpenID Web server configuration. For example, for oauth2-server-php, you may need to add a configuration parameter to Apache.