ContextQMD
Back to Authelia

GitLab

docs/content/integration/openid-connect/clients/gitlab/index.md

4.39.194.4 KB
Original Source

Tested Versions

{{% oidc-common %}}

Assumptions

This example makes the following assumptions:

  • Application Root URL: https://gitlab.{{< sitevar name="domain" nojs="example.com" >}}/
  • Authelia Root URL: https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/
  • Client ID: gitlab
  • Client Secret: insecure_secret

Some of the values presented in this guide can automatically be replaced with documentation variables.

{{< sitevar-preferences >}}

Configuration

Authelia

{{< callout context="caution" title="Important Note" icon="outline/alert-triangle" >}} This configuration assumes you've configured the client_auth_method in GitLab as per below. If you have not done this, the default in GitLab will require the token_endpoint_auth_method changes to client_secret_post. {{< /callout >}}

The following YAML configuration is an example Authelia client configuration for use with GitLab which will operate with the application example:

yaml
identity_providers:
  oidc:
    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
    ## See: https://www.authelia.com/c/oidc
    clients:
      - client_id: 'gitlab'
        client_name: 'GitLab'
        client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
        public: false
        authorization_policy: 'two_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'https://gitlab.{{< sitevar name="domain" nojs="example.com" >}}/users/auth/openid_connect/callback'
        scopes:
          - 'openid'
          - 'profile'
          - 'groups'
          - 'email'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'

Application

To configure GitLab there is one method, using the Configuration File.

Configuration File

{{< callout context="tip" title="Did you know?" icon="outline/rocket" >}} Generally the configuration file is named gitlab.rb. {{< /callout >}}

To configure GitLab to utilize Authelia as an OpenID Connect 1.0 Provider, use the following configuration:

ruby
gitlab_rails['omniauth_providers'] = [
  {
    name: "openid_connect",
    label: "Authelia",
    icon: "https://www.authelia.com/images/branding/logo-cropped.png",
    args: {
      name: "openid_connect",
      strategy_class: "OmniAuth::Strategies::OpenIDConnect",
      issuer: "https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}",
      discovery: true,
      scope: ["openid","profile","email","groups"],
      client_auth_method: "basic",
      response_type: "code",
      response_mode: "query",
      uid_field: "preferred_username",
      send_scope_to_token_endpoint: true,
      pkce: true,
      client_options: {
        identifier: "gitlab",
        secret: "insecure_secret",
        redirect_uri: "https://gitlab.{{< sitevar name="domain" nojs="example.com" >}}/users/auth/openid_connect/callback"
      }
    }
  }
]

Groups

GitLab offers group mapping options with OpenID Connect 1.0, shamefully it's only for paid plans. However see the guide on how to configure it on their end.

Alternatively if GitLab is associated with LDAP you can use that as a group source, and you can configure a policy on Authelia to restrict which resource owners are allowed access to the client for free via a custom authorization_policy value.

See Also