Cannot get azure_oauth2 to work right


I am trying to set up the OmniAuth Azure integration in Gitlab, and I can’t get it to work right.

I followed all the steps in and added the follwing configuration in gitlab.rb:

gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['azure_oauth2']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_providers'] = [
    "name" => "azure_oauth2",
    "args" => {
            "client_id" => "[REDACTED]",
            "client_secret" => "[REDACTED]",
            "tenant_id" => "[REDACTED]"

The login screen now shows a Windows/Azure icon and if I click it, I am redirected to the Azure AD login page. When I log in, Azure asks me if it’s OK for Gitlab to access my user profile. I click ‘OK’, and I get redirected back to Gitlab. So far, so good. I can see that my browser is accessing the OAuth callback URL, which I have set to


This request returns a 302 redirect back to https://gitlab.mydomain/users/sign_in. I am not logged in and no user has been created in Gitlab. Nothing related is logged in production.log.

So it seems the basic OAuth mechanism works as it should, except Gitlab doesn’t create a user and log it in. I am out of ideas of where to look.

BTW, if I set

gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'azure_oauth2'

I end up in a redirect loop, but that sounds kind of logical considering that logging in doesn’t work.

Any ideas about what could be wrong with my configuration?

Best regards,

With another oauth method, we had to specify the id_path so the reply could be read correctly (see Oauth2 authentication logs no extern_uid ). Not sure what happens here. But for tracking: the login info is logged into the application.log file, so that might help finding related log messages.

Thanks for your response. I found your earlier post when looking for answers the other day. I didn’t think it was relevant, because I’m not using a generic provider, but the built-in Azure support. I assumed that it would have the correct settings for reading and handling the response. Maybe I should dive into that a little deeper.

In any case, nothing at all is logged in application.log regarding OAuth login attempts.