I want to use OpenID Connect to log in to GitLab. I can post the correct URL to the OpenID Connect provider and get the code back; however, then the 500 error happens.
```
==> /var/log/gitlab/gitlab-workhorse/current <==
{"correlation_id":"FT8dVCGXg92","duration_ms":231,"host":"192.168.1.2:8081","level":"info","method":"GET","msg":"access","proto":"HTTP/1.1","referrer":"","remote_addr":"127.0.0.1:0","remote_ip":"127.0.0.1","status":500,"system":"http","time":"2019-09-06T14:46:56+08:00","uri":"/users/auth/openid_connect/callback?state=205d1***********bcfa56a\u0026code=1effd7a9b82d4*******44c44321cea","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36","written_bytes":2926}

==> /var/log/gitlab/nginx/gitlab_access.log <==
10.240.173.74 - - [06/Sep/2019:14:46:56 +0800] "GET /users/auth/openid_connect/callback?state=205d17efc*******8babcfa56a&code=1effd7a*********321cea HTTP/1.1" 500 2926 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36"

==> /var/log/gitlab/gitlab-rails/production.log <==
Started GET "/users/auth/openid_connect/callback?state=205d17efcd***********abcfa56a&code=[FILTERED]" for 10.240.173.74 at 2019-09-06 14:46:55 +0800

JSON::JWK::Set::KidNotFound (JSON::JWK::Set::KidNotFound):
lib/gitlab/middleware/multipart.rb:103:in `call'
lib/gitlab/request_profiler/middleware.rb:17:in `call'
lib/gitlab/middleware/go.rb:20:in `call'
lib/gitlab/etag_caching/middleware.rb:13:in `call'
lib/gitlab/middleware/correlation_id.rb:16:in `block in call'
lib/gitlab/middleware/correlation_id.rb:15:in `call'
lib/gitlab/middleware/read_only/controller.rb:40:in `call'
lib/gitlab/middleware/read_only.rb:18:in `call'
lib/gitlab/middleware/basic_health_check.rb:25:in `call'
lib/gitlab/request_context.rb:26:in `call'
lib/gitlab/metrics/requests_rack_middleware.rb:29:in `call'
lib/gitlab/middleware/release_env.rb:12:in `call'
```
The config of the omniauth openid_connect provider is as below:
```ruby
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "openid_connect",
    "label" => "test",
    "args" => {
      "name" => "openid_connect",
      "scope" => ['openid', 'nickname', 'email', 'fullname'],
      "response_type" => "code",
      "issuer" => "OpenID Connect provider Url",
      "discovery" => true,
      "client_auth_method" => "query",
      "client_options" => {
        "identifier" => "576**********dfd84",
        "secret" => "7e22d33**********5dfd84",
        "redirect_uri" => "http://192.168.1.2:8081/users/auth/openid_connect/callback",
      }
    }
  }
]
```
It looks like JWK works wrong, but I don't know why.
Omnibus GitLab runs in Docker and the version of GitLab is:
```
System:
Current User: git
Using RVM: no
Ruby Version: 2.6.3p62
Gem Version: 2.7.9
Bundler Version:1.17.3
Rake Version: 12.3.2
Redis Version: 3.2.12
Git Version: 2.22.0
Sidekiq Version:5.2.7
Go Version: unknown

GitLab information
Version: 12.2.3
Revision: 13598699b0a
DB Adapter: PostgreSQL
DB Version: 10.9
Using LDAP: no
Using Omniauth: yes
Omniauth Providers: openid_connect
```
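The `KidNotFound` above is raised when the `kid` in the ID token's JOSE header matches no key in the JWK set served at the provider's `jwks_uri`. The following added diagnostic (not from the original post or from GitLab) reproduces that lookup offline against a constructed JWK set and constructed unsigned tokens, so the mismatch can be seen before involving GitLab; it approximates the matching rule of the json-jwt gem rather than reusing its code, and does no signature verification.

```python
import base64
import json

# Constructed sample JWK set, shaped like a provider's jwks_uri response (dummy key material).
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "key-2019-08", "use": "sig", "alg": "RS256", "n": "AAA", "e": "AQAB"},
        {"kty": "RSA", "use": "sig", "alg": "RS256", "n": "BBB", "e": "AQAB"},  # published without a kid
    ]
}


class KidNotFound(Exception):
    """Same condition GitLab surfaces as JSON::JWK::Set::KidNotFound."""


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_header(id_token: str) -> dict:
    """Return the JOSE header of a compact JWT; the signature is not checked here."""
    return json.loads(b64url_decode(id_token.split(".")[0]))


def make_token(header: dict) -> str:
    """Build a constructed, unsigned compact JWT for testing (payload and signature are dummies)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg(header), seg({"sub": "alice"}), "dummysig"])


def select_jwk(jwks: dict, id_token: str) -> dict:
    """Pick the JWK whose kid equals the token header's kid (a missing kid only matches a key without one)."""
    kid = jwt_header(id_token).get("kid")
    keys = jwks.get("keys", [])
    for key in keys:
        if key.get("kid") == kid:
            return key  # the caller would verify the token signature with this key
    raise KidNotFound(f"kid {kid!r} not in JWKS kids {[k.get('kid') for k in keys]}")


def diagnose(jwks: dict, id_token: str) -> str:
    """Return 'ok' or a one-line explanation of why the key lookup fails."""
    try:
        select_jwk(jwks, id_token)
        return "ok"
    except KidNotFound as exc:
        return str(exc)
```

A token whose `kid` names a rotated or unpublished key, or a provider that signs with a `kid` it never lists at `jwks_uri`, produces exactly the mismatch this reports.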