Here is my problem:
I’m trying to link my GitLab server with my Keycloak server so I can sign in with single sign-on.
Following the documentation on the official GitLab website, I configured the gitlab.rb file.
I had a first problem that I solved by disabling the “discovery” parameter. I changed it to “false”.
Now I can access the authentication page of my SSO server, but when I enter my credentials, an error 500 appears: “Whoops, something went wrong on your end”.
When I go to the “production.log” I discover the following errors:
SSLError (self signed certificate)
or
ArgumentError (request URI must have schema. possibly add “http://”)
I’m seeing the same problem with ArgumentError (not the SSLError). I’m on the latest GitLab version with an Omnibus installation and the full log looks like this:
Started POST "/users/auth/openid_connect" for 1.2.3.37 at 2022-08-15 16:10:24 +0200
Processing by Gitlab::RequestForgeryProtection::Controller#index as HTML
Parameters: {"authenticity_token"=>"[FILTERED]"}
Completed 200 OK in 0ms (ActiveRecord: 0.0ms | Elasticsearch: 0.0ms | Allocations: 184)
Started GET "/users/auth/openid_connect/callback?code=[FILTERED]&state=3ef8a5660be9cf9aaf21a9d74937819e" for 1.2.3.37 at 2022-08-15 16:10:24 +0200
ArgumentError (Request URI must have schema. Possibly add 'http://' to the request URI?):
lib/gitlab/middleware/memory_report.rb:13:in `call'
lib/gitlab/middleware/speedscope.rb:13:in `call'
lib/gitlab/database/load_balancing/rack_middleware.rb:23:in `call'
lib/gitlab/jira/middleware.rb:19:in `call'
lib/gitlab/middleware/go.rb:20:in `call'
lib/gitlab/etag_caching/middleware.rb:21:in `call'
lib/gitlab/middleware/query_analyzer.rb:11:in `block in call'
lib/gitlab/database/query_analyzer.rb:37:in `within'
lib/gitlab/middleware/query_analyzer.rb:11:in `call'
lib/gitlab/middleware/multipart.rb:173:in `call'
lib/gitlab/middleware/read_only/controller.rb:50:in `call'
lib/gitlab/middleware/read_only.rb:18:in `call'
lib/gitlab/middleware/same_site_cookies.rb:27:in `call'
lib/gitlab/middleware/handle_malformed_strings.rb:21:in `call'
lib/gitlab/middleware/basic_health_check.rb:25:in `call'
lib/gitlab/middleware/handle_ip_spoof_attack_error.rb:25:in `call'
lib/gitlab/middleware/request_context.rb:21:in `call'
lib/gitlab/middleware/webhook_recursion_detection.rb:15:in `call'
config/initializers/fix_local_cache_middleware.rb:11:in `call'
lib/gitlab/middleware/compressed_json.rb:26:in `call'
lib/gitlab/middleware/rack_multipart_tempfile_factory.rb:19:in `call'
lib/gitlab/middleware/sidekiq_web_static.rb:20:in `call'
lib/gitlab/metrics/requests_rack_middleware.rb:77:in `call'
lib/gitlab/middleware/release_env.rb:13:in `call'
The remote server first receives a GET request to /oauth/authorize?client_id=[REDACTED]&nonce=[REDACTED]&redirect_uri=https%3A%2F%2Fgitlab.example.com%2Fusers%2Fauth%2Fopenid_connect%2Fcallback&response_type=code&scope=openid%20profile%20email&state=5016e686e867ae966f1696dd483d8ff3 and responds with a 302, then it receives a POST request to /oauth/token, where it responds with a 200. In both cases, it’s completely happy with all the arguments and has no warnings or errors in its log.
But the GitLab server somehow struggles with a request that seems to be missing the schema, although the schema is available in the redirect argument.
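As an added example (not code from either poster): with discovery off, every endpoint in the provider's client_options has to be spelled out, and the check below flags any that is not an absolute http(s) URL, which is the condition the "Request URI must have schema" error describes. The option key names follow the omniauth_openid_connect gem as I know it (assumed), and the hostnames, realm, identifier and secret are placeholders.

```ruby
require 'uri'

# Constructed example of the `args` hash of an openid_connect provider entry in
# gitlab.rb with discovery disabled. Hostnames, realm, identifier and secret are
# placeholders; the client_options key names are assumed from the
# omniauth_openid_connect gem.
OIDC_ARGS = {
  name: 'openid_connect',
  scope: %w[openid profile email],
  response_type: 'code',
  issuer: 'https://keycloak.example.com/realms/example',
  discovery: false,
  client_options: {
    identifier: 'gitlab',
    secret: 'PLACEHOLDER_SECRET',
    redirect_uri: 'https://gitlab.example.com/users/auth/openid_connect/callback',
    authorization_endpoint: 'https://keycloak.example.com/realms/example/protocol/openid-connect/auth',
    token_endpoint: 'https://keycloak.example.com/realms/example/protocol/openid-connect/token',
    # Deliberately incomplete: a bare path with no scheme or host, the shape of
    # value that an HTTP client refuses with "Request URI must have schema".
    userinfo_endpoint: '/realms/example/protocol/openid-connect/userinfo',
    jwks_uri: 'https://keycloak.example.com/realms/example/protocol/openid-connect/certs'
  }
}.freeze

ENDPOINT_KEYS = %i[redirect_uri authorization_endpoint token_endpoint
                   userinfo_endpoint jwks_uri end_session_endpoint].freeze

# Returns the client_options keys whose value is not an absolute http(s) URL.
# A bare path is only accepted when scheme and host are given separately,
# because then the client can build the full URL itself.
def incomplete_endpoints(args)
  opts = args[:client_options] || {}
  base_given = !opts[:scheme].nil? && !opts[:host].nil?
  ENDPOINT_KEYS.select do |key|
    value = opts[key]
    next false if value.nil?
    uri = URI.parse(value.to_s) rescue nil
    absolute = uri.is_a?(URI::HTTP) && !uri.host.nil?
    !absolute && !base_given
  end
end

# The issuer must be an absolute https URL: the ID token's iss claim is
# compared against it literally, so a missing scheme fails validation too.
def issuer_ok?(args)
  uri = URI.parse(args[:issuer].to_s) rescue nil
  uri.is_a?(URI::HTTPS) && !uri.host.nil?
end
```

Run it against the provider block from your own gitlab.rb before a `gitlab-ctl reconfigure`; the order of the log (token exchange succeeds, then the error) points at the endpoints used after /oauth/token, such as userinfo or jwks.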