Gitlab login via reverse proxy

Hi, Community

I’m pretty stuck and do not even know how to find a good title of my question.
Can I use Gitlab CE behind some portal handling all authentication which integrates gitlab as a reverse proxy? The user accessing gitlab would be already known to gitlab and gitlab would receive username via header from the portal but gitlab would need to fully trust this portal and not ask for any further authentication from the user.

So an upcomming git request would look like this:
git → portal → gitlab
The portal would handle the authentication from the git request and passing it to gitlab which fully trusts the portal and handling the request. So unlike SAML where a git clone via HTTPS requires an access token and the request directly goes to gitlab, gitlab would hide behind the portal.

Is there anything like it I’m trying to achieve?

Hi @CozyRob

I suppose it could work if you have same user base in portal and gitlab. Then your users will set his/her Personal Access token in portal. And the portal will impersonate the user using his/her PAT while communicating with GitLab.

Another option would be to use OAuth - OAuth 2.0 identity provider API | GitLab

1 Like

Hi @balonik
thanks for your answer.

  1. Option sounds possible with 1-2 options in my mind
  2. Option would work kinda like saml, gitlab has to be available with direct access to the client and not hidden behind portal. Further, if I’m correct, a git pull/push with OAuth would also need an access token (not Oauth token) from gitlab user or project directly.

Comming back to that task…

  1. Option is not possible because the access token cant be used to login, its only for api access, so clone and push would work

At this point i think this is not possible because gitlab doesnt support this use case