GitLab Omniauth openid-connect via Keycloak

I am trying to set up OmniAuth via openid-connect using Keycloak.

I can successfully authenticate in Keycloak. When redirecting back to Gitlab, I get the following

I followed the docs on OmniAuth via openid-connect and set the callback url as suggested.

GitLab runs at http://<domain>/gitlab.

Here is the full config

gitlab_rails['omniauth_providers'] = [
  { 'name' => 'openid_connect',
    'label' => 'Keycloak',
    'args' => {
      'name' => 'openid_connect',
      'scope' => ['openid','profile'],
      'response_type' => 'code',
      'issuer' => 'http://<domain>/auth/realms//<realm>',
      'discovery' => false,
      'uid_field' => 'uid',
      'client_auth_method' => 'query',
      'send_scope_to_token_endpoint' => false,
      'client_options' => {
        'identifier' => 'gitlab',
        'secret' => '<secret>',
        'authorization_endpoint' => 'http://<domain>/auth/realms/<realm>/protocol/openid-connect/auth',
        'token_endpoint' => 'http://<domain>/auth/realms/<realm>/protocol/openid-connect/token',
        'userinfo_endpoint' => 'http://<domain>/auth/realms/<realm>/protocol/openid-connect/userinfo',
        'redirect_uri' => 'http://<domain>/gitlab/users/auth/openid_connect/callback'
      }
    }
  }
]

In Keycloak I’ve set mappers for the following attributes:

  • “Name”
  • “Email”
  • “Username”

Does anyone have an idea what might be wrong?

I think the Keycloak authentication is fine. Something goes wrong with the GitLab callback handler?

Started POST "/users/auth/openid_connect" for 159.100.253.188 at 2020-10-17 07:25:24 +0000
Processing by Gitlab::RequestForgeryProtection::Controller#index as HTML
  Parameters: {"authenticity_token"=>"[FILTERED]"}
Completed 200 OK in 1ms (ActiveRecord: 0.0ms | Elasticsearch: 0.0ms | Allocations: 169)
Started GET "/users/auth/openid_connect/callback?state=4e1d5956b6e7e46683632cde9804b370&session_state=aa41a9a4-51bf-4f5f-acf1-135f0bfeb2e4&code=[FILTERED]" for 159.100.253.188 at 2020-10-17 07:25:25 +0000
Processing by OmniauthCallbacksController#failure as HTML
  Parameters: {"state"=>"4e1d5956b6e7e46683632cde9804b370", "session_state"=>"aa41a9a4-51bf-4f5f-acf1-135f0bfeb2e4", "code"=>"[FILTERED]"}
Redirected to https://<domain>/users/sign_in

To me it looks like the authentication first succeeds and then the “OmniauthCallbacksController” processes the failure page and redirects back to the sign-in. However, I see no logs explaining why or what happens.

If I only could see what is in the returned “code” part…

Not sure whether this is the problem, but you've got a duplicate slash in the issuer field. I had problems as well in discovery mode because I initially had a trailing slash in the issuer field. After I removed it, everything worked.
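Added here as an example, not code from this thread or from GitLab: a small Ruby check that compares a hand-written openid_connect 'args' block like the one in the question against the realm's discovery document, flagging the duplicate or trailing slash in the issuer that this reply describes and any manually set endpoint that differs from what Keycloak publishes. The host names, realm name 'demo' and the discovery document are constructed placeholders.

```ruby
require 'uri'

# Constructed sample: what Keycloak publishes at <issuer>/.well-known/openid-configuration
# for the realm (only the keys the check uses).
DISCOVERY = {
  'issuer' => 'http://idp.example.org/auth/realms/demo',
  'authorization_endpoint' => 'http://idp.example.org/auth/realms/demo/protocol/openid-connect/auth',
  'token_endpoint' => 'http://idp.example.org/auth/realms/demo/protocol/openid-connect/token',
  'userinfo_endpoint' => 'http://idp.example.org/auth/realms/demo/protocol/openid-connect/userinfo'
}.freeze

# Constructed provider 'args' block shaped like the one in the question, including
# its duplicate slash in the issuer (hosts and realm are placeholders).
BROKEN_ARGS = {
  'name' => 'openid_connect',
  'issuer' => 'http://idp.example.org/auth/realms//demo',
  'discovery' => false,
  'client_options' => {
    'authorization_endpoint' => DISCOVERY['authorization_endpoint'],
    'token_endpoint' => DISCOVERY['token_endpoint'],
    'userinfo_endpoint' => DISCOVERY['userinfo_endpoint'],
    'redirect_uri' => 'http://gitlab.example.org/gitlab/users/auth/openid_connect/callback'
  }
}.freeze

FIXED_ARGS = BROKEN_ARGS.merge('issuer' => DISCOVERY['issuer']).freeze

# Returns a list of problems; an empty list means the static config agrees with
# what the IdP publishes. gitlab_url is the instance's external URL (here with /gitlab).
def check_oidc_args(args, discovery, gitlab_url)
  problems = []
  issuer = args['issuer']
  path = URI(issuer).path
  problems << "issuer has a duplicate slash: #{issuer}" if path.include?('//')
  problems << "issuer has a trailing slash: #{issuer}" if path.end_with?('/')
  # The configured issuer is compared byte-for-byte with the id_token's iss claim,
  # so any difference from the published value makes token validation fail.
  problems << "issuer #{issuer} != published #{discovery['issuer']}" unless issuer == discovery['issuer']
  %w[authorization_endpoint token_endpoint userinfo_endpoint].each do |key|
    configured = args.dig('client_options', key)
    problems << "#{key}: #{configured} != published #{discovery[key]}" unless configured == discovery[key]
  end
  # OmniAuth's callback path is /users/auth/<provider name>/callback under the external URL.
  expected = "#{gitlab_url.chomp('/')}/users/auth/#{args['name']}/callback"
  redirect = args.dig('client_options', 'redirect_uri')
  problems << "redirect_uri #{redirect} != #{expected}" unless redirect == expected
  problems
end

puts check_oidc_args(BROKEN_ARGS, DISCOVERY, 'http://gitlab.example.org/gitlab')
```

Running it against the broken block reports the duplicate slash and the resulting issuer mismatch; against FIXED_ARGS it reports nothing.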

Thanks, this was just a typo when creating the question.

I’ve tried lots of different configs but no success.

OpenID-connect works instantly in Gitea but GitLab seems to be broken?