Gitlab + Omniauth to login Keycloak, return "You need to sign in or sign up before continuing."

I am configuring my GitLab instance with OmniAuth to use a Keycloak server as an OAuth2 provider.
After entering the username/password on Keycloak and being redirected back to GitLab,
the GitLab UI shows "You need to sign in or sign up before continuing."

The gitlab.rb:

```ruby
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml', 'oauth2']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_providers'] = [
  {
    'name' => 'oauth2',
    'app_id' => 'gitlab_oauth',
    'app_secret' => '****',
    'args' => {
      # Keycloak endpoints, relative to 'site'
      'client_options': {
        'site' => 'https://keycloak.willy.com:8443',
        'user_info_url' => '/auth/realms/pangu/protocol/openid-connect/userinfo',
        'authorize_url' => '/auth/realms/pangu/protocol/openid-connect/auth',
        'token' => '/auth/realms/test/protocol/openid-connect/token'
      },
      # Mapping from the userinfo response to the user record
      'user_response_structure': {
        attribue: { nickname: 'preferred_username' },
        id_path: 'preferred_username'
      },
      'name': 'oauth',
      'strategy_class': 'OmniAuth::Strategies::OAuth2Generic',
      'redirect_url': 'https://gitlab.willy.com/users/auth/oauth2_generic/callback'
    }
  }
]
```

  1. I can see the OAuth button on the index page. Click it, and the page redirects to Keycloak.
  2. Input the user credentials on Keycloak and click login.
  3. The browser redirects back to GitLab.
  4. The UI shows: You need to sign in or sign up before continuing.
  5. The production log:

```
Redirected to https://gitlab.willy.com/users/sign_in
Filter chain halted as :redirect_unlogged_user rendered or redirected
Completed 302 Found in 27ms (ActiveRecord: 0.7ms | Elasticsearch: 0.0ms)
Started GET "/users/sign_in" for 172.16.106.91 at 2020-01-14 10:37:08 +0000
Processing by SessionsController#new as HTML
Completed 200 OK in 647ms (Views: 275.4ms | ActiveRecord: 17.4ms | Elasticsearch: 0.0ms)
Started POST "/users/auth/oauth" for 172.16.106.91 at 2020-01-14 10:37:13 +0000
Processing by Gitlab::RequestForgeryProtection::Controller#index as HTML
Parameters: {"authenticity_token"=>"[FILTERED]"}
Completed 200 OK in 1ms (ActiveRecord: 0.0ms | Elasticsearch: 0.0ms)
Started GET "/-/metrics" for 127.0.0.1 at 2020-01-14 10:37:17 +0000
Processing by MetricsController#index as HTML
Completed 200 OK in 6ms (Views: 0.4ms | ActiveRecord: 0.0ms | Elasticsearch: 0.0ms)
Started GET "/users/auth/oauth2_generic/callback?state=d5834a26d8c58d1d68a0e193e885c6919c632ddb7b974e06&session_state=767c9018-8f8d-4bf6-a8d0-64546e3b308c&code=[FILTERED]" for 172.16.106.91 at 2020-01-14 10:37:20 +0000
Processing by ApplicationController#route_not_found as HTML
Parameters: {"state"=>"d5834a26d8c58d1d68a0e193e885c6919c632ddb7b974e06", "session_state"=>"767c9018-8f8d-4bf6-a8d0-64546e3b308c", "code"=>"[FILTERED]", "unmatched_route"=>"users/auth/oauth2_generic/callback"}
Redirected to https://gitlab.willy.com/users/sign_in
Completed 302 Found in 270ms (ActiveRecord: 0.0ms | Elasticsearch: 0.0ms)
Started GET "/users/sign_in" for 172.16.106.91 at 2020-01-14 10:37:20 +0000
Processing by SessionsController#new as HTML
Completed 200 OK in 29ms (Views: 19.5ms | ActiveRecord: 1.3ms | Elasticsearch: 0.0ms)
```
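
Added example, not part of the original post and not GitLab's own code: a Ruby check that runs over the posted provider entry and reports the inconsistencies visible in it. The log shows the sign-in request going to `/users/auth/oauth` while the callback for `/users/auth/oauth2_generic/callback` ends in `route_not_found`. The helper names `lint_provider` and `stringify` are hypothetical, the key lists are the options documented for the omniauth-oauth2-generic strategy, and the rule that the outer name, the `args` name and the `redirect_url` segment must agree is an assumption based on the `/users/auth/<name>/callback` route pattern in the log.

```ruby
require 'uri'

# Option names documented by the omniauth-oauth2-generic strategy (assumed complete here).
CLIENT_KEYS = %w[site user_info_url authorize_url token_url].freeze
STRUCTURE_KEYS = %w[root_path id_path attributes].freeze

def stringify(hash)
  (hash || {}).transform_keys(&:to_s)
end

# Hypothetical helper: returns a list of findings for one omniauth_providers entry.
def lint_provider(provider)
  provider = stringify(provider)
  args = stringify(provider['args'])
  opts = stringify(args['client_options'])
  struct = stringify(args['user_response_structure'])
  findings = []

  # Assumption: the callback route is /users/auth/<name>/callback, so the outer name,
  # the args name and the redirect_url path segment should all agree.
  segment = URI(args['redirect_url'].to_s).path.to_s[%r{\A/users/auth/([^/]+)/callback\z}, 1]
  names = { 'name' => provider['name'], 'args.name' => args['name'], 'redirect_url' => segment }.compact
  if names.values.uniq.size > 1
    findings << "provider name mismatch: #{names.map { |k, v| "#{k}=#{v}" }.join(', ')}"
  end

  # Keys outside the documented set are probably typos.
  (opts.keys - CLIENT_KEYS).each { |k| findings << "unknown client_options key: #{k}" }
  (struct.keys - STRUCTURE_KEYS).each { |k| findings << "unknown user_response_structure key: #{k}" }

  # Every Keycloak endpoint should belong to the same realm.
  realms = opts.values.map { |v| v.to_s[%r{/realms/([^/]+)/}, 1] }.compact.uniq
  findings << "endpoints span several realms: #{realms.join(', ')}" if realms.size > 1
  findings
end

# The entry from the post, retyped with straight quotes; the secret is a placeholder.
POSTED = {
  'name' => 'oauth2', 'app_id' => 'gitlab_oauth', 'app_secret' => 'PLACEHOLDER',
  'args' => {
    client_options: { site: 'https://keycloak.willy.com:8443',
                      user_info_url: '/auth/realms/pangu/protocol/openid-connect/userinfo',
                      authorize_url: '/auth/realms/pangu/protocol/openid-connect/auth',
                      token: '/auth/realms/test/protocol/openid-connect/token' },
    user_response_structure: { attribue: { nickname: 'preferred_username' }, id_path: 'preferred_username' },
    name: 'oauth', strategy_class: 'OmniAuth::Strategies::OAuth2Generic',
    redirect_url: 'https://gitlab.willy.com/users/auth/oauth2_generic/callback'
  }
}.freeze

puts lint_provider(POSTED) if $PROGRAM_NAME == __FILE__
```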