GitLab SaaS acting as OIDC IdP: auth works with existing GitLab session, but does not work when signing in

Hi! I have the following situation: a client application with OIDC provided by AWS Cognito, which in turn uses GitLab as an OIDC IdP. Authentication through GitLab works when the user has an existing GitLab session, but fails with a 502 Bad Request when the user has to sign into GitLab.

Detailed layers:

  • GitLab acting as an OIDC IdP. User application created with openid, email, profile scopes. “Confidential” is checked. Callback URL is the AWS Cognito page.
  • AWS Cognito user pool with the GitLab user application registered as an IdP.
  • Downstream oauth2-proxy client app configured with AWS Cognito user pool as OIDC issuer.

My expected sign-in flow:

  • User hits oauth2-proxy app, is redirected to Cognito login page.
  • User clicks “sign in with GitLab” and is redirected to GitLab login page.
  • User auths with GitLab, and bubbles back up to downstream app.

This works as expected if the user has an active GitLab session. But if the user has no GitLab session and needs to sign into GitLab, they get a 502 Bad Gateway right after signing in, on the GitLab /users/sign_in URL.

Has anyone experienced this situation before? Any idea how to proceed? I can’t think of a way to debug the flow without access to GitLab’s logs.
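One way to narrow down which hop returns the 502 without access to GitLab's logs is to walk the redirect chain manually, one hop at a time, recording each status and Location header instead of letting the HTTP client follow redirects. The script below is an added example, not code from the original post; the hostnames and the offline sample chain are constructed placeholders, and the live fetcher covers GET hops only (the sign-in form POST itself is not reproduced).

```python
"""Hop-by-hop trace of an OIDC sign-in redirect chain (added example, not
from the original post). Redirects are followed manually so the exact hop
returning a 5xx, e.g. GitLab /users/sign_in, is visible without server logs."""
import urllib.error
import urllib.request
from urllib.parse import urljoin


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from auto-following redirects so every hop is recorded."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url):
    """Real fetcher: returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all land here
        return err.code, err.headers.get("Location")


def trace_redirects(start_url, fetch=http_fetch, max_hops=10):
    """Return [(url, status, location), ...] up to the first non-3xx hop."""
    hops, url = [], start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        hops.append((url, status, location))
        if not (300 <= status < 400) or not location:
            break
        url = urljoin(url, location)  # Location may be relative
    return hops


def failing_hop(hops):
    """First hop with a 5xx status (the one to report to the IdP), or None."""
    return next((h for h in hops if h[1] >= 500), None)


# Constructed offline chain mirroring the post's layers (placeholder hosts):
# Cognito hosted UI -> GitLab authorize -> GitLab sign-in page (502 here).
FAKE_CHAIN = {
    "https://auth.example.invalid/oauth2/authorize?identity_provider=GitLab":
        (302, "https://gitlab.example.invalid/oauth/authorize?client_id=x"),
    "https://gitlab.example.invalid/oauth/authorize?client_id=x":
        (302, "/users/sign_in"),
    "https://gitlab.example.invalid/users/sign_in": (502, None),
}


def fake_fetch(url):
    """Offline stand-in for http_fetch, backed by FAKE_CHAIN."""
    return FAKE_CHAIN.get(url, (404, None))
```

Run `trace_redirects(<your Cognito authorize URL>)` against the real chain and compare the hop list with `failing_hop()`; a 5xx at the GitLab hop, with the preceding 302s intact, points at GitLab rather than at Cognito or oauth2-proxy.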