How to grant users admin rights when logging in via Keycloak OIDC?


We have successfully connected GitLab to a Keycloak instance via OIDC. The users are able to log in to GitLab via the Keycloak SSO. Now we are facing the following challenge: based on the group membership in Keycloak, the users should be granted administrative access to the GitLab instance. We are completely lost here, since the documentation is not very descriptive.
What we tried so far:

  • We created a groups mapper in Keycloak. Name: groups, Token Claim Name: groups, Mapper Type: User Realm Role.
  • We edited the OIDC connection definition in GitLab by adding a key groups: groups to the user_response_structure.
    And now we’re here.

Unfortunately the usual Google results mostly show settings for a SAML connection from GitLab to the SSO, but we want OIDC. For OIDC the results mostly show the usage of GitLab as the identity provider, but it should use Keycloak as the identity provider.

There seem to be other posts in this forum where people have similar problems, unfortunately none of them have good solutions, or answers at all.

Any help would be appreciated. Thanks.


@simonszu Were you able to solve this issue? We are facing the same issue currently.
The settings related to OIDC in my gitlab.rb file are as follows.
The OIDC IdP is a Keycloak instance.

My GitLab version is gitlab-ce 15.9.2-ce.

Ref docs: OpenID Connect OmniAuth provider


gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_providers'] = [{
  'name' => 'openid_connect',
  'label' => 'Keycloak',
  'args' => {
    'name' => 'openid_connect',
    'scope' => ['openid', 'profile', 'email'],
    'response_type' => 'code',
    'issuer' => '{KEYCLOAK-URL}/realms/{KEYCLOAK-REALM}',
    # discovery is off, so every endpoint is given explicitly below
    'discovery' => false,
    'uid_field' => 'preferred_username',
    'client_auth_method' => 'query',
    'send_scope_to_token_endpoint' => false,
    client_options: {
      'identifier' => 'gitlab',
      'secret' => 'ew3I5ItdSW0sTWw6HUuf6yg5r802QgxO',
      'redirect_uri' => '{GITLAB-URL}/users/auth/openid_connect/callback',
      'authorization_endpoint' => '{KEYCLOAK-URL}/realms/{KEYCLOAK-REALM}/protocol/openid-connect/auth',
      'token_endpoint' => '{KEYCLOAK-URL}/realms/{KEYCLOAK-REALM}/protocol/openid-connect/token',
      'userinfo_endpoint' => '{KEYCLOAK-URL}/realms/{KEYCLOAK-REALM}/protocol/openid-connect/userinfo',
      'jwks_uri' => '{KEYCLOAK-URL}/realms/{KEYCLOAK-REALM}/protocol/openid-connect/certs',
      # group-to-role mapping: the claim carrying the groups, and which groups get admin
      gitlab: {
        groups_attribute: 'groups',
        admin_groups: ["Admins"]
      }
    }
  }
}]

This feature was released in 15.10 and is a Premium feature. It is not available in Community Edition at the moment.
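Before changing gitlab.rb it is worth confirming that Keycloak actually sends the groups claim in the shape the gitlab: options expect. The following is an added example written for this thread, not GitLab's code and not from either poster: it models the documented group-to-role options in Ruby, takes the claims GitLab would receive (userinfo or ID token) together with the gitlab: sub-hash from the config above, checks that the claim named by groups_attribute is present and is an array of strings, and reports which roles that membership would yield. The claim payloads are constructed; the required_groups, auditor_groups and external_groups keys come from GitLab's documentation of the same options, and the group names Auditors, Contractors, Developers and Guests are made up. The evaluation is a model of the documented behaviour, not GitLab's implementation, and the two failing payloads illustrate the usual Keycloak mapper pitfalls: a mapper with Multivalued switched off emits a single string, and a mapper not added to the ID token or userinfo emits nothing at all.

```ruby
require 'json'

# Constructed userinfo / ID-token payloads (not captured from the thread).
# CLAIMS_OK is what a correctly configured Keycloak "User Realm Role" mapper
# produces (Multivalued on, Token Claim Name "groups"); CLAIMS_SCALAR is the
# single-string shape produced when Multivalued is off; CLAIMS_MISSING lacks the
# claim entirely (mapper not added to the token/userinfo GitLab reads);
# CLAIMS_GUEST carries a valid array but no group that gates sign-in.
CLAIMS_OK      = JSON.parse('{"sub":"a1b2","preferred_username":"alice","groups":["Admins","Developers"]}')
CLAIMS_SCALAR  = JSON.parse('{"sub":"c3d4","preferred_username":"bob","groups":"Admins"}')
CLAIMS_MISSING = JSON.parse('{"sub":"e5f6","preferred_username":"carol"}')
CLAIMS_GUEST   = JSON.parse('{"sub":"g7h8","preferred_username":"dave","groups":["Guests"]}')

# The gitlab: sub-hash from the omniauth_providers entry in the thread, with the
# other group-role keys documented by GitLab filled in with constructed names.
GITLAB_OPTS = {
  groups_attribute: 'groups',
  admin_groups:     ['Admins'],
  auditor_groups:   ['Auditors'],
  external_groups:  ['Contractors'],
  required_groups:  ['Developers', 'Admins']
}

# Return [groups, nil] when the claim is an Array of Strings, otherwise
# [nil, reason] describing why GitLab could not use it.
def extract_groups(claims, opts)
  raw = claims[opts[:groups_attribute]]
  return [nil, "claim '#{opts[:groups_attribute]}' not present in response"] if raw.nil?
  return [nil, "claim is a #{raw.class}, expected an Array (enable Multivalued on the mapper)"] unless raw.is_a?(Array)
  return [nil, 'claim contains non-string entries'] unless raw.all? { |g| g.is_a?(String) }
  [raw, nil]
end

# Model of the documented option semantics: required_groups gates sign-in
# (membership in at least one), admin/auditor/external are membership flags.
def evaluate(claims, opts)
  groups, err = extract_groups(claims, opts)
  return { allowed: false, error: err } if err

  required = opts[:required_groups]
  allowed = required.nil? || required.empty? || (groups & required).any?
  {
    allowed:  allowed,
    admin:    (groups & opts.fetch(:admin_groups, [])).any?,
    auditor:  (groups & opts.fetch(:auditor_groups, [])).any?,
    external: (groups & opts.fetch(:external_groups, [])).any?,
    groups:   groups
  }
end

if __FILE__ == $PROGRAM_NAME
  [CLAIMS_OK, CLAIMS_SCALAR, CLAIMS_MISSING, CLAIMS_GUEST].each do |c|
    puts "#{c['preferred_username']}: #{evaluate(c, GITLAB_OPTS)}"
  end
end
```

Feed it the JSON returned by the Keycloak userinfo endpoint (or the decoded ID-token payload) for a test user; if the result carries an error, the mapper settings need fixing before any gitlab.rb change will have an effect. The licensing caveat in the answer above still applies: this only validates the claim, it does not make the mapping work on an edition or version that lacks the feature.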