As a user can choose to use an external identity provider in their profile like this:
The very same thing can be done by an administrator inside the GitLab admin GUI like this:
Now I'm trying to do the same thing via the REST API, and this is where I currently fail. I know this should be possible using the "sudo" right, and I also created a special API user within GitLab having all those rights, from which I use the token:
I'm using "Postman" to test this, and this is what it shows as a curl request:
curl --location --request PUT 'https://gitlab.internal.net/api/v4/users/68' \
--header 'Sudo: testuser' \
--header 'PRIVATE-TOKEN: **************************' \
--header 'Content-Type: application/json' \
--data-raw '{
    "identities": [
        {
            "provider": "openid_connect",
            "extern_uid": "testuser"
        }
    ]
}'
But this call gives back a 403:
{
    "message": "403 Forbidden"
}
OK, after a few hours of reading and testing I finally got it solved!
- First mistake: The user who needs to be named in the header field "Sudo" is not the user in question, but the API user for which one also gives the access token (private_token). This is why I got the "403", as I put my user in question ("testuser") in the sudo statement, but this user is not allowed to sudo.
In my case, the API user is called "rest-api" and the user in question is named "testuser", so I corrected the API call:
--header 'Sudo: rest-api' \
This means that even if I connect with an API user having high access, the user's properties are limited and I need to gain an extra level of security by telling it to "sudo" this API user (make him a super-user).
- Second mistake: When changing the identity provider settings, it is only possible to add one at a time, and so the params "provider" and "extern_uid" are to be named as singletons, not an array. So I changed my payload to:
{
    "provider": "openid_connect",
    "extern_uid": "testuser"
}
After sending this via the API, the user has been set to use the OpenID Connect profile for authentication.
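The corrected call from the post, as an added Python example (not code from the original post or from GitLab): it builds the PUT with the Sudo header and the singleton provider/extern_uid payload, reads the token from a GITLAB_TOKEN environment variable (an assumed name) instead of embedding it, and checks the returned user object for the newly linked identity.

```python
import json
import os
import urllib.error
import urllib.request

# Constructed values following the post: host, API user name, target user id
# and provider. The private token is read from the environment, never from code.
GITLAB_URL = "https://gitlab.internal.net"


def build_identity_update(api_user, token, user_id, provider, extern_uid):
    """Return (url, headers, body) for PUT /api/v4/users/:id linking ONE identity.

    provider/extern_uid are top-level singletons (one identity per call), not an
    "identities" array, and Sudo names the API user, as the post found to work.
    """
    url = f"{GITLAB_URL}/api/v4/users/{int(user_id)}"
    headers = {
        "PRIVATE-TOKEN": token,
        "Sudo": api_user,
        "Content-Type": "application/json",
    }
    body = json.dumps({"provider": provider, "extern_uid": extern_uid}).encode()
    return url, headers, body


def send(url, headers, body):
    """Issue the PUT; return (status, parsed JSON) for success and 4xx alike."""
    req = urllib.request.Request(url, data=body, headers=headers, method="PUT")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def identity_linked(user_obj, provider, extern_uid):
    """True if the user object returned by the API carries this identity."""
    return any(i.get("provider") == provider and i.get("extern_uid") == extern_uid
               for i in user_obj.get("identities", []))


if __name__ == "__main__":
    token = os.environ["GITLAB_TOKEN"]  # assumed variable name
    url, headers, body = build_identity_update("rest-api", token, 68,
                                               "openid_connect", "testuser")
    status, data = send(url, headers, body)
    if status == 403:
        print("403 Forbidden: Sudo must name an account allowed to sudo")
    elif identity_linked(data, "openid_connect", "testuser"):
        print("identity linked")
    else:
        print(f"unexpected response {status}: {data}")
```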