How to use "sudo" with REST-API to add identity-provider to user?

A user can choose to use an external identity-provider in his profile like this:

The very same thing can be done by an administrator inside the Gitlab admin GUI like this:

Now I’m trying to do the same thing via the REST-API and this is where I currently fail. I know this should be possible using the “sudo” right and I also created a special API user within GitLab having all those rights, from which I use the token:

I’m using “Postman” to test this and this is what it shows as a curl-request:

curl --location --request PUT 'https://gitlab.internal.net/api/v4/users/68' \
--header 'Sudo: testuser' \
--header 'PRIVATE-TOKEN: **************************' \
--header 'Content-Type: application/json' \
--data-raw '{
    "identities": [
            {
                "provider": "openid_connect",
                "extern_uid": "testuser"
            }
        ]
}'

But this call gives back a 403:

{
    "message": "403 Forbidden"
}

Ok, after a few hours of reading and testing I finally got it solved! :)

  1. mistake) The user who needs to be named in the header-field “Sudo” is not the user in question, but the API-user for whom one also gives the access-token (private_token). This is why I got the “403”, as I put my user in question (“testuser”) in the sudo statement, but this user is not allowed to sudo.

In my case, the API user is called “rest-api” and the user in question is named “testuser”, so I corrected the API call:

--header 'Sudo: rest-api' \

This means that even if I connect with an API-user having high access, the user's properties are limited and I need to gain an extra level of security by telling to “sudo” this API user (make him a super-user).

  2. mistake) When changing the identity provider settings, it is only possible to add one at a time, and so the params “provider” and “extern_uid” are to be named as singletons, not an array. So I changed my payload to:
{
   "provider": "openid_connect",
   "extern_uid": "testuser"
}

After sending this via the API, the user has been added to use the OpenID-Connect profile for authentication.
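
The corrected request from the post above, as an added example (not code from the original post or from GitLab): it turns the array the first attempt sent into one flat `provider`/`extern_uid` body per PUT. The helper name `identity_requests` and the `GITLAB_TOKEN` environment variable are assumptions; the host, user id and `Sudo` value are the ones shown in the post.

```python
import json
import os
import urllib.error
import urllib.request


def identity_requests(base_url, user_id, identities, token, sudo=None):
    """Build one PUT /api/v4/users/:id request per identity (nothing is sent).

    identity_requests is a hypothetical helper name, not part of GitLab.
    """
    # int() keeps anything but a numeric id out of the URL path.
    url = f"{base_url.rstrip('/')}/api/v4/users/{int(user_id)}"
    headers = {"PRIVATE-TOKEN": token, "Content-Type": "application/json"}
    if sudo:
        # The post sends the API user's own name here ("rest-api").
        headers["Sudo"] = sudo
    built = []
    for ident in identities:
        provider, extern_uid = ident.get("provider"), ident.get("extern_uid")
        if not provider or not extern_uid:
            raise ValueError(f"identity needs provider and extern_uid: {ident!r}")
        # Flat body as in the corrected payload: no "identities" array.
        body = json.dumps({"provider": provider, "extern_uid": extern_uid})
        built.append(urllib.request.Request(
            url, data=body.encode(), headers=dict(headers), method="PUT"))
    return built


if __name__ == "__main__":
    # The token is read from the environment (GITLAB_TOKEN is an assumed
    # variable name) so it is not hard-coded in the script.
    token = os.environ["GITLAB_TOKEN"]
    wanted = [{"provider": "openid_connect", "extern_uid": "testuser"}]
    for req in identity_requests("https://gitlab.internal.net", 68, wanted,
                                 token, sudo="rest-api"):
        try:
            with urllib.request.urlopen(req) as resp:
                print(resp.status, json.loads(req.data)["provider"])
        except urllib.error.HTTPError as err:
            # The post's first attempt ended here with "403 Forbidden".
            print(err.code, err.read().decode(errors="replace"))
```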