Intro / Background
I have a setup of Keycloak (OIDC provider) and GitLab (authentication via OIDC) which works just fine. Users can sign in as soon as their account has been created in Keycloak. But now, when the user uploads an SSH public key in GitLab, he can still use his account and push to repositories although he was disabled / deleted in Keycloak.
For me this behavior is rather strange and leads to security issues (I have to disable accounts in two places, Keycloak and GitLab).
Here are the relevant questions:
- Is there any setting in GitLab where I can force that the external OIDC provider is always queried to check that the user who wants to interact with a repository has not been disabled or deleted?
- If this is not possible, will switching to SAML authentication prevent that issue?
Additional information about the setup
- GitLab is running via the official docker image, currently in version 13.5.4-ce.0
- the docker-compose file which starts GitLab also contains our custom config for the ‘openid_connect’ omniauth provider
- Keycloak is also running as docker image in version 11.0.3
Thank you for your help!
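The behaviour described in the post (an SSH key keeps working after the Keycloak account is disabled or deleted) comes from GitLab authenticating SSH pushes by key lookup alone, without re-contacting the identity provider. Until GitLab is told to block the account, nothing stops the push. The script below is an added example, not code from the poster, GitLab or Keycloak: it reconciles a snapshot of Keycloak's user list against GitLab's user list and computes the block (and optionally unblock) actions GitLab needs. It assumes that GitLab stores the OIDC `sub` claim as the identity's `extern_uid` and that Keycloak's `sub` is the user id returned by its admin API (Keycloak's default); the two user lists and the `gitlab.example.com` host are constructed sample data shaped like the respective APIs.

```python
"""Reconcile Keycloak account state into GitLab user state.

GitLab does not contact the OIDC provider when a user authenticates with an
SSH key, so an account that was disabled or deleted in Keycloak keeps working
until it is blocked in GitLab too. This script computes the GitLab block /
unblock actions needed to make the two agree. Assumptions: GitLab stores the
OIDC `sub` claim as the identity's `extern_uid`, and Keycloak's `sub` is the
user's id from the admin API. All data below is constructed sample input.
"""
from dataclasses import dataclass

PROVIDER = "openid_connect"  # omniauth provider name used in the GitLab config

# Constructed: shape of GET /admin/realms/{realm}/users from the Keycloak admin API.
KEYCLOAK_USERS = [
    {"id": "6c0d6a1e-0001-4000-8000-000000000001", "username": "alice", "enabled": True},
    {"id": "6c0d6a1e-0001-4000-8000-000000000002", "username": "bob", "enabled": False},
    {"id": "6c0d6a1e-0001-4000-8000-000000000005", "username": "dave", "enabled": True},
    # "carol" was deleted in Keycloak, so she no longer appears here at all.
]

# Constructed: shape of GET /api/v4/users (admin token) from GitLab, fields used only.
GITLAB_USERS = [
    {"id": 1, "username": "root", "state": "active", "identities": []},
    {"id": 2, "username": "alice", "state": "active",
     "identities": [{"provider": PROVIDER, "extern_uid": "6c0d6a1e-0001-4000-8000-000000000001"}]},
    {"id": 3, "username": "bob", "state": "active",
     "identities": [{"provider": PROVIDER, "extern_uid": "6c0d6a1e-0001-4000-8000-000000000002"}]},
    {"id": 4, "username": "carol", "state": "active",
     "identities": [{"provider": PROVIDER, "extern_uid": "6c0d6a1e-0001-4000-8000-000000000003"}]},
    {"id": 5, "username": "dave", "state": "blocked",
     "identities": [{"provider": PROVIDER, "extern_uid": "6c0d6a1e-0001-4000-8000-000000000005"}]},
]


@dataclass(frozen=True)
class Action:
    gitlab_id: int
    username: str
    op: str       # "block" or "unblock"
    reason: str


def reconcile(keycloak_users, gitlab_users, provider=PROVIDER, unblock=False):
    """Return the GitLab actions that bring OIDC-backed users in line with Keycloak.

    Users without an identity for `provider` (local accounts such as root) are
    left alone. Blocking is always proposed; unblocking is opt-in because GitLab
    keeps no record of why an account was blocked, and it may have been blocked
    for a reason unrelated to Keycloak.
    """
    enabled_by_sub = {u["id"]: bool(u.get("enabled")) for u in keycloak_users}
    actions = []
    for user in gitlab_users:
        subs = [i["extern_uid"] for i in user.get("identities", [])
                if i.get("provider") == provider]
        if not subs:
            continue  # local GitLab account, out of scope
        sub = subs[0]
        if sub not in enabled_by_sub:
            reason = "deleted in Keycloak"
        elif not enabled_by_sub[sub]:
            reason = "disabled in Keycloak"
        else:
            reason = None  # enabled in Keycloak
        if reason and user["state"] == "active":
            actions.append(Action(user["id"], user["username"], "block", reason))
        elif reason is None and unblock and user["state"] == "blocked":
            actions.append(Action(user["id"], user["username"], "unblock", "enabled in Keycloak"))
    return actions


def to_requests(actions, base_url="https://gitlab.example.com"):
    """Map actions onto GitLab's admin API calls (POST /users/:id/block|unblock).

    Returned as (method, url) pairs so this runs offline; a real run would send
    them with a PRIVATE-TOKEN header holding an administrator token.
    """
    return [("POST", f"{base_url}/api/v4/users/{a.gitlab_id}/{a.op}") for a in actions]


if __name__ == "__main__":
    for action in reconcile(KEYCLOAK_USERS, GITLAB_USERS, unblock=True):
        print(f"{action.op:7} {action.username:8} ({action.reason})")
    for method, url in to_requests(reconcile(KEYCLOAK_USERS, GITLAB_USERS)):
        print(method, url)
```

Run it on a schedule (or from a Keycloak event listener) with an administrator token, and an account disabled or deleted in Keycloak is blocked in GitLab within one interval, which also invalidates its SSH keys for pushes. Blocking rather than deleting keeps the user's projects and commit history intact.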