Interaction of external OIDC and ssh clone/push


Intro / Background
I have a setup of Keycloak (OIDC Provider) and GitLab (authentication via OIDC) which works just fine. Users can sign-in as soon as their account has been created in Keycloak. But now, when the user uploads an ssh-public key in GitLab, he can even use his account, and push to repositories although he was disabled / deleted in Keycloak.

For me this behavior is rather strange and leads to security issues (I have to disable Accounts in two Places, Keycloak and GitLab).

Here the relevant questions

  • Is there any setting in GitLab where I can force that the external OIDC provider is always queried if the User that wants to interact with a repository has not been disabled or deleted?
  • If this is not possible, will switching to SAML Authentication prevent that issue?

Additional Information to the setup

  • GitLab is running via the official docker image, currently in version 13.5.4-ce.0
  • the docker-compose file which starts gitlab, also contains our custom config regarding the ‘openid_connect’ ominauth_provider
  • Keycloak is also running as docker image in version 11.0.3

Thank you for your help!

Short follow up, I still did not manage to find a solution, can anyone here help?

Coming back to this issue again, I still found no possibility to change this behavior. It would be great if someone else could help.