Hi, we’re currently running 11.4.0-ee, and have configured OmniAuth to allow for authentication using our Google Apps for Business accounts. This works perfectly for our organisation users, however, we do not have the facility to allow external users to authenticate using their email addresses.
According to the OmniAuth documentation (https://docs.gitlab.com/ce/integration/omniauth.html) “Configuring OmniAuth does not prevent standard GitLab authentication or LDAP (if configured) from continuing to work. Users can choose to sign in using any of the configured mechanisms.” However, when accessing out GitLab website, any user who has not already authenticated with the browser using a valid domain Google account is presented with a 403 error, org_internal. If we change the Google API Oauth consent screen authentication type to public (from internal) we get presented with the option to login with a different Google account but this is not the functionality we require (and, in fact, doesn’t work in any case with a “too many redirects” error - but that is a separate matter). There does not appear to be any mechanism to allow for authentication using GitLab’s internal user credential database when OmniAuth is enabled despite documentation to contrary.
Our OmniAuth settings in /etc/gitlab/gitlab.rb are:
OmniAuth Settings
###! Docs: https://docs.gitlab.com/ce/integration/omniauth.html
gitlab_rails[‘omniauth_enabled’] = true
gitlab_rails[‘omniauth_allow_single_sign_on’] = [‘google_oauth2’]
# gitlab_rails[‘omniauth_sync_email_from_provider’] = ‘saml’
# gitlab_rails[‘omniauth_sync_profile_from_provider’] = [‘saml’]
# gitlab_rails[‘omniauth_sync_profile_attributes’] = [‘email’]
# gitlab_rails[‘omniauth_auto_sign_in_with_provider’] = ‘google_oauth2’
gitlab_rails[‘omniauth_block_auto_created_users’] = false
# gitlab_rails[‘omniauth_auto_link_ldap_user’] = false
# gitlab_rails[‘omniauth_auto_link_saml_user’] = true
# gitlab_rails[‘omniauth_external_providers’] = [‘google_oauth2’]
gitlab_rails[‘omniauth_providers’] = [
{
“name” => “google_oauth2”,
“app_id” => “[REDACTED]”,
“app_secret” => “[REDACTED]”,
“args” => { “access_type” => “offline”, “approval_prompt” => “” }
}
]
I note that there was a similar question in April 2017, but there were no apparent responses.
Has anyone encountered a similar issue and has been able to solve the problem?
Thanks in advance.