I’ve configured my GitLab instance with OmniAuth to use a Keycloak server as an OAuth2 provider. This is working fine, users can log in to GitLab with their Keycloak account.
In addition, I’d like to use the GitLab API with an OAuth2 token to authenticate, for instance: curl --header "Authorization: Bearer OAUTH-TOKEN" https://gitlab.example.com/api/v4/projects
On the Keycloak side, I’ve created a ‘gitlab’ client in a realm, with the following settings:
Client ID = gitlab
Enabled = ON
Consent Required = OFF
Client Protocol = openid-connect
Access Type = confidential
Standard Flow Enabled = ON
Implicit Flow Enabled = OFF
Direct Access Grants Enabled = OFF
Service Accounts Enabled = ON
Authorization Enabled = ON
Client Authenticator = Client Id and Secret
Secret = mysecret
gitlab.rb:
```ruby
### OmniAuth Settings
###! Docs: https://docs.gitlab.com/ce/integration/omniauth.html
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['oauth2_generic']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_providers'] = [
  {
    'name' => 'oauth2_generic',
    'app_id' => 'gitlab',
    'app_secret' => 'mysecret',
    'args' => {
      client_options: {
        'site' => 'http://keycloak.local', # including port if necessary
        'authorize_url' => '/auth/realms/myrealm/protocol/openid-connect/auth',
        'user_info_url' => '/auth/realms/myrealm/protocol/openid-connect/userinfo',
        'token_url' => '/auth/realms/myrealm/protocol/openid-connect/token'
      },
      user_response_structure: {
        # root_path: ['user'], # i.e. if attributes are returned in JsonAPI format (in a 'user' node nested under a 'data' node)
        attributes: { email: 'email', first_name: 'given_name', last_name: 'family_name', name: 'name', nickname: 'preferred_username' }, # if the nickname attribute of a user is called 'username'
        id_path: 'preferred_username'
      },
      # optionally, you can add the following two lines to "white label" the display name
      # of this strategy (appears in urls and Gitlab login buttons)
      # If you do this, you must also replace oauth2_generic, everywhere it appears above, with the new name.
      # name: 'Satorix', # display name for this strategy
      # strategy_class: "OmniAuth::Strategies::OAuth2Generic" # Devise-specific config option Gitlab uses to find renamed strategy
    }
  }
]
```
Don’t forget to run "gitlab-ctl reconfigure" to put this into effect.
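One check worth running against the client_options above, as an added example that is not code from the post: it compares the three hard-coded endpoint paths with what the realm's OIDC discovery document advertises, since a stale path (for example the /auth prefix that Keycloak dropped in its Quarkus-based releases) makes the login flow fail at the token or userinfo step. The well-known URL layout and the sample discovery document are assumptions.

```python
"""Compare gitlab.rb oauth2_generic client_options with the realm's OIDC discovery document."""
import json
import urllib.request
from urllib.parse import urljoin

# client_options exactly as configured in gitlab.rb (site = Keycloak base URL)
CLIENT_OPTIONS = {
    "site": "http://keycloak.local",
    "authorize_url": "/auth/realms/myrealm/protocol/openid-connect/auth",
    "user_info_url": "/auth/realms/myrealm/protocol/openid-connect/userinfo",
    "token_url": "/auth/realms/myrealm/protocol/openid-connect/token",
}

# gitlab.rb key -> discovery-document key that must advertise the same URL
ENDPOINT_KEYS = {
    "authorize_url": "authorization_endpoint",
    "token_url": "token_endpoint",
    "user_info_url": "userinfo_endpoint",
}

# Constructed sample: what a Keycloak without the legacy /auth prefix would return
SAMPLE_DISCOVERY = {
    "issuer": "http://keycloak.local/realms/myrealm",
    "authorization_endpoint": "http://keycloak.local/realms/myrealm/protocol/openid-connect/auth",
    "token_endpoint": "http://keycloak.local/realms/myrealm/protocol/openid-connect/token",
    "userinfo_endpoint": "http://keycloak.local/realms/myrealm/protocol/openid-connect/userinfo",
}

def discovery_url(site, realm, legacy_prefix=True):
    """Well-known URL of a realm; older Keycloak releases mount everything under /auth."""
    prefix = "/auth" if legacy_prefix else ""
    return f"{site.rstrip('/')}{prefix}/realms/{realm}/.well-known/openid-configuration"

def fetch_discovery(url):
    """Download and parse the discovery document (network; not used by the offline check)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)

def check_client_options(client_options, discovery):
    """Return {gitlab_rb_key: (configured_url, advertised_url)} for every endpoint that differs."""
    site = client_options["site"]
    mismatches = {}
    for opt_key, disc_key in ENDPOINT_KEYS.items():
        configured = urljoin(site, client_options[opt_key])  # resolve path against site
        advertised = discovery.get(disc_key)
        if configured != advertised:
            mismatches[opt_key] = (configured, advertised)
    return mismatches

if __name__ == "__main__":
    for key, (have, want) in check_client_options(CLIENT_OPTIONS, SAMPLE_DISCOVERY).items():
        print(f"{key}: configured {have} but realm advertises {want}")
```

Replace SAMPLE_DISCOVERY with `fetch_discovery(discovery_url(site, "myrealm"))` to test a live realm; an empty result means the three paths agree with the realm.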
Did you ever find a solution for your problem? We have the same problem, we are using Keycloak but cannot call the GitLab API with access tokens from Keycloak.