Omniauth + Gitlab API with Oauth2 token

Hello,

I’ve configured my Gitlab instance with Omniauth to use a Keycloak server as an Oauth2 provider. This is working fine, users can log in to Gitlab with their Keycloak account.

In addition, I'd like to use the Gitlab API with an OAuth2 token to authenticate, for instance: curl --header "Authorization: Bearer OAUTH-TOKEN" https://gitlab.example.com/api/v4/projects

Actually, I can use an access token provided by my Gitlab instance, as described in the following documentation: https://docs.gitlab.com/ce/api/oauth2.html

In my configuration, is there a way to use the Gitlab API with an OAuth2 access token provided by my Keycloak server?


Hi @kwent7

I am attempting a similar setup, could you please share the settings you have done on both sides, Gitlab and Keycloak.

  1. gitlab.rb
  2. keycloak.

Thank you

Hi Ershad,

Sure!

On the Keycloak side, I've created a 'gitlab' client in a realm, with the following settings:

Client ID = gitlab
Enabled = ON
Consent Required = OFF
Client Protocol = openid-connect
Access Type = confidential
Standard Flow Enabled = ON
Implicit Flow Enabled = OFF
Direct Access Grants Enabled = OFF
Service Accounts Enabled = ON
Authorization Enabled = ON

Valid Redirect URIs = http://gitlab.local/users/auth/oauth2_generic/callback
Base URL = http://gitlab.local/

In the "Credentials" view:

Client Authenticator = Client Id and Secret
Secret = mysecret

gitlab.rb:

### OmniAuth Settings
###! Docs: https://docs.gitlab.com/ce/integration/omniauth.html
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['oauth2_generic']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_providers'] = [
  {
    'name' => 'oauth2_generic',
    'app_id' => 'gitlab',
    'app_secret' => 'mysecret',
    'args' => {
      client_options: {
        'site' => 'http://keycloak.local', # including port if necessary
        'authorize_url' => '/auth/realms/myrealm/protocol/openid-connect/auth',
        'user_info_url' => '/auth/realms/myrealm/protocol/openid-connect/userinfo',
        'token_url' => '/auth/realms/myrealm/protocol/openid-connect/token'
      },
      user_response_structure: {
        #root_path: ['user'], # i.e. if attributes are returned in JsonAPI format (in a 'user' node nested under a 'data' node)
        attributes: { email:'email', first_name:'given_name', last_name:'family_name', name:'name', nickname:'preferred_username' }, # if the nickname attribute of a user is called 'username'
        id_path: 'preferred_username'
      },
      # optionally, you can add the following two lines to "white label" the display name
      # of this strategy (appears in urls and Gitlab login buttons)
      # If you do this, you must also replace oauth2_generic, everywhere it appears above, with the new name. 
      #name: 'Satorix', # display name for this strategy
      #strategy_class: "OmniAuth::Strategies::OAuth2Generic" # Devise-specific config option Gitlab uses to find renamed strategy
    }
  }
]

Don't forget to run "gitlab-ctl reconfigure" for this to take effect.
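To make the user_response_structure part of that gitlab.rb concrete, here is an added example (not code from the thread or from GitLab/Keycloak) that applies the same attributes mapping and id_path to a constructed Keycloak userinfo response, the way the oauth2_generic strategy roughly does when it builds the uid and info for a login. The sample JSON and the helper names are my own; the root_path handling covers the commented-out nested layout too.

```ruby
require 'json'

# Same user_response_structure as in the posted gitlab.rb (root_path left empty,
# as in the config where it is commented out; set ['data', 'user'] for nested APIs).
USER_RESPONSE_STRUCTURE = {
  root_path: [],
  attributes: { email: 'email', first_name: 'given_name', last_name: 'family_name',
                name: 'name', nickname: 'preferred_username' },
  id_path: 'preferred_username'
}.freeze

# Constructed sample of what Keycloak's userinfo endpoint returns for one user.
SAMPLE_USERINFO = <<~JSON
  {"sub": "9c1f-constructed-subject-id", "preferred_username": "jdoe",
   "email": "jdoe@example.com", "email_verified": true,
   "given_name": "Jane", "family_name": "Doe", "name": "Jane Doe"}
JSON

# Walk a list of keys (e.g. ['data', 'user']) down into a parsed response.
# Returns nil if any step is missing, instead of raising NoMethodError.
def dig_path(hash, path)
  Array(path).reduce(hash) { |node, key| node.is_a?(Hash) ? node[key.to_s] : nil }
end

# Builds { uid:, info: {...} } from the raw userinfo JSON using the structure.
# uid is what GitLab stores as the identity extern_uid and matches on next login,
# so it must be present and non-empty; an empty uid would make account linking fail.
# Caveat: 'preferred_username' can be changed in Keycloak, whereas the OIDC 'sub'
# claim is the stable subject identifier; choose id_path deliberately.
def map_userinfo(raw_json, structure)
  root = dig_path(JSON.parse(raw_json), structure[:root_path] || [])
  raise ArgumentError, 'userinfo root not found' unless root.is_a?(Hash)

  uid = dig_path(root, structure[:id_path])
  raise ArgumentError, "id_path #{structure[:id_path]} missing or empty" if uid.to_s.strip.empty?

  info = structure[:attributes].to_h { |gitlab_key, claim| [gitlab_key, root[claim]] }
  { uid: uid.to_s, info: info }
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(map_userinfo(SAMPLE_USERINFO, USER_RESPONSE_STRUCTURE))
end
```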

Hi @kwent7,

did you ever find a solution for your problem? We have the same problem, we are using keycloak but cannot call the gitlab-api with access-tokens from keycloak.

Hi @kwent7 did a solution ever get done on this? We are having the exact same issue with a different Oauth provider. @ershad.ahmad @mailbox.wagner

Hi @kwent7, did you find a solution?

Hi all,
I would be interested in a solution too.

As an alternative, does gitlab support token exchange with keycloak?

Regards
Thomas