Omniauth + Gitlab API with Oauth2 token

Hi Ershad,

Sure!

On the Keycloak side, I've created a 'gitlab' client in a realm, with the following settings:

Client ID = gitlab
Enabled = ON
Consent Required = OFF
Client Protocol = openid-connect
Access Type = confidential
Standard Flow Enabled = ON
Implicit Flow Enabled = OFF
Direct Access Grants Enabled = OFF
Service Accounts Enabled = ON
Authorization Enabled = ON

Valid Redirect URIs = http://gitlab.local/users/auth/oauth2_generic/callback
Base URL = http://gitlab.local/

In the "Credentials" view:

Client Authenticator = Client Id and Secret
Secret = mysecret

gitlab.rb :

### OmniAuth Settings
###! Docs: https://docs.gitlab.com/ce/integration/omniauth.html
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['oauth2_generic']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_providers'] = [
  {
    'name' => 'oauth2_generic',
    'app_id' => 'gitlab',
    'app_secret' => 'mysecret',
    'args' => {
      client_options: {
        'site' => 'http://keycloak.local', # including port if necessary
        'authorize_url' => '/auth/realms/myrealm/protocol/openid-connect/auth',
        'user_info_url' => '/auth/realms/myrealm/protocol/openid-connect/userinfo',
        'token_url' => '/auth/realms/myrealm/protocol/openid-connect/token'
      },
      user_response_structure: {
        #root_path: ['user'], # i.e. if attributes are returned in JsonAPI format (in a 'user' node nested under a 'data' node)
        attributes: { email:'email', first_name:'given_name', last_name:'family_name', name:'name', nickname:'preferred_username' }, # if the nickname attribute of a user is called 'username'
        id_path: 'preferred_username'
      },
      # optionally, you can add the following two lines to "white label" the display name
      # of this strategy (appears in urls and Gitlab login buttons)
      # If you do this, you must also replace oauth2_generic, everywhere it appears above, with the new name.
      #name: 'Satorix', # display name for this strategy
      #strategy_class: "OmniAuth::Strategies::OAuth2Generic" # Devise-specific config option Gitlab uses to find renamed strategy
    }
  }
]

Don't forget to run "gitlab-ctl reconfigure" for this to take effect.
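Added example, not part of this post or of the omniauth-oauth2-generic gem: a small Ruby script that applies the user_response_structure from the gitlab.rb above to a constructed Keycloak userinfo response and returns the uid and info hash GitLab would end up with, so the mapping can be checked before running a reconfigure. The walk over root_path, attributes and id_path is my simplified reading of how the generic strategy resolves that mapping, and the userinfo JSON is made up for the example; it also shows that pointing id_path at the OIDC sub claim (the identifier the spec defines as stable, unlike preferred_username) changes which value becomes the uid.

```ruby
require 'json'

# Constructed sample, shaped like a Keycloak userinfo response for the
# 'gitlab' client above (not captured from a real realm).
SAMPLE_USERINFO = <<~JSON
  {
    "sub": "4f1c2a9e-0000-4000-8000-000000000001",
    "email_verified": true,
    "name": "Jane Doe",
    "preferred_username": "jdoe",
    "given_name": "Jane",
    "family_name": "Doe",
    "email": "jane.doe@example.com"
  }
JSON

# Same user_response_structure as in the gitlab.rb snippet above.
USER_RESPONSE_STRUCTURE = {
  root_path: [], # would be ['user'] if attributes were nested under a 'user' node
  attributes: { email: 'email', first_name: 'given_name', last_name: 'family_name',
                name: 'name', nickname: 'preferred_username' },
  id_path: 'preferred_username'
}.freeze

# Follow a path (a single key or an array of keys) into a parsed JSON hash.
# JSON.parse yields string keys, so symbols in the mapping are converted.
def dig_path(hash, path)
  Array(path).reduce(hash) { |node, key| node.is_a?(Hash) ? node[key.to_s] : nil }
end

# Resolve the uid and info hash from a raw userinfo body using a
# user_response_structure mapping (simplified model of the generic strategy).
def map_userinfo(body, structure)
  root = dig_path(JSON.parse(body), structure.fetch(:root_path, []))
  raise 'userinfo root node not found' unless root.is_a?(Hash)
  uid = dig_path(root, structure[:id_path])
  # A missing uid must fail loudly: OmniAuth would otherwise hand GitLab an
  # empty identity instead of a login error.
  raise 'id_path attribute missing from userinfo' if uid.nil? || uid.to_s.empty?
  info = structure[:attributes].transform_values { |src| dig_path(root, src) }
  { uid: uid.to_s, info: info }
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(map_userinfo(SAMPLE_USERINFO, USER_RESPONSE_STRUCTURE))
end
```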