Problem to solve
I am setting up a new omniauth-provider for our local gitlab-instance.
We are running an omnibus setup on centos7, current gitlab-version is 16.11.3
The existing users have all signed up using an OAuth2Generic-provider that we get from a company in our sector
To enable us to add different policies, I have tested setting up OpenIDConnect with AzureOIDC/EntraID. The configuration seems to work as intended. Users are able to use it to authenticate, sign up and to log in to the accounts they create.
The issue I’m having, is that existing users that signed up with the existing provider are not able to sign in with the new one, even though their emails match. They are redirected to the cute 422-message.
From OmniAuth | GitLab,
gitlab_rails['omniauth_auto_link_user'] = ["openid_connect", "oauth2_generic"]
seems to be the setting we want.
I have enabled that for our providers, but we still get the 422-error for existing users.
We can make the users add the new provider to their account manually, but it would be a lot easier if I got this working as it seems to be intended.
A related question is if we can enforce the activation of the second provider for all users, somehow?
I was not able to find anything in the docs, other than updating it on a user-by-user basis through the GUI or resetting the authentication-details for one user in the database.
Configuration
gitlab_rails['omniauth_enabled'] = 'true'
gitlab_rails['omniauth_allow_single_sign_on'] = "['oauth2_generic', 'openid_connect']"
gitlab_rails['omniauth_auto_sign_in_with_provider'] = ""
gitlab_rails['omniauth_sync_profile_from_provider'] = ["openid_connect", "oauth2_generic"]
gitlab_rails['omniauth_sync_profile_attributes'] = [ 'name', 'email' ]
gitlab_rails['omniauth_auto_link_user'] = "['oauth2_generic', 'openid_connect']"
gitlab_rails['omniauth_providers'] = [
{
'name' => 'oauth2_generic',
'label' => '<label>',
'app_id' => '<id>,
'app_secret' => '<secret>',
'args' => {
'client_options': {
'site' => '<url-to-auth-api>',
'authorize_url' => '<auth-url>,
'token_url' => '<token-url>',
'user_info_url' => '<info-url>'
},
'user_response_structure': {
'root_path': ['user'],
'id_path': 'userid',
'attributes': {
'name': 'name',
'email': 'email'
}
},
name: '<label>',
strategy_class: 'OmniAuth::Strategies::OAuth2Generic'
}
},
{
'name' => 'openid_connect',
'label' => 'Azure OIDC',
'args' => {
'name' => 'openid_connect',
'scope'=> ['openid', 'profile', 'email'],
'strategy_class': 'OmniAuth::Strategies::OpenIDConnect',
'response_type' => 'code',
'issuer' => '<issuer>',
'client_auth_method' => 'query',
'discovery' => true,
'uid_field' => 'preferred_username',
'pkce' => true,
'client_options': {
'identifier' => '<id>',
'secret' => '<secret>',
'redirect_uri' => '<local-gitlab.org/users/auth/openid_connect/callback>'
},
}
}
]
Versions
Please select whether options apply, and add the version information.
- Self-managed
- GitLab.com SaaS
Versions
- 16.11.3