Using Keycloak as SSO for Gitlab with pre-existing users (no autocreate)

I’ve connected my GitLab to a Keycloak SSO using the OmniAuth configuration as described here:

gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "keycloak",
    "label" => "Keycloak SSO",
    "args" => {
      "name" => "openid_connect",
      "scope" => ["openid", "profile", "email"],
      "response_type" => "code",
      "issuer" => "https://keycloak.internal.net/auth/realms/internal-realm",
      "client_auth_method" => "query",
      "uid_field" => "uid",
      "discovery" => true,
      "client_options" => {
        "identifier" => "gitlab",
        "secret" => "********************************",
        "redirect_uri" => "https://gitlab.internal.net/users/auth/openid_connect/callback"
      }
    }
  }
]

I’ve got a new button to sign in via “Keycloak SSO” as configured, and it redirects me to the Keycloak login form. After giving the right credentials of a user within Keycloak (e.g. “testuser”), which is also added as a user inside GitLab, it redirects me back to GitLab's login form with this error message instead:

“Signing in using your Openid Connect account without a pre-existing GitLab account is not allowed.”

How can I debug this? Maybe Keycloak is not giving the desired field that the uid is in? I’ve tried several “uid_field” settings without luck. I think “sub” (the default) is the most wrong one, because it would return the UUID of the user's record within Keycloak's database. But even this won’t work, as I tried creating such a user in GitLab.

In the production.log of GitLab I only found these messages after hitting the button in GitLab:

Started POST "/users/auth/openid_connect" for 10.32.216.93 at 2022-04-05 06:45:38 +0000
Processing by Gitlab::RequestForgeryProtection::Controller#index as HTML
  Parameters: {"authenticity_token"=>"[FILTERED]"}
Completed 200 OK in 1ms (ActiveRecord: 0.0ms | Elasticsearch: 0.0ms | Allocations: 107)
Started GET "/users/auth/openid_connect/callback?state=76e6dc3bb48a75040b46e74902793baa&session_state=cda703d5-c654-42e1-823f-4aecb368d8b3&code=[FILTERED]" for 10.32.216.93 at 2022-04-05 06:45:38 +0000
Processing by OmniauthCallbacksController#openid_connect as HTML
  Parameters: {"state"=>"76e6dc3bb48a75040b46e74902793baa", "session_state"=>"cda703d5-c654-42e1-823f-4aecb368d8b3", "code"=>"[FILTERED]"}
Redirected to https://gitlab.ippen.media/users/sign_in
Completed 302 Found in 15ms (ActiveRecord: 0.5ms | Elasticsearch: 0.0ms | Allocations: 5887)
Started GET "/users/sign_in" for 10.32.216.93 at 2022-04-05 06:45:38 +0000
Processing by SessionsController#new as HTML
  Rendered layout layouts/devise.html.haml (Duration: 169.5ms | Allocations: 104291)
Completed 200 OK in 196ms (Views: 173.4ms | ActiveRecord: 1.5ms | Elasticsearch: 0.0ms | Allocations: 113984)
Started GET "/api/v4/geo/proxy" for 127.0.0.1 at 2022-04-05 06:45:38 +0000

I’m looking for a way to debug this issue somehow…

AH! It worked, but only if I logged in as the user in question (here my “testuser”) and enabled sign-in through SSO:

Now my question is how to “prepare” this for users, as I would like to pre-create them using the REST API.

Hi! This may help

gitlab_rails['omniauth_auto_link_user'] = ['openid_connect']

where openid_connect is the name of the omniauth_providers entry (keycloak in the above case)
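As an added example (not from this thread, GitLab or Keycloak), here is the pre-creation route the follow-up post asks about, as an alternative to auto-linking: omniauth_auto_link_user matches an incoming SSO login to an existing account by email address, whereas creating the user through POST /api/v4/users with provider and extern_uid pins the account to the Keycloak subject, and that extern_uid must equal the claim named by uid_field or the login is rejected with the "no pre-existing account" message. The Keycloak userinfo record is constructed, and the GitLab URL and admin token are assumed to be supplied by the caller.

```python
import json
import urllib.request

# From the thread's gitlab.rb: the provider name GitLab stores is the args
# "name" (openid_connect), not the button label "keycloak".
PROVIDER = "openid_connect"
UID_FIELD = "sub"  # must equal gitlab_rails uid_field; GitLab falls back to sub

def extern_uid_for(userinfo: dict, uid_field: str = UID_FIELD) -> str:
    """Value GitLab looks up as extern_uid at SSO login. Assumption: it takes
    the userinfo claim named by uid_field and uses sub when that claim is
    missing; a pre-created identity must carry exactly this value."""
    return str(userinfo.get(uid_field) or userinfo["sub"])

def user_payload(userinfo: dict, uid_field: str = UID_FIELD) -> dict:
    """POST /api/v4/users body that creates the account with the identity
    already linked, so no email-based auto-linking is needed."""
    return {
        "username": userinfo["preferred_username"],
        "email": userinfo["email"],
        "name": userinfo.get("name", userinfo["preferred_username"]),
        "provider": PROVIDER,
        "extern_uid": extern_uid_for(userinfo, uid_field),
        "skip_confirmation": True,      # address was verified by Keycloak
        "force_random_password": True,  # no usable local password
        "reset_password": False,
    }

def create_user(gitlab_url: str, admin_token: str, payload: dict) -> dict:
    """Create the user over the REST API (requires an admin access token)."""
    req = urllib.request.Request(
        f"{gitlab_url}/api/v4/users",
        data=json.dumps(payload).encode(),
        headers={"PRIVATE-TOKEN": admin_token,
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

# Constructed sample of a Keycloak userinfo response for the thread's "testuser".
SAMPLE_USERINFO = {
    "sub": "2f1c9a7e-0000-4000-8000-000000000001",
    "preferred_username": "testuser",
    "email": "testuser@internal.net",
    "name": "Test User",
}
```

Once the account exists with this identity, the Keycloak button signs the user straight in and omniauth_auto_link_user can stay unset, which keeps account linking independent of the email claim the IdP sends.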