I’ve connected my GitLab to a Keycloak SSO using the OmniAuth configuration as described here:
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "keycloak",
    "label" => "Keycloak SSO",
    "args" => {
      "name" => "openid_connect",
      "scope" => ["openid", "profile", "email"],
      "response_type" => "code",
      "issuer" => "https://keycloak.internal.net/auth/realms/internal-realm",
      "client_auth_method" => "query",
      "uid_field" => "uid",
      "discovery" => true,
      "client_options" => {
        "identifier" => "gitlab",
        "secret" => "********************************",
        "redirect_uri" => "https://gitlab.internal.net/users/auth/openid_connect/callback"
      }
    }
  }
]
I’ve got a new button to sign in via “Keycloak SSO” as configured, and it redirects me to the Keycloak login form. After giving the right credentials of a user within Keycloak (e.g. “testuser”), which is also added as a user inside GitLab, it redirects me back to GitLab’s login form with this error message instead:
“Signing in using your Openid Connect account without a pre-existing GitLab account is not allowed.”
How can I debug this? Maybe Keycloak is not giving the desired field where the uid is in? I’ve tried several “uid_field” settings without luck. I think “sub” (the default) is the most wrong one, because it would return the UUID of the user's record within Keycloak's database. But even this won’t work, as I tried to create such a user in GitLab.
In the production.log of GitLab I only found these messages after hitting the button in GitLab:
Started POST "/users/auth/openid_connect" for 10.32.216.93 at 2022-04-05 06:45:38 +0000
Processing by Gitlab::RequestForgeryProtection::Controller#index as HTML
Parameters: {"authenticity_token"=>"[FILTERED]"}
Completed 200 OK in 1ms (ActiveRecord: 0.0ms | Elasticsearch: 0.0ms | Allocations: 107)
Started GET "/users/auth/openid_connect/callback?state=76e6dc3bb48a75040b46e74902793baa&session_state=cda703d5-c654-42e1-823f-4aecb368d8b3&code=[FILTERED]" for 10.32.216.93 at 2022-04-05 06:45:38 +0000
Processing by OmniauthCallbacksController#openid_connect as HTML
Parameters: {"state"=>"76e6dc3bb48a75040b46e74902793baa", "session_state"=>"cda703d5-c654-42e1-823f-4aecb368d8b3", "code"=>"[FILTERED]"}
Redirected to https://gitlab.ippen.media/users/sign_in
Completed 302 Found in 15ms (ActiveRecord: 0.5ms | Elasticsearch: 0.0ms | Allocations: 5887)
Started GET "/users/sign_in" for 10.32.216.93 at 2022-04-05 06:45:38 +0000
Processing by SessionsController#new as HTML
Rendered layout layouts/devise.html.haml (Duration: 169.5ms | Allocations: 104291)
Completed 200 OK in 196ms (Views: 173.4ms | ActiveRecord: 1.5ms | Elasticsearch: 0.0ms | Allocations: 113984)
Started GET "/api/v4/geo/proxy" for 127.0.0.1 at 2022-04-05 06:45:38 +0000
I’m looking for a way to debug this issue somehow…
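As an added illustration (not the poster's code and not GitLab's source), the following Ruby is a simplified model, based on my own assumption of the flow rather than GitLab's actual implementation, of how an OmniAuth OIDC callback is matched to a GitLab account. It shows the two things worth checking when this error appears: GitLab matches on the identity pair (provider, extern_uid), so an existing username such as testuser does not help unless an identity is linked or `omniauth_auto_link_user` / `omniauth_allow_single_sign_on` permits linking or creating one; and when `uid_field` names a claim the ID token does not carry (assumed here: Keycloak's default claims include `sub`, `preferred_username` and `email`, but nothing called `uid` unless a protocol mapper adds it), the lookup cannot even start. The names `sample_claims`, `sample_users`, `resolve_login` and all sample data are constructed for this example.

```ruby
# Added example; not the poster's code and not GitLab's source. A simplified,
# assumed model of how an OmniAuth OIDC login is matched to a GitLab account:
#   1. derive extern_uid from the claim named by uid_field (default "sub");
#   2. look for an identity row (provider, extern_uid), NOT a username/email match;
#   3. otherwise auto-link by email if omniauth_auto_link_user allows the provider;
#   4. otherwise auto-create if omniauth_allow_single_sign_on allows the provider;
#   5. otherwise refuse with the message quoted in the post.

PROVIDER = 'openid_connect' # the "name" inside "args" is what identities are stored under

# Constructed claims, roughly what Keycloak returns for a realm user by default.
# Assumption: there is no claim called "uid" unless a protocol mapper adds one.
def sample_claims
  {
    'sub' => '2f9c5a1e-0000-4000-8000-000000000001', # Keycloak's internal user UUID
    'preferred_username' => 'testuser',
    'email' => 'testuser@example.invalid',
    'name' => 'Test User'
  }
end

# Constructed: a GitLab user created by hand, with no linked OmniAuth identity yet.
def sample_users
  [{ 'username' => 'testuser', 'email' => 'testuser@example.invalid', 'identities' => [] }]
end

# The claim selected by uid_field becomes extern_uid; a missing claim is a hard error.
def extern_uid(claims, uid_field)
  claims.fetch(uid_field) do
    raise KeyError, "uid_field #{uid_field.inspect} not present in ID token claims: #{claims.keys.inspect}"
  end
end

# GitLab settings accept either `true` (all providers) or a list of provider names.
def allows?(setting, provider)
  setting == true || Array(setting).include?(provider)
end

def provider_label(provider)
  provider.split('_').map(&:capitalize).join(' ') # "openid_connect" -> "Openid Connect"
end

# Returns [outcome, detail]; mutates `users` when it links or creates an account.
def resolve_login(claims, users, uid_field: 'sub', provider: PROVIDER,
                  allow_single_sign_on: [], auto_link_user: [], block_auto_created_users: true)
  uid = extern_uid(claims, uid_field)

  linked = users.find do |u|
    u['identities'].any? { |i| i['provider'] == provider && i['extern_uid'] == uid }
  end
  return [:signed_in, linked['username']] if linked

  if allows?(auto_link_user, provider)
    by_email = users.find { |u| u['email'] == claims['email'] }
    if by_email
      by_email['identities'] << { 'provider' => provider, 'extern_uid' => uid }
      return [:auto_linked, by_email['username']]
    end
  end

  if allows?(allow_single_sign_on, provider)
    created = { 'username' => claims['preferred_username'], 'email' => claims['email'],
                'identities' => [{ 'provider' => provider, 'extern_uid' => uid }],
                'blocked' => block_auto_created_users }
    users << created
    return [block_auto_created_users ? :created_blocked : :created, created['username']]
  end

  [:refused, "Signing in using your #{provider_label(provider)} account " \
             'without a pre-existing GitLab account is not allowed.']
end

if __FILE__ == $PROGRAM_NAME
  users = sample_users
  p resolve_login(sample_claims, users)                             # refused: no identity row
  p resolve_login(sample_claims, users, auto_link_user: [PROVIDER]) # auto_linked by email
  p resolve_login(sample_claims, users)                             # signed_in via identity
  begin
    resolve_login(sample_claims, users, uid_field: 'uid')           # claim absent
  rescue KeyError => e
    puts e.message
  end
end
```

Run it with `ruby model.rb`. The first call reproduces the refusal from the post even though the GitLab user exists; enabling `gitlab_rails['omniauth_auto_link_user'] = ['openid_connect']` is the model's equivalent of the second call, after which the identity row exists and later logins match directly. The last call is the `uid_field => "uid"` case: comparing the claim names Keycloak actually emits for the `gitlab` client against the configured `uid_field` is the first check worth making, since the callback cannot proceed without that claim.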