4.4 KiB
| title | description | summary | date | draft | images | weight | toc | support | seo | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| GitLab | Integrating GitLab with the Authelia OpenID Connect 1.0 Provider. | 2022-06-15T17:51:47+10:00 | false | 620 | true |
|
|
Tested Versions
{{% oidc-common %}}
Assumptions
This example makes the following assumptions:
- Application Root URL:
https://gitlab.{{< sitevar name="domain" nojs="example.com" >}}/ - Authelia Root URL:
https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/ - Client ID:
gitlab - Client Secret:
insecure_secret
Some of the values presented in this guide can automatically be replaced with documentation variables.
{{< sitevar-preferences >}}
Configuration
Authelia
{{< callout context="caution" title="Important Note" icon="outline/alert-triangle" >}}
This configuration assumes you've configured the client_auth_method in GitLab as per below. If you
have not done this, the default in GitLab will require the token_endpoint_auth_method changes to
client_secret_post.
{{< /callout >}}
The following YAML configuration is an example Authelia client configuration for use with GitLab which will operate with the application example:
identity_providers:
oidc:
## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
## See: https://www.authelia.com/c/oidc
clients:
- client_id: 'gitlab'
client_name: 'GitLab'
client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: 'two_factor'
redirect_uris:
- 'https://gitlab.{{< sitevar name="domain" nojs="example.com" >}}/users/auth/openid_connect/callback'
scopes:
- 'openid'
- 'profile'
- 'groups'
- 'email'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_basic'
Application
To configure GitLab to utilize Authelia as an OpenID Connect 1.0 Provider:
- Add the Omnibus OpenID Connect 1.0 OmniAuth configuration to
gitlab.rb:
gitlab_rails['omniauth_providers'] = [
{
name: "openid_connect",
label: "Authelia",
icon: "https://www.authelia.com/images/branding/logo-cropped.png",
args: {
name: "openid_connect",
strategy_class: "OmniAuth::Strategies::OpenIDConnect",
issuer: "https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}",
discovery: true,
scope: ["openid","profile","email","groups"],
client_auth_method: "basic",
response_type: "code",
response_mode: "query",
uid_field: "preferred_username",
send_scope_to_token_endpoint: true,
pkce: true,
client_options: {
identifier: "gitlab",
secret: "insecure_secret",
redirect_uri: "https://gitlab.{{< sitevar name="domain" nojs="example.com" >}}/users/auth/openid_connect/callback"
}
}
}
]
Groups
GitLab offers group mapping options with OpenID Connect 1.0, shamefully it's only for paid plans. However see the guide on how to configure it on their end.
Alternatively if GitLab is associated with LDAP you can use that as a group source, and you can configure a policy on
Authelia to restrict which resource owners are allowed access to the client for free via a custom authorization_policy
value.