Has anyone tried to integrate gitlab and keycloak?

I want to let gitlab use keycloak OIDC login.
gitlab version: GitLab Enterprise Edition 12.6.3-ee
keycloak version 8.0.1
both are using http. https is not enabled.
I am following this guide:
https://docs.gitlab.com/ee/administration/auth/oidc.html

When I click the keycloak button on the gitlab UI, the url http://gitlab.test.com/users/auth/openid_connect returns a 500 error. In /var/log/gitlab/gitlab-rails/production.log I see the error below:

OpenIDConnect::Discovery::DiscoveryFailed (SSL_connect returned=1 errno=0 state=error: wrong version number):

lib/gitlab/middleware/rails_queue_duration.rb:27:in `call'
lib/gitlab/metrics/rack_middleware.rb:17:in `block in call'
lib/gitlab/metrics/transaction.rb:62:in `run'
lib/gitlab/metrics/rack_middleware.rb:17:in `call'
lib/gitlab/request_profiler/middleware.rb:17:in `call'
ee/lib/gitlab/jira/middleware.rb:19:in `call'
lib/gitlab/middleware/go.rb:20:in `call'
lib/gitlab/etag_caching/middleware.rb:13:in `call'
lib/gitlab/middleware/correlation_id.rb:16:in `block in call'
lib/gitlab/middleware/correlation_id.rb:15:in `call'
lib/gitlab/middleware/multipart.rb:117:in `call'
lib/gitlab/middleware/read_only/controller.rb:48:in `call'
lib/gitlab/middleware/read_only.rb:18:in `call'
lib/gitlab/middleware/basic_health_check.rb:25:in `call'
lib/gitlab/request_context.rb:32:in `call'
config/initializers/fix_local_cache_middleware.rb:9:in `call'
lib/gitlab/metrics/requests_rack_middleware.rb:49:in `call'
lib/gitlab/middleware/release_env.rb:12:in `call'

What is your gitlab configuration?
It seems gitlab tries to fetch the discovery endpoint over https (which doesn’t seem to be enabled on your keycloak instance).
Our conf is like this:

gitlab_rails['omniauth_providers'] = [
  { 'name' => 'openid_connect',
    'label' => 'keycloak',
    'args' => {
      'name' => 'openid_connect',
      'scope' => ['openid', 'profile'],
      'response_type' => 'code',
      # realm url
      'issuer' => 'https://<keycloak-url>/auth/realms/<realm>',
      # Gitlab fetches all the endpoints from
      # https://<keycloak-url>/auth/realms/<realm>/.well-known/openid-configuration
      'discovery' => true,
      'client_auth_method' => 'basic',
      # Client configuration
      'client_options' => {
        'identifier' => 'gitlab',
        'secret' => '<client secret>',
        'redirect_uri' => '<gitlab-url>/users/auth/openid_connect/callback'
      }
    }
  }
]

Some detailed documentation on how I have set up almost single sign-on to Gitea, Taiga.io, Grafana, Portainer and Bookstack using OpenLDAP and Keycloak.

See: https://blog.exceptionerror.io/2018/08/29/openldap-keycloak-and-docker/

@micedre
thanks for the reply
actually I haven’t enabled SSL for either gitlab or keycloak

is SSL mandatory?

this is my gitlab config:

gitlab_rails['omniauth_providers'] = [
  {
    'name' => 'openid_connect',
    'label' => 'keycloak',
    'args' => {
      'name' => 'openid_connect',
      'scope' => ['openid', 'profile'],
      'response_type' => 'code',
      'issuer' => 'http://172...:8080/auth/realm/<>',
      'discovery' => true,
      'client_auth_method' => 'query',
      'uid_field' => 'preferred_username',
      'client_options' => {
        'identifier' => 'gitlab',
        'secret' => '6de3c7ea-***',
        'redirect_uri' => 'http://gitlab.test.com/users/auth/openid_connect/callback'
      }
    }
  }
]

@micedre
what cert are you using for gitlab and keycloak?
self-signed?

@Robinyo
thanks. are you using https or http?

I don’t think https is mandatory, but maybe your keycloak instance forces a redirection.

Your conf should be fine. Is your keycloak accessible from gitlab?

For the cert, you can use self-signed as long as you configure gitlab to trust it:
https://docs.gitlab.com/omnibus/settings/ssl.html#install-custom-public-certificates
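As an added illustration of the two points raised in this thread (GitLab fetching every endpoint from the realm's `.well-known/openid-configuration`, and a Keycloak instance answering an http issuer with a redirect to https, which is what produces an "SSL_connect ... wrong version number" when the client then speaks TLS to a plain-http port), here is a small Ruby checker. It is not code from any poster here and not GitLab's own discovery implementation; the discovery document, host name and realm inside it are constructed placeholders, and the function names are my own. It applies the same consistency rules GitLab's discovery relies on: the `issuer` in the document must equal the configured one exactly, the required endpoints must be present, and every endpoint should use the same scheme as the issuer.

```ruby
require 'json'
require 'uri'

# Constructed sample of a Keycloak discovery document (abridged). The host
# "keycloak.example.test" and realm "demo" are placeholders, not values
# from this thread.
SAMPLE_DISCOVERY = <<~DOC
  {
    "issuer": "https://keycloak.example.test/auth/realms/demo",
    "authorization_endpoint": "https://keycloak.example.test/auth/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example.test/auth/realms/demo/protocol/openid-connect/token",
    "userinfo_endpoint": "https://keycloak.example.test/auth/realms/demo/protocol/openid-connect/userinfo",
    "jwks_uri": "https://keycloak.example.test/auth/realms/demo/protocol/openid-connect/certs"
  }
DOC

# Keys a relying party needs for the authorization-code flow with discovery.
REQUIRED_KEYS = %w[issuer authorization_endpoint token_endpoint jwks_uri].freeze

# The URL a discovery-enabled client derives from the configured 'issuer'.
def discovery_url(issuer)
  "#{issuer.chomp('/')}/.well-known/openid-configuration"
end

# Returns an array of problem strings; an empty array means the document is
# consistent with the issuer configured in gitlab.rb.
def check_discovery(configured_issuer, body)
  problems = []
  doc = begin
    JSON.parse(body)
  rescue JSON::ParserError => e
    # An HTML login page or a proxy error page ends up here.
    return ["discovery response is not JSON (#{e.message})"]
  end

  REQUIRED_KEYS.each { |k| problems << "missing #{k}" unless doc[k] }

  # OIDC Discovery requires the document's issuer to match the configured
  # value exactly (scheme, host, port and path included).
  if doc['issuer'] && doc['issuer'] != configured_issuer
    problems << "issuer mismatch: configured #{configured_issuer}, document says #{doc['issuer']}"
  end

  # An http issuer whose endpoints are advertised as https (or vice versa)
  # is the classic cause of TLS handshake errors on the token/userinfo calls.
  cfg_scheme = URI(configured_issuer).scheme
  doc.each do |k, v|
    next unless k.end_with?('_endpoint', '_uri') && v.is_a?(String)
    ep_scheme = URI(v).scheme
    problems << "#{k} uses #{ep_scheme} but issuer is #{cfg_scheme}" if ep_scheme != cfg_scheme
  end
  problems
end

# True when the discovery request was answered with a redirect that changes
# the scheme, e.g. a Keycloak realm configured to require SSL sending an
# http request on to https.
def scheme_redirect?(configured_issuer, status, location)
  return false unless [301, 302, 307, 308].include?(status) && location
  URI(location).scheme != URI(configured_issuer).scheme
end

if __FILE__ == $PROGRAM_NAME
  issuer = 'http://keycloak.example.test/auth/realms/demo'
  puts "would fetch: #{discovery_url(issuer)}"
  check_discovery(issuer, SAMPLE_DISCOVERY).each { |p| puts "problem: #{p}" }
end
```

Run it with `ruby discovery_check.rb`; to check a live instance, fetch the URL printed by `discovery_url` with curl (look at the status code and any `Location:` header first) and pass the body to `check_discovery` together with the exact `issuer` string from gitlab.rb.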

thanks, dude.

I have figured that out.
Now I am working on the OAuth2 part.
I want to use keycloak to request an access_token from gitlab. have you tried that?

I don’t understand, what do you want to do?

All I am doing in addition to login from keycloak is getting the gitlab groups of the users (and adding them as a user attribute). I do it with a script mapper.

I have two applications.
one is gitlab, the other is my app.
I want to do:

  1. log in to my app via keycloak.
  2. get all my issues from gitlab and display them on the UI.

in the past, I used gitlab as an oauth2 provider. my app opens an oauth2 request to gitlab and gitlab returns me an access_token. I can use the access_token to access the gitlab API to get resources.

Keycloak supports oauth2, so I want to know how to do step 2 via keycloak.