I want to let GitLab use Keycloak OIDC login.
GitLab version: GitLab Enterprise Edition 12.6.3-ee
Keycloak version: 8.0.1
Both are using HTTP; HTTPS is not enabled.
I am following this guide:
https://docs.gitlab.com/ee/administration/auth/oidc.html
When I click the Keycloak button on the GitLab UI, the URL http://gitlab.test.com/users/auth/openid_connect returns a 500 error. In /var/log/gitlab/gitlab-rails/production.log I see the error below:
OpenIDConnect::Discovery::DiscoveryFailed (SSL_connect returned=1 errno=0 state=error: wrong version number):
lib/gitlab/middleware/rails_queue_duration.rb:27:in `call'
lib/gitlab/metrics/rack_middleware.rb:17:in `block in call'
lib/gitlab/metrics/transaction.rb:62:in `run'
lib/gitlab/metrics/rack_middleware.rb:17:in `call'
lib/gitlab/request_profiler/middleware.rb:17:in `call'
ee/lib/gitlab/jira/middleware.rb:19:in `call'
lib/gitlab/middleware/go.rb:20:in `call'
lib/gitlab/etag_caching/middleware.rb:13:in `call'
lib/gitlab/middleware/correlation_id.rb:16:in `block in call'
lib/gitlab/middleware/correlation_id.rb:15:in `call'
lib/gitlab/middleware/multipart.rb:117:in `call'
lib/gitlab/middleware/read_only/controller.rb:48:in `call'
lib/gitlab/middleware/read_only.rb:18:in `call'
lib/gitlab/middleware/basic_health_check.rb:25:in `call'
lib/gitlab/request_context.rb:32:in `call'
config/initializers/fix_local_cache_middleware.rb:9:in `call'
lib/gitlab/metrics/requests_rack_middleware.rb:49:in `call'
lib/gitlab/middleware/release_env.rb:12:in `call'
What is your GitLab configuration?
It seems GitLab tries to fetch the discovery endpoint over HTTPS (which doesn't seem to be enabled on your Keycloak instance).
Our conf is like this:
gitlab_rails['omniauth_providers'] = [
  { 'name' => 'openid_connect',
    'label' => 'keycloak',
    'args' => {
      'name' => 'openid_connect',
      'scope' => ['openid', 'profile'],
      'response_type' => 'code',
      # realm url
      'issuer' => 'https://<keycloak-url>/auth/realms/<realm>',
      # GitLab fetches all the endpoints from
      # https://<keycloak-url>/auth/realms/<realm>/.well-known/openid-configuration
      'discovery' => true,
      'client_auth_method' => 'basic',
      # Client configuration
      'client_options' => {
        'identifier' => 'gitlab',
        'secret' => '<client-secret>',
        'redirect_uri' => '<gitlab-url>/users/auth/openid_connect/callback'
      }
    }
  }
]
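With 'discovery' => true, GitLab fetches the realm's openid-configuration document and takes every endpoint from it, so the configured issuer and that document must agree on scheme and host. The following is an added example, not from the thread or from GitLab: a small Ruby check (assumed helper names discovery_url and check_discovery, constructed sample document) that reports the kind of mismatch behind the "wrong version number" error before you wire the provider into gitlab.rb.

```ruby
require 'json'
require 'uri'

# Endpoints GitLab pulls from the discovery document when 'discovery' => true.
ENDPOINT_KEYS = %w[authorization_endpoint token_endpoint userinfo_endpoint jwks_uri].freeze

# URL that GitLab fetches for the configured issuer (assumed helper name).
def discovery_url(issuer)
  "#{issuer.chomp('/')}/.well-known/openid-configuration"
end

# Returns a list of problems; an empty list means the document is consistent
# with the configured issuer. (Assumed helper name, not a GitLab API.)
def check_discovery(configured_issuer, discovery_json)
  doc = JSON.parse(discovery_json)
  issuer = URI.parse(configured_issuer)
  problems = []
  # OIDC Discovery requires the document's issuer to equal the configured value exactly.
  problems << "issuer mismatch: #{doc['issuer'].inspect} != #{configured_issuer.inspect}" if doc['issuer'] != configured_issuer
  ENDPOINT_KEYS.each do |key|
    unless doc[key]
      problems << "missing #{key}"
      next
    end
    ep = URI.parse(doc[key])
    # An https endpoint on an http-only Keycloak makes OpenSSL report
    # "wrong version number": the reply to its TLS handshake is not a TLS record.
    problems << "#{key}: scheme #{ep.scheme} but issuer is #{issuer.scheme}" if ep.scheme != issuer.scheme
    problems << "#{key}: host #{ep.host}:#{ep.port} but issuer is #{issuer.host}:#{issuer.port}" if [ep.host, ep.port] != [issuer.host, issuer.port]
  end
  problems << 'issuer is plain http: client secret and tokens cross the network unencrypted' if issuer.scheme == 'http'
  problems
end

# Constructed sample: a Keycloak 8 realm served over plain http on port 8080.
BASE = 'http://keycloak.example.test:8080/auth/realms/demo'
SAMPLE_DOC = {
  'issuer' => BASE,
  'authorization_endpoint' => "#{BASE}/protocol/openid-connect/auth",
  'token_endpoint' => "#{BASE}/protocol/openid-connect/token",
  'userinfo_endpoint' => "#{BASE}/protocol/openid-connect/userinfo",
  'jwks_uri' => "#{BASE}/protocol/openid-connect/certs"
}.to_json

if __FILE__ == $PROGRAM_NAME
  # Same realm, but gitlab.rb points at https: the issuer and every endpoint are flagged.
  puts check_discovery(BASE.sub('http://', 'https://'), SAMPLE_DOC)
end
```

Fetch the real document with curl from the GitLab host itself (not your workstation) and feed it to check_discovery, since the error comes from GitLab's own connection to Keycloak.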
Some detailed documentation on how I have set up almost single sign-on to Gitea, Taiga.io, Grafana, Portainer and Bookstack using OpenLDAP and Keycloak.
See: https://blog.exceptionerror.io/2018/08/29/openldap-keycloak-and-docker/
@micedre
Thanks for the reply.
Actually I haven't enabled SSL for either GitLab or Keycloak.
Is SSL mandatory?
This is my GitLab config:
gitlab_rails['omniauth_providers'] = [
  {
    'name' => 'openid_connect',
    'label' => 'keycloak',
    'args' => {
      'name' => 'openid_connect',
      'scope' => ['openid', 'profile'],
      'response_type' => 'code',
      'issuer' => 'http://172 .. .:8080/auth/realm/< >',
      'discovery' => true,
      'client_auth_method' => 'query',
      'uid_field' => 'preferred_username',
      'client_options' => {
        'identifier' => 'gitlab',
        'secret' => '6de3c7ea- ***',
        'redirect_uri' => 'http://gitlab.test.com/users/auth/openid_connect/callback'
      }
    }
  }
]
lixiran (January 12, 2020, 12:50am):
@micedre
What cert are you using for GitLab and Keycloak?
Self-signed?
@Robinyo
Thanks. Are you using HTTPS or HTTP?
I don't think HTTPS is mandatory, but maybe your Keycloak instance forces a redirection.
Your conf should be fine; is your Keycloak accessible from GitLab?
For the cert, you can use self-signed as long as you configure GitLab to trust it:
https://docs.gitlab.com/omnibus/settings/ssl.html#install-custom-public-certificates
Thanks, dude.
I have figured that out.
Now I am working on the OAuth2 part.
I want to use Keycloak to request an access_token from GitLab. Have you tried that?
I don't understand, what do you want to do?
All I am doing in addition to login from Keycloak is getting the GitLab groups of the users (and adding them as a user attribute). I do it with a script mapper.
lixiran (January 13, 2020, 9:11am):
I have two applications.
One is GitLab, the other is my app.
I want to do:
1. Log in to my app via Keycloak.
2. Get all my issues from GitLab and display them on the UI.
In the past, I used GitLab as the OAuth2 provider. My app opened an OAuth2 request to GitLab and GitLab returned me an access_token. I could use the access_token to access the GitLab API to get resources.
Keycloak supports OAuth2, so I want to know how to do step 2 via Keycloak.