GitLab Omniauth openid-connect via Keycloak

I am trying to setup GitLab OmniAuth via openid-connect using Keycloak.

I can successfully authenticate to Keycloak. When redirecting back to Gitlab however, I get the following

I followed the docs on OmniAuth via openid-connect and set the callback url as suggested.

My GitLab runs at http://<domain>/gitlab.

Here is the full config

    gitlab_rails['omniauth_providers'] = [
      { 'name' => 'openid_connect',
        'label' => 'Keycloak',
        'args' => {
          'name' => 'openid_connect',
          'scope' => ['openid', 'profile'],
          'response_type' => 'code',
          'issuer' => 'http://<domain>/auth/realms//<realm>',
          'discovery' => false,
          'uid_field' => 'uid',
          'client_auth_method' => 'query',
          'send_scope_to_token_endpoint' => false,
          'client_options' => {
            'identifier' => 'gitlab',
            'secret' => '<secret>',
            'authorization_endpoint' => 'http://<domain>/auth/realms/<realm>/protocol/openid-connect/auth',
            'token_endpoint' => 'http://<domain>/auth/realms/<realm>/protocol/openid-connect/token',
            'userinfo_endpoint' => 'http://<domain>/auth/realms/<realm>/protocol/openid-connect/userinfo',
            'redirect_uri' => 'http://<domain>/gitlab/users/auth/openid_connect/callback'
          }
        }
      }
    ]

Keycloak

In Keycloak I’ve set mappers for the following attributes:

  • “name”
  • “email”
  • “preferred_username”

Even when using * for Valid Redirect URLs in the client, I get the result shown above.
I have been stuck on this for three days :confused: I do not see anything in the logs that could help me.

I’d highly appreciate any help!

Right now I think the login succeeds and the error is on GitLab's side.
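With `discovery` set to false, GitLab never fetches Keycloak's metadata, so every URL in `args` has to match what the realm actually publishes; the `iss` claim in the ID token is compared against `issuer` literally. The following static check is an added example, not code from the post or from GitLab: it mirrors the post's values (placeholders filled with constructed example hosts, doubled slash in `issuer` included) and compares them against a constructed stand-in for the realm's `.well-known/openid-configuration` document.

```ruby
require 'uri'

# Constructed stand-in for the realm URL; <domain> and <realm> from the post
# are replaced with example values.
BASE = 'http://sso.example.test/auth/realms/myrealm'

# The post's omniauth 'args', reduced to the URL-bearing keys. The issuer keeps
# the doubled slash exactly as it appears in the post.
OMNIAUTH_ARGS = {
  'issuer' => 'http://sso.example.test/auth/realms//myrealm',
  'client_options' => {
    'authorization_endpoint' => "#{BASE}/protocol/openid-connect/auth",
    'token_endpoint' => "#{BASE}/protocol/openid-connect/token",
    'userinfo_endpoint' => "#{BASE}/protocol/openid-connect/userinfo",
    'redirect_uri' => 'http://git.example.test/gitlab/users/auth/openid_connect/callback'
  }
}

# Constructed sample of what GET <realm>/.well-known/openid-configuration returns.
DISCOVERY = {
  'issuer' => BASE,
  'authorization_endpoint' => "#{BASE}/protocol/openid-connect/auth",
  'token_endpoint' => "#{BASE}/protocol/openid-connect/token",
  'userinfo_endpoint' => "#{BASE}/protocol/openid-connect/userinfo"
}

# Returns a list of findings; an empty list means the static config is consistent.
def check_oidc_config(args, discovery, external_url)
  problems = []
  opts = args['client_options']
  # The ID token's iss claim must equal args['issuer'] byte for byte; a stray
  # slash makes every login fail only after Keycloak has redirected back.
  if args['issuer'] != discovery['issuer']
    problems << "issuer mismatch: configured #{args['issuer']} vs published #{discovery['issuer']}"
  end
  %w[authorization_endpoint token_endpoint userinfo_endpoint].each do |key|
    next if opts[key] == discovery[key]
    problems << "#{key} mismatch: configured #{opts[key]} vs published #{discovery[key]}"
  end
  # The callback must sit under GitLab's external URL (here the /gitlab prefix),
  # or Keycloak sends the browser to a path GitLab does not serve.
  expected_cb = "#{external_url}/users/auth/openid_connect/callback"
  problems << "redirect_uri is not #{expected_cb}" unless opts['redirect_uri'] == expected_cb
  # Plain http exposes the authorization code and tokens in transit.
  [args['issuer'], opts['token_endpoint'], opts['redirect_uri']].each do |u|
    problems << "non-https URL: #{u}" if URI(u).scheme != 'https'
  end
  problems
end

puts check_oidc_config(OMNIAUTH_ARGS, DISCOVERY, 'http://git.example.test/gitlab')
```

Run against the post's values the check reports the issuer mismatch and the three plain-http URLs while all endpoint and callback comparisons pass.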