Diffstat (limited to 'doc/administration/auth')
-rw-r--r--doc/administration/auth/atlassian.md13
-rw-r--r--doc/administration/auth/authentiq.md14
-rw-r--r--doc/administration/auth/cognito.md28
-rw-r--r--doc/administration/auth/crowd.md12
-rw-r--r--doc/administration/auth/jwt.md22
-rw-r--r--doc/administration/auth/ldap/index.md102
-rw-r--r--doc/administration/auth/ldap/ldap-troubleshooting.md25
-rw-r--r--doc/administration/auth/ldap/ldap_synchronization.md4
-rw-r--r--doc/administration/auth/oidc.md179
9 files changed, 202 insertions, 197 deletions
diff --git a/doc/administration/auth/atlassian.md b/doc/administration/auth/atlassian.md
index 14c48231a3d..5fa10c4c119 100644
--- a/doc/administration/auth/atlassian.md
+++ b/doc/administration/auth/atlassian.md
@@ -50,9 +50,10 @@ To enable the Atlassian OmniAuth provider for passwordless authentication you mu
gitlab_rails['omniauth_providers'] = [
{
name: "atlassian_oauth2",
+ # label: "Provider name", # optional label for login button, defaults to "Atlassian"
app_id: "YOUR_CLIENT_ID",
app_secret: "YOUR_CLIENT_SECRET",
- args: { scope: 'offline_access read:jira-user read:jira-work', prompt: 'consent' }
+ args: { scope: "offline_access read:jira-user read:jira-work", prompt: "consent" }
}
]
```
@@ -60,10 +61,12 @@ To enable the Atlassian OmniAuth provider for passwordless authentication you mu
For installations from source:
```yaml
- - name: "atlassian_oauth2",
- app_id: "YOUR_CLIENT_ID",
- app_secret: "YOUR_CLIENT_SECRET",
- args: { scope: 'offline_access read:jira-user read:jira-work', prompt: 'consent' }
+ - { name: "atlassian_oauth2",
+ # label: "Provider name", # optional label for login button, defaults to "Atlassian"
+ app_id: "YOUR_CLIENT_ID",
+ app_secret: "YOUR_CLIENT_SECRET",
+ args: { scope: "offline_access read:jira-user read:jira-work", prompt: "consent" }
+ }
```
1. Change `YOUR_CLIENT_ID` and `YOUR_CLIENT_SECRET` to the Client credentials you received in [application registration](#atlassian-application-registration) steps.
diff --git a/doc/administration/auth/authentiq.md b/doc/administration/auth/authentiq.md
index 19ee143a72a..4220e552196 100644
--- a/doc/administration/auth/authentiq.md
+++ b/doc/administration/auth/authentiq.md
@@ -36,12 +36,13 @@ Authentiq generates a Client ID and the accompanying Client Secret for you to us
```ruby
gitlab_rails['omniauth_providers'] = [
{
- "name" => "authentiq",
- "app_id" => "YOUR_CLIENT_ID",
- "app_secret" => "YOUR_CLIENT_SECRET",
- "args" => {
- "scope": 'aq:name email~rs address aq:push'
- }
+ name: "authentiq",
+ # label: "Provider name", # optional label for login button, defaults to "Authentiq"
+ app_id: "YOUR_CLIENT_ID",
+ app_secret: "YOUR_CLIENT_SECRET",
+ args: {
+ "scope": 'aq:name email~rs address aq:push'
+ }
}
]
```
@@ -50,6 +51,7 @@ Authentiq generates a Client ID and the accompanying Client Secret for you to us
```yaml
- { name: 'authentiq',
+ # label: 'Provider name', # optional label for login button, defaults to "Authentiq"
app_id: 'YOUR_CLIENT_ID',
app_secret: 'YOUR_CLIENT_SECRET',
args: {
diff --git a/doc/administration/auth/cognito.md b/doc/administration/auth/cognito.md
index d137489a838..718a2919ed0 100644
--- a/doc/administration/auth/cognito.md
+++ b/doc/administration/auth/cognito.md
@@ -56,25 +56,25 @@ Include the code block in the `/etc/gitlab/gitlab.rb` file:
gitlab_rails['omniauth_allow_single_sign_on'] = ['cognito']
gitlab_rails['omniauth_providers'] = [
{
- "name" => "cognito",
- # "label" => "Cognito",
- # "icon" => nil, # Optional icon URL
- "app_id" => "CLIENT ID",
- "app_secret" => "CLIENT SECRET",
- "args" => {
- "scope" => "openid profile email",
+ name: "cognito",
+ label: "Provider name", # optional label for login button, defaults to "Cognito"
+ icon: nil, # Optional icon URL
+ app_id: "CLIENT ID",
+ app_secret: "CLIENT SECRET",
+ args: {
+ scope: "openid profile email",
client_options: {
- 'site' => 'https://your_domain.auth.your_region.amazoncognito.com',
- 'authorize_url' => '/oauth2/authorize',
- 'token_url' => '/oauth2/token',
- 'user_info_url' => '/oauth2/userInfo'
+ site: "https://your_domain.auth.your_region.amazoncognito.com",
+ authorize_url: "/oauth2/authorize",
+ token_url: "/oauth2/token",
+ user_info_url: "/oauth2/userInfo"
},
user_response_structure: {
root_path: [],
- id_path: ['sub'],
- attributes: { nickname: 'email', name: 'email', email: 'email' }
+ id_path: ["sub"],
+ attributes: { nickname: "email", name: "email", email: "email" }
},
- name: 'cognito',
+ name: "cognito",
strategy_class: "OmniAuth::Strategies::OAuth2Generic"
}
}
diff --git a/doc/administration/auth/crowd.md b/doc/administration/auth/crowd.md
index 466e208a52e..265bba8a9b1 100644
--- a/doc/administration/auth/crowd.md
+++ b/doc/administration/auth/crowd.md
@@ -46,11 +46,12 @@ this provider also allows Crowd authentication for Git-over-https requests.
```ruby
gitlab_rails['omniauth_providers'] = [
{
- "name" => "crowd",
- "args" => {
- "crowd_server_url" => "CROWD_SERVER_URL",
- "application_name" => "YOUR_APP_NAME",
- "application_password" => "YOUR_APP_PASSWORD"
+ name: "crowd",
+ # label: "Provider name", # optional label for login button, defaults to "Crowd"
+ args: {
+ crowd_server_url: "CROWD_SERVER_URL",
+ application_name: "YOUR_APP_NAME",
+ application_password: "YOUR_APP_PASSWORD"
}
}
]
@@ -60,6 +61,7 @@ this provider also allows Crowd authentication for Git-over-https requests.
```yaml
- { name: 'crowd',
+ # label: 'Provider name', # optional label for login button, defaults to "Crowd"
args: {
crowd_server_url: 'CROWD_SERVER_URL',
application_name: 'YOUR_APP_NAME',
diff --git a/doc/administration/auth/jwt.md b/doc/administration/auth/jwt.md
index 26e523cb802..9298b04cbc1 100644
--- a/doc/administration/auth/jwt.md
+++ b/doc/administration/auth/jwt.md
@@ -8,7 +8,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
# JWT OmniAuth provider **(FREE SELF)**
To enable the JWT OmniAuth provider, you must register your application with JWT.
-JWT will provide you with a secret key for you to use.
+JWT provides you with a secret key for you to use.
1. On your GitLab server, open the configuration file.
@@ -32,14 +32,15 @@ JWT will provide you with a secret key for you to use.
```ruby
gitlab_rails['omniauth_providers'] = [
- { name: 'jwt',
+ { name: "jwt",
+ label: "Provider name", # optional label for login button, defaults to "Jwt"
args: {
- secret: 'YOUR_APP_SECRET',
- algorithm: 'HS256', # Supported algorithms: 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512'
- uid_claim: 'email',
- required_claims: ['name', 'email'],
- info_map: { name: 'name', email: 'email' },
- auth_url: 'https://example.com/',
+ secret: "YOUR_APP_SECRET",
+ algorithm: "HS256", # Supported algorithms: "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "HS256", "HS384", "HS512"
+ uid_claim: "email",
+ required_claims: ["name", "email"],
+ info_map: { name: "name", email: "email" },
+ auth_url: "https://example.com/",
valid_within: 3600 # 1 hour
}
}
@@ -50,6 +51,7 @@ JWT will provide you with a secret key for you to use.
```yaml
- { name: 'jwt',
+ label: 'Provider name', # optional label for login button, defaults to "Jwt"
args: {
secret: 'YOUR_APP_SECRET',
algorithm: 'HS256', # Supported algorithms: 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512'
@@ -72,9 +74,9 @@ JWT will provide you with a secret key for you to use.
installed GitLab via Omnibus or from source respectively.
On the sign in page there should now be a JWT icon below the regular sign in form.
-Click the icon to begin the authentication process. JWT will ask the user to
+Click the icon to begin the authentication process. JWT asks the user to
sign in and authorize the GitLab application. If everything goes well, the user
-will be redirected to GitLab and will be signed in.
+is redirected to GitLab and signed in.
<!-- ## Troubleshooting
diff --git a/doc/administration/auth/ldap/index.md b/doc/administration/auth/ldap/index.md
index 9047cfae1e9..f551c362784 100644
--- a/doc/administration/auth/ldap/index.md
+++ b/doc/administration/auth/ldap/index.md
@@ -23,7 +23,7 @@ Users added through LDAP:
- Take a [licensed seat](../../../subscriptions/self_managed/index.md#billable-users).
- Can authenticate with Git using either their GitLab username or their email and LDAP password,
- even if password authentication for Git
+ even if password authentication for Git
[is disabled](../../../user/admin_area/settings/sign_in_restrictions.md#password-authentication-enabled).
The LDAP DN is associated with existing GitLab users when:
@@ -41,7 +41,7 @@ If an existing GitLab user wants to enable LDAP sign-in for themselves, they sho
GitLab has multiple mechanisms to verify a user is still active in LDAP. If the user is no longer active in
LDAP, they are placed in an `ldap_blocked` status and are signed out. They are unable to sign in using any authentication provider until they are
-reactivated in LDAP.
+reactivated in LDAP.
Users are considered inactive in LDAP when they:
@@ -52,7 +52,8 @@ Users are considered inactive in LDAP when they:
Status is checked for all LDAP users:
-- When signing in using any authentication provider.
+- When signing in using any authentication provider. [In GitLab 14.4 and earlier](https://gitlab.com/gitlab-org/gitlab/-/issues/343298), status was
+ checked only when signing in using LDAP directly.
- Once per hour for active web sessions or Git requests using tokens or SSH keys.
- When performing Git over HTTP requests using LDAP username and password.
- Once per day during [User Sync](ldap_synchronization.md#user-sync).
@@ -221,6 +222,51 @@ These LDAP sync configuration settings are available:
| `external_groups` | An array of CNs of groups containing users that should be considered external. Not `cn=interns` or the full DN. | **{dotted-circle}** No | `['interns', 'contractors']` |
| `sync_ssh_keys` | The LDAP attribute containing a user's public SSH key. | **{dotted-circle}** No | `'sshPublicKey'` or false if not set |
+### Use multiple LDAP servers **(PREMIUM SELF)**
+
+If you have users on multiple LDAP servers, you can configure GitLab to use them. To add additional LDAP servers:
+
+1. Duplicate the [`main` LDAP configuration](#configure-ldap).
+1. Edit each duplicate configuration with the details of the additional servers.
+ - For each additional server, choose a different provider ID, like `main`, `secondary`, or `tertiary`. Use lowercase
+ alphanumeric characters. GitLab uses the provider ID to associate each user with a specific LDAP server.
+ - For each entry, use a unique `label` value. These values are used for the tab names on the sign-in page.
+
+#### Example of multiple LDAP servers
+
+The following example shows how to configure three LDAP servers in `gitlab.rb`:
+
+```ruby
+gitlab_rails['ldap_enabled'] = true
+gitlab_rails['ldap_servers'] = {
+'main' => {
+ 'label' => 'GitLab AD',
+ 'host' => 'ad.example.org',
+ 'port' => 636,
+ ...
+ },
+
+'secondary' => {
+ 'label' => 'GitLab Secondary AD',
+ 'host' => 'ad-secondary.example.net',
+ 'port' => 636,
+ ...
+ },
+
+'tertiary' => {
+ 'label' => 'GitLab Tertiary AD',
+ 'host' => 'ad-tertiary.example.net',
+ 'port' => 636,
+ ...
+ }
+
+}
+```
+
+This example results in the following sign-in page:
+
+![Multiple LDAP servers sign in](img/multi_login.gif)
+
### Set up LDAP user filter
To limit all GitLab access to a subset of the LDAP users on your LDAP server, first narrow the
@@ -451,56 +497,6 @@ If initially your LDAP configuration looked like:
1. [Restart GitLab](../../restart_gitlab.md#installations-from-source) for the changes to take effect.
-## Multiple LDAP servers **(PREMIUM SELF)**
-
-With GitLab, you can configure multiple LDAP servers that your GitLab instance
-connects to.
-
-To add another LDAP server:
-
-1. Duplicate the settings under [the main configuration](#configure-ldap).
-1. Edit them to match the additional LDAP server.
-
-Be sure to choose a different provider ID made of letters a-z and numbers 0-9.
-This ID is stored in the database so that GitLab can remember which LDAP
-server a user belongs to.
-
-![Multiple LDAP Servers Sign in](img/multi_login.gif)
-
-Based on the example illustrated on the image above,
-our `gitlab.rb` configuration would look like:
-
-```ruby
-gitlab_rails['ldap_enabled'] = true
-gitlab_rails['ldap_servers'] = {
-'main' => {
- 'label' => 'GitLab AD',
- 'host' => 'ad.example.org',
- 'port' => 636,
- ...
- },
-
-'secondary' => {
- 'label' => 'GitLab Secondary AD',
- 'host' => 'ad-secondary.example.net',
- 'port' => 636,
- ...
- },
-
-'tertiary' => {
- 'label' => 'GitLab Tertiary AD',
- 'host' => 'ad-tertiary.example.net',
- 'port' => 636,
- ...
- }
-
-}
-```
-
-If you configure multiple LDAP servers, use a unique naming convention for the
-`label` section of each entry. That label is used as the display name of the tab
-shown on the sign-in page.
-
## Disable anonymous LDAP authentication
GitLab doesn't support TLS client authentication. Complete these steps on your LDAP server.
diff --git a/doc/administration/auth/ldap/ldap-troubleshooting.md b/doc/administration/auth/ldap/ldap-troubleshooting.md
index aa40060c4c1..63e4490e332 100644
--- a/doc/administration/auth/ldap/ldap-troubleshooting.md
+++ b/doc/administration/auth/ldap/ldap-troubleshooting.md
@@ -106,7 +106,7 @@ here are some questions to ask yourself:
- Does the user pass through the [configured `user_filter`](index.md#set-up-ldap-user-filter)?
If one is not configured, this question can be ignored. If it is, then the
user must also pass through this filter to be allowed to sign in.
- - Refer to our docs on [debugging the `user_filter`](#debug-ldap-user-filter).
+ - Refer to our documentation on [debugging the `user_filter`](#debug-ldap-user-filter).
If the above are both okay, the next place to look for the problem is
the logs themselves while reproducing the issue.
@@ -316,7 +316,7 @@ LDAP search error: No Such Object
User Update (0.4ms) UPDATE "users" SET "state" = $1, "updated_at" = $2 WHERE "users"."id" = $3 [["state", "ldap_blocked"], ["updated_at", "2019-10-18 15:46:22.902177"], ["id", 20]]
```
-Once the user is found in LDAP, the rest of the output updates the GitLab
+After the user is found in LDAP, the rest of the output updates the GitLab
database with any changes.
#### Query a user in LDAP
@@ -337,8 +337,8 @@ Gitlab::Auth::Ldap::Person.find_by_uid('<uid>', adapter)
#### Membership(s) not granted
Sometimes you may think a particular user should be added to a GitLab group via
-LDAP group sync, but for some reason it's not happening. There are several
-things to check to debug the situation.
+LDAP group sync, but for some reason it's not happening. You can check several
+things to debug the situation.
- Ensure LDAP configuration has a `group_base` specified.
[This configuration](ldap_synchronization.md#group-sync) is required for group sync to work properly.
@@ -421,7 +421,7 @@ Started syncing 'ldapmain' provider for 'my_group' group
```
The following entry shows an array of all user DNs GitLab sees in the LDAP server.
-These are the users for a single LDAP group, not a GitLab group. If
+These DNs are the users for a single LDAP group, not a GitLab group. If
you have multiple LDAP groups linked to this GitLab group, you see multiple
log entries like this - one for each LDAP group. If you don't see an LDAP user
DN in this log entry, LDAP is not returning the user when we do the lookup.
@@ -545,7 +545,7 @@ updates the stored DN to the new value so both values now match what's in
LDAP.
If the email has changed and the DN has not, GitLab finds the user with
-the DN and update its own record of the user's email to match the one in LDAP.
+the DN and updates its own record of the user's email to match the one in LDAP.
However, if the primary email _and_ the DN change in LDAP, then GitLab
has no way of identifying the correct LDAP record of the user and, as a
@@ -563,7 +563,7 @@ email address are removed first. This is because emails have to be unique in Git
Go to the [rails console](#rails-console) and then run:
```ruby
-# Each entry will have to include the old username and the new email
+# Each entry must include the old username and the new email
emails = {
'ORIGINAL_USERNAME' => 'NEW_EMAIL_ADDRESS',
...
@@ -582,8 +582,8 @@ for each of these users.
## Expired license causes errors with multiple LDAP servers
-Using [multiple LDAP servers](index.md#multiple-ldap-servers) requires a valid license. An expired
-license can cause:
+Using [multiple LDAP servers](index.md#use-multiple-ldap-servers) requires a valid license. An expired license can
+cause:
- `502` errors in the web interface.
- The following error in logs (the actual strategy name depends on the name configured in `/etc/gitlab/gitlab.rb`):
@@ -686,7 +686,7 @@ For more information, see the [official `ldapsearch` documentation](https://linu
### Using **AdFind** (Windows)
-You can use the [`AdFind`](https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx) utility (on Windows based systems) to test that your LDAP server is accessible and authentication is working correctly. This is a freeware utility built by [Joe Richards](http://www.joeware.net/freetools/tools/adfind/index.htm).
+You can use the [`AdFind`](https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx) utility (on Windows based systems) to test that your LDAP server is accessible and authentication is working correctly. AdFind is a freeware utility built by [Joe Richards](http://www.joeware.net/freetools/tools/adfind/index.htm).
**Return all objects**
@@ -719,9 +719,8 @@ For instructions about how to use the rails console, refer to this
#### Enable debug output
-This provides debug output that is useful to see
-what GitLab is doing and with what. This value is not persisted, and is only
-enabled for this session in the rails console.
+This provides debug output that shows what GitLab is doing and with what.
+This value is not persisted, and is only enabled for this session in the Rails console.
To enable debug output in the rails console, [enter the rails
console](#rails-console) and run:
diff --git a/doc/administration/auth/ldap/ldap_synchronization.md b/doc/administration/auth/ldap/ldap_synchronization.md
index 2673a8374ec..8ccd8fecbcf 100644
--- a/doc/administration/auth/ldap/ldap_synchronization.md
+++ b/doc/administration/auth/ldap/ldap_synchronization.md
@@ -127,8 +127,8 @@ following.
1. [Restart GitLab](../../restart_gitlab.md#installations-from-source) for the changes to take effect.
-To take advantage of group sync, group owners or maintainers must [create one
-or more LDAP group links](#add-group-links).
+To take advantage of group sync, group Owners or users with the [Maintainer role](../../../user/permissions.md) must
+[create one or more LDAP group links](#add-group-links).
### Add group links
diff --git a/doc/administration/auth/oidc.md b/doc/administration/auth/oidc.md
index b8c443ae4d4..7ab1f2f5feb 100644
--- a/doc/administration/auth/oidc.md
+++ b/doc/administration/auth/oidc.md
@@ -35,22 +35,23 @@ The OpenID Connect provides you with a client's details and secret for you to us
```ruby
gitlab_rails['omniauth_providers'] = [
- { 'name' => 'openid_connect',
- 'label' => '<your_oidc_label>',
- 'icon' => '<custom_provider_icon>',
- 'args' => {
- 'name' => 'openid_connect',
- 'scope' => ['openid','profile','email'],
- 'response_type' => 'code',
- 'issuer' => '<your_oidc_url>',
- 'discovery' => true,
- 'client_auth_method' => 'query',
- 'uid_field' => '<uid_field>',
- 'send_scope_to_token_endpoint' => 'false',
- 'client_options' => {
- 'identifier' => '<your_oidc_client_id>',
- 'secret' => '<your_oidc_client_secret>',
- 'redirect_uri' => '<your_gitlab_url>/users/auth/openid_connect/callback'
+ {
+ name: "openid_connect",
+ label: "Provider name", # optional label for login button, defaults to "Openid Connect"
+ icon: "<custom_provider_icon>",
+ args: {
+ name: "openid_connect",
+ scope: ["openid","profile","email"],
+ response_type: "code",
+ issuer: "<your_oidc_url>",
+ discovery: true,
+ client_auth_method: "query",
+ uid_field: "<uid_field>",
+ send_scope_to_token_endpoint: "false",
+ client_options: {
+ identifier: "<your_oidc_client_id>",
+ secret: "<your_oidc_client_secret>",
+ redirect_uri: "<your_gitlab_url>/users/auth/openid_connect/callback"
}
}
}
@@ -61,7 +62,7 @@ The OpenID Connect provides you with a client's details and secret for you to us
```yaml
- { name: 'openid_connect',
- label: '<your_oidc_label>',
+ label: 'Provider name', # optional label for login button, defaults to "Openid Connect"
icon: '<custom_provider_icon>',
args: {
name: 'openid_connect',
@@ -136,20 +137,20 @@ for more details:
```ruby
gitlab_rails['omniauth_providers'] = [
{
- 'name' => 'openid_connect',
- 'label' => 'Google OpenID',
- 'args' => {
- 'name' => 'openid_connect',
- 'scope' => ['openid', 'profile', 'email'],
- 'response_type' => 'code',
- 'issuer' => 'https://accounts.google.com',
- 'client_auth_method' => 'query',
- 'discovery' => true,
- 'uid_field' => 'preferred_username',
- 'client_options' => {
- 'identifier' => '<YOUR PROJECT CLIENT ID>',
- 'secret' => '<YOUR PROJECT CLIENT SECRET>',
- 'redirect_uri' => 'https://example.com/users/auth/openid_connect/callback',
+ name: "openid_connect",
+ label: "Google OpenID", # optional label for login button, defaults to "Openid Connect"
+ args: {
+ name: "openid_connect",
+ scope: ["openid", "profile", "email"],
+ response_type: "code",
+ issuer: "https://accounts.google.com",
+ client_auth_method: "query",
+ discovery: true,
+ uid_field: "preferred_username",
+ client_options: {
+ identifier: "<YOUR PROJECT CLIENT ID>",
+ secret: "<YOUR PROJECT CLIENT SECRET>",
+ redirect_uri: "https://example.com/users/auth/openid_connect/callback",
}
}
}
@@ -173,20 +174,20 @@ Example Omnibus configuration block:
```ruby
gitlab_rails['omniauth_providers'] = [
{
- 'name' => 'openid_connect',
- 'label' => 'Azure OIDC',
- 'args' => {
- 'name' => 'openid_connect',
- 'scope' => ['openid', 'profile', 'email'],
- 'response_type' => 'code',
- 'issuer' => 'https://login.microsoftonline.com/<YOUR-TENANT-ID>/v2.0',
- 'client_auth_method' => 'query',
- 'discovery' => true,
- 'uid_field' => 'preferred_username',
- 'client_options' => {
- 'identifier' => '<YOUR APP CLIENT ID>',
- 'secret' => '<YOUR APP CLIENT SECRET>',
- 'redirect_uri' => 'https://gitlab.example.com/users/auth/openid_connect/callback'
+ name: "openid_connect",
+ label: "Azure OIDC", # optional label for login button, defaults to "Openid Connect"
+ args: {
+ name: "openid_connect",
+ scope: ["openid", "profile", "email"],
+ response_type: "code",
+ issuer: "https://login.microsoftonline.com/<YOUR-TENANT-ID>/v2.0",
+ client_auth_method: "query",
+ discovery: true,
+ uid_field: "preferred_username",
+ client_options: {
+ identifier: "<YOUR APP CLIENT ID>",
+ secret: "<YOUR APP CLIENT SECRET>",
+ redirect_uri: "https://gitlab.example.com/users/auth/openid_connect/callback"
}
}
}
@@ -302,21 +303,21 @@ The trailing forward slash is required.
```ruby
gitlab_rails['omniauth_providers'] = [
{
- 'name' => 'openid_connect',
- 'label' => 'Azure B2C OIDC',
- 'args' => {
- 'name' => 'openid_connect',
- 'scope' => ['openid'],
- 'response_mode' => 'query',
- 'response_type' => 'id_token',
- 'issuer' => 'https://<YOUR-DOMAIN>/tfp/<YOUR-TENANT-ID>/b2c_1a_signup_signin/v2.0/',
- 'client_auth_method' => 'query',
- 'discovery' => true,
- 'send_scope_to_token_endpoint' => true,
- 'client_options' => {
- 'identifier' => '<YOUR APP CLIENT ID>',
- 'secret' => '<YOUR APP CLIENT SECRET>',
- 'redirect_uri' => 'https://gitlab.example.com/users/auth/openid_connect/callback'
+ name: "openid_connect",
+ label: "Azure B2C OIDC", # optional label for login button, defaults to "Openid Connect"
+ args: {
+ name: "openid_connect",
+ scope: ["openid"],
+ response_mode: "query",
+ response_type: "id_token",
+ issuer: "https://<YOUR-DOMAIN>/tfp/<YOUR-TENANT-ID>/b2c_1a_signup_signin/v2.0/",
+ client_auth_method: "query",
+ discovery: true,
+ send_scope_to_token_endpoint: true,
+ client_options: {
+ identifier: "<YOUR APP CLIENT ID>",
+ secret: "<YOUR APP CLIENT SECRET>",
+ redirect_uri: "https://gitlab.example.com/users/auth/openid_connect/callback"
}
}
}]
@@ -359,20 +360,20 @@ Example Omnibus configuration block:
```ruby
gitlab_rails['omniauth_providers'] = [
{
- 'name' => 'openid_connect',
- 'label' => 'Keycloak',
- 'args' => {
- 'name' => 'openid_connect',
- 'scope' => ['openid', 'profile', 'email'],
- 'response_type' => 'code',
- 'issuer' => 'https://keycloak.example.com/auth/realms/myrealm',
- 'client_auth_method' => 'query',
- 'discovery' => true,
- 'uid_field' => 'preferred_username',
- 'client_options' => {
- 'identifier' => '<YOUR CLIENT ID>',
- 'secret' => '<YOUR CLIENT SECRET>',
- 'redirect_uri' => 'https://gitlab.example.com/users/auth/openid_connect/callback'
+ name: "openid_connect",
+ label: "Keycloak", # optional label for login button, defaults to "Openid Connect"
+ args: {
+ name: "openid_connect",
+ scope: ["openid", "profile", "email"],
+ response_type: "code",
+ issuer: "https://keycloak.example.com/auth/realms/myrealm",
+ client_auth_method: "query",
+ discovery: true,
+ uid_field: "preferred_username",
+ client_options: {
+ identifier: "<YOUR CLIENT ID>",
+ secret: "<YOUR CLIENT SECRET>",
+ redirect_uri: "https://gitlab.example.com/users/auth/openid_connect/callback"
}
}
}
@@ -436,21 +437,21 @@ To use symmetric key encryption:
```ruby
gitlab_rails['omniauth_providers'] = [
{
- 'name' => 'openid_connect',
- 'label' => 'Keycloak',
- 'args' => {
- 'name' => 'openid_connect',
- 'scope' => ['openid', 'profile', 'email'],
- 'response_type' => 'code',
- 'issuer' => 'https://keycloak.example.com/auth/realms/myrealm',
- 'client_auth_method' => 'query',
- 'discovery' => true,
- 'uid_field' => 'preferred_username',
- 'jwt_secret_base64' => '<YOUR BASE64-ENCODED SECRET>',
- 'client_options' => {
- 'identifier' => '<YOUR CLIENT ID>',
- 'secret' => '<YOUR CLIENT SECRET>',
- 'redirect_uri' => 'https://gitlab.example.com/users/auth/openid_connect/callback'
+ name: "openid_connect",
+ label: "Keycloak", # optional label for login button, defaults to "Openid Connect"
+ args: {
+ name: "openid_connect",
+ scope: ["openid", "profile", "email"],
+ response_type: "code",
+ issuer: "https://keycloak.example.com/auth/realms/myrealm",
+ client_auth_method: "query",
+ discovery: true,
+ uid_field: "preferred_username",
+ jwt_secret_base64: "<YOUR BASE64-ENCODED SECRET>",
+ client_options: {
+ identifier: "<YOUR CLIENT ID>",
+ secret: "<YOUR CLIENT SECRET>",
+ redirect_uri: "https://gitlab.example.com/users/auth/openid_connect/callback"
}
}
}