1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
|
---
stage: Ecosystem
group: Integrations
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
# Generic OAuth2 provider **(FREE SELF)**
The `omniauth-oauth2-generic` gem allows single sign-on (SSO) between GitLab
and your OAuth2 provider (or any OAuth2 provider compatible with this gem).
This strategy allows for the configuration of this OmniAuth SSO process:
1. Strategy directs the client to your authorization URL (**configurable**), with
the specified ID and key.
1. The OAuth2 provider handles authentication of the request, user, and (optionally)
authorization to access user's profile.
1. The OAuth2 provider directs the client back to GitLab where Strategy handles
the retrieval of the access token.
1. Strategy requests user information from a **configurable** "user profile"
URL (using the access token).
1. Strategy parses user information from the response, using a **configurable**
format.
1. GitLab finds or creates the returned user and signs them in.
## Limitations of this strategy
- It can only be used for single sign-on, and doesn't provide any other access
granted by any OAuth2 provider (like importing projects or users).
- It supports only the Authorization Grant flow (most common for client-server
applications, like GitLab).
- It can't fetch user information from more than one URL.
- It hasn't been tested with user information formats, other than JSON.
## Configure the OAuth2 provider
To configure the provider:
1. Register your application in the OAuth2 provider you want to authenticate with.
The redirect URI you provide when registering the application should be:
```plaintext
http://your-gitlab.host.com/users/auth/oauth2_generic/callback
```
You should now be able to get a Client ID and Client Secret. Where this
appears differs for each provider. This may also be called Application ID
and Secret.
1. On your GitLab server, open the appropriate configuration file.
For Omnibus GitLab:
```shell
sudo editor /etc/gitlab/gitlab.rb
```
For installations from source:
```shell
cd /home/git/gitlab
sudo -u git -H editor config/gitlab.yml
```
1. See [Configure initial settings](omniauth.md#configure-initial-settings) for
initial settings.
1. Add the provider-specific configuration for your provider. For example:
```ruby
gitlab_rails['omniauth_providers'] = [
{
name: "oauth2_generic",
label: "Provider name", # optional label for login button, defaults to "Oauth2 Generic"
app_id: "<your_app_client_id>",
app_secret: "<your_app_client_secret>",
args: {
client_options: {
site: "<your_auth_server_url>",
user_info_url: "/oauth2/v1/userinfo",
authorize_url: "/oauth2/v1/authorize",
token_url: "/oauth2/v1/token"
},
user_response_structure: {
root_path: [],
id_path: ["sub"],
attributes: {
email: "email",
name: "name"
}
},
authorize_params: {
scope: "openid profile email"
},
strategy_class: "OmniAuth::Strategies::OAuth2Generic"
}
}
]
```
For more information about these settings, see [the gem's README](https://gitlab.com/satorix/omniauth-oauth2-generic#gitlab-config-example).
1. Save the configuration file.
1. [Restart](../administration/restart_gitlab.md#installations-from-source)
GitLab for the changes to take effect.
On the sign-in page there should now be a new button below the regular sign-in
form. Select the button to begin your provider's authentication process. This
directs the browser to your OAuth2 provider's authentication page. If
everything goes well, you are returned to your GitLab instance and are
signed in.
|
