GitLab对接Keycloak的Oauth2简明教程

0x00
编辑`gitlab.rb`文件

找到 OmniAuth Settings 配置块，`按需`修改下面的选项：

```ruby
### OmniAuth Settings
###! Docs: https://docs.gitlab.com/ee/integration/omniauth.html
 gitlab_rails['omniauth_enabled'] = true
 gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
 gitlab_rails['omniauth_sync_email_from_provider'] = true
 gitlab_rails['omniauth_sync_profile_from_provider'] = true
 gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
# gitlab_rails['omniauth_auto_sign_in_with_provider'] = true
 gitlab_rails['omniauth_block_auto_created_users'] = false
# gitlab_rails['omniauth_auto_link_ldap_user'] = false
# gitlab_rails['omniauth_auto_link_saml_user'] = true
# gitlab_rails['omniauth_external_providers'] = []
# gitlab_rails['omniauth_allow_bypass_two_factor'] = ['google_oauth2']
```

在 `gitlab_rails['omniauth_providers']`配置项，添加如下内容：

```ruby
gitlab_rails['omniauth_providers'] = [
  { 'name' => 'openid_connect',
  'label' => '<label>',
     'args' => {
      'name' => 'openid_connect',
      'scope' => ['openid','profile'],
      'response_type' => 'code',
      # realm url
	  'issuer' => 'https://<keycloak-url>/auth/realms/fuzzypaws',
      #Gitlab fetch all the endpoints from 
      #https://<keycloak-url>/auth/realms/<realm>/.well-known/openid-configuration
      'discovery' => true,
      'client_auth_method' => 'basic',
     #Client Configuration
      'client_options' => {
	  'identifier' => '<Client-ID>',
	  'secret' => '<Cliend-Secret>',
        'redirect_uri' => 'https://<gitlab-url>/users/auth/openid_connect/callback'
      }
    }
  }
]
```
注意修改`gitlab_rails['omniauth_providers']`配置块内的 `'name'`时，需要同步修改`gitlab_rails['omniauth_allow_single_sign_on']`里的内容，内容采用列表形式，如`['keycloak','github','twitter']`

#0x02
保存，重启或者使用下面的命令重新配置gitlab：
```bash
gitlab-ctl reconfigure
```

即可在登陆见面看见gitlab登陆入口。

GitLab对接Keycloak的Oauth2简明教程

发表评论