2016-02-03 06:18:37 -05:00
|
|
|
# GitLab as OAuth2 authentication service provider
|
2015-02-18 23:49:19 -05:00
|
|
|
|
2016-02-03 06:18:37 -05:00
|
|
|
This document is about using GitLab as an OAuth authentication service provider
|
|
|
|
to sign in to other services.
|
2015-02-18 23:49:19 -05:00
|
|
|
|
2019-01-11 10:38:15 -05:00
|
|
|
If you want to use:
|
|
|
|
|
|
|
|
- Other OAuth authentication service providers to sign in to
|
|
|
|
GitLab, see the [OAuth2 client documentation](omniauth.md).
|
|
|
|
- The related API, see [Applications API](../api/applications.md).
|
2015-02-13 11:17:08 -05:00
|
|
|
|
2016-02-03 06:18:37 -05:00
|
|
|
## Introduction to OAuth
|
2015-02-13 11:17:08 -05:00
|
|
|
|
2019-07-08 19:14:29 -04:00
|
|
|
[OAuth](https://oauth.net/2/) provides to client applications a 'secure delegated access' to server
|
2016-02-03 06:18:37 -05:00
|
|
|
resources on behalf of a resource owner. In fact, OAuth allows an authorization
|
|
|
|
server to issue access tokens to third-party clients with the approval of the
|
|
|
|
resource owner, or the end-user.
|
2015-02-13 11:17:08 -05:00
|
|
|
|
2016-02-03 06:18:37 -05:00
|
|
|
OAuth is mostly used as a Single Sign-On service (SSO), but you can find a
|
|
|
|
lot of different uses for this functionality. For example, you can allow users
|
|
|
|
to sign in to your application with their GitLab.com account, or GitLab.com
|
|
|
|
can be used for authentication to your GitLab instance
|
|
|
|
(see [GitLab OmniAuth](gitlab.md)).
|
2015-02-13 11:17:08 -05:00
|
|
|
|
2016-02-03 06:18:37 -05:00
|
|
|
The 'GitLab Importer' feature is also using the OAuth protocol to give access
|
|
|
|
to repositories without sharing user credentials to your GitLab.com account.
|
2015-02-13 11:17:08 -05:00
|
|
|
|
2016-02-03 06:18:37 -05:00
|
|
|
GitLab supports two ways of adding a new OAuth2 application to an instance. You
|
2020-01-08 19:07:40 -05:00
|
|
|
can either add an application as a regular user or add it in the Admin Area.
|
2016-02-03 06:18:37 -05:00
|
|
|
What this means is that GitLab can actually have instance-wide and a user-wide
|
|
|
|
applications. There is no difference between them except for the different
|
2019-01-11 10:38:15 -05:00
|
|
|
permission levels they are set (user/admin). The default callback URL is
|
2016-07-14 05:10:15 -04:00
|
|
|
`http://your-gitlab.example.com/users/auth/gitlab/callback`
|
2015-02-13 11:17:08 -05:00
|
|
|
|
2016-02-03 06:18:37 -05:00
|
|
|
## Adding an application through the profile
|
2015-02-13 11:17:08 -05:00
|
|
|
|
2016-02-03 06:18:37 -05:00
|
|
|
In order to add a new application via your profile, navigate to
|
|
|
|
**Profile Settings > Applications** and select **New Application**.
|
2015-02-13 11:17:08 -05:00
|
|
|
|
2016-02-03 06:18:37 -05:00
|
|
|
![New OAuth application](img/oauth_provider_user_wide_applications.png)
|
2015-02-13 11:17:08 -05:00
|
|
|
|
2016-02-03 06:18:37 -05:00
|
|
|
In the application form, enter a **Name** (arbitrary), and make sure to set up
|
|
|
|
correctly the **Redirect URI** which is the URL where users will be sent after
|
|
|
|
they authorize with GitLab.
|
|
|
|
|
|
|
|
![New OAuth application form](img/oauth_provider_application_form.png)
|
|
|
|
|
|
|
|
When you hit **Submit** you will be provided with the application ID and
|
|
|
|
the application secret which you can then use with your application that
|
|
|
|
connects to GitLab.
|
|
|
|
|
|
|
|
![OAuth application ID and secret](img/oauth_provider_application_id_secret.png)
|
|
|
|
|
2020-01-08 19:07:40 -05:00
|
|
|
## OAuth applications in the Admin Area
|
2016-02-03 06:18:37 -05:00
|
|
|
|
|
|
|
To create an application that does not belong to a certain user, you can create
|
2020-01-08 19:07:40 -05:00
|
|
|
it from the Admin Area.
|
2016-02-03 06:18:37 -05:00
|
|
|
|
|
|
|
![OAuth admin_applications](img/oauth_provider_admin_application.png)
|
|
|
|
|
2020-01-08 19:07:40 -05:00
|
|
|
You're also able to mark an application as _trusted_ when creating it through the Admin Area. By doing that,
|
2017-07-24 16:45:12 -04:00
|
|
|
the user authorization step is automatically skipped for this application.
|
|
|
|
|
2016-02-03 06:18:37 -05:00
|
|
|
## Authorized applications
|
|
|
|
|
|
|
|
Every application you authorized to use your GitLab credentials will be shown
|
|
|
|
in the **Authorized applications** section under **Profile Settings > Applications**.
|
|
|
|
|
|
|
|
![Authorized_applications](img/oauth_provider_authorized_application.png)
|
|
|
|
|
2016-12-21 09:39:44 -05:00
|
|
|
GitLab's OAuth applications support scopes, which allow various actions that any given
|
2018-08-08 16:03:36 -04:00
|
|
|
application can perform such as `read_user` and `api`. There are many more scopes
|
|
|
|
available.
|
2016-12-21 09:39:44 -05:00
|
|
|
|
|
|
|
At any time you can revoke any access by just clicking **Revoke**.
|