---
stage: Ecosystem
group: Integrations
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---

# Sign into GitLab with (almost) any OAuth2 provider **(FREE SELF)**

The `omniauth-oauth2-generic` gem allows Single Sign-On between GitLab and your own OAuth2 provider
(or any OAuth2 provider compatible with this gem).

This strategy is designed to allow configuration of the simple OmniAuth SSO process outlined below:

1. Strategy directs client to your authorization URL (**configurable**), with specified ID and key
1. OAuth provider handles authentication of request, user, and (optionally) authorization to access user's profile
1. OAuth provider directs client back to GitLab where Strategy handles retrieval of access token
1. Strategy requests user information from a **configurable** "user profile" URL (using the access token)
1. Strategy parses user information from the response, using a **configurable** format
1. GitLab finds or creates the returned user and logs them in

## Limitations of this Strategy

- It can only be used for Single Sign-On, and doesn't provide any other access granted by any OAuth provider
  (importing projects or users, etc.)
- It only supports the Authorization Grant flow (most common for client-server applications, like GitLab)
- It is not able to fetch user information from more than one URL
- It has not been tested with user information formats other than JSON

## Configuration Instructions

1. Register your application in the OAuth2 provider you wish to authenticate with.

   The redirect URI you provide when registering the application should be:

   ```plaintext
   http://your-gitlab.host.com/users/auth/oauth2_generic/callback
   ```

1. You should now be able to get a Client ID and Client Secret.
   Where these show up differs for each provider.
   They may also be called Application ID and Secret.

1. On your GitLab server, open the configuration file.

   For Omnibus package:

   ```shell
   sudo editor /etc/gitlab/gitlab.rb
   ```

   For installations from source:

   ```shell
   cd /home/git/gitlab
   sudo -u git -H editor config/gitlab.yml
   ```

1. See [Configure initial settings](omniauth.md#configure-initial-settings) for initial settings.

1. Add the provider-specific configuration for your provider, for example:

   ```ruby
   gitlab_rails['omniauth_providers'] = [
     {
       name: "oauth2_generic",
       label: "Provider name", # optional label for login button, defaults to "Oauth2 Generic"
       app_id: "<your_app_client_id>",
       app_secret: "<your_app_client_secret>",
       args: {
         client_options: {
           site: "<your_auth_server_url>",
           user_info_url: "/oauth2/v1/userinfo",
           authorize_url: "/oauth2/v1/authorize",
           token_url: "/oauth2/v1/token"
         },
         user_response_structure: {
           root_path: [],
           id_path: ["sub"],
           attributes: {
             email: "email",
             name: "name"
           }
         },
         authorize_params: {
           scope: "openid profile email"
         },
         strategy_class: "OmniAuth::Strategies::OAuth2Generic"
       }
     }
   ]
   ```

   For more information about these settings, see [the gem's README](https://gitlab.com/satorix/omniauth-oauth2-generic#gitlab-config-example).

1. Save the configuration file.

1. Restart GitLab for the changes to take effect.

On the sign-in page there should now be a new button below the regular sign-in form.
Click the button to begin your provider's authentication process. This directs
the browser to your OAuth2 Provider's authentication page. If everything goes well,
the user is returned to your GitLab instance and is signed in.
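
The `user_response_structure` setting in the configuration above tells the strategy where in the user-info response to find the user ID and attributes. As an added example (not code from GitLab or from the gem), the Ruby script below resolves those paths against a constructed sample response, so a wrong path shows up before anyone tries to sign in. It assumes that a string path is looked up under `root_path` and an array path starts at the top of the response (check the gem's README for the exact rules); the helper names are hypothetical.

```ruby
require "json"

# Constructed sample of a provider's user-info response (not real data).
SAMPLE_USERINFO = <<~JSON
  {"sub": "248289761001", "name": "Jane Doe", "email": "jane@example.com"}
JSON

# The user_response_structure from the configuration on this page.
STRUCTURE = {
  root_path: [],
  id_path: ["sub"],
  attributes: { email: "email", name: "name" }
}.freeze

# Assumed lookup rule: an Array is a path from the top of the response,
# a String is a single key under root_path.
def dig_path(info, root_path, path)
  keys = path.is_a?(Array) ? path : Array(root_path) + [path]
  keys.reduce(info) { |node, key| node.is_a?(Hash) ? node[key.to_s] : nil }
end

# Resolve the uid and the mapped attributes from a raw JSON user-info body.
def resolve_user(json_body, structure)
  info = JSON.parse(json_body)
  user = { uid: dig_path(info, structure[:root_path], structure[:id_path]) }
  structure[:attributes].each do |attr, path|
    user[attr] = dig_path(info, structure[:root_path], path)
  end
  user
end

# True only for a non-empty string or a number (not nil, a hash or a list).
def scalar_present?(value)
  (value.is_a?(String) || value.is_a?(Numeric)) && !value.to_s.strip.empty?
end

# List the identity fields that came back empty or non-scalar, which
# usually means a wrong path in user_response_structure.
def mapping_problems(user)
  %i[uid email].reject { |field| scalar_present?(user[field]) }
               .map { |field| "#{field} did not resolve to a non-empty value" }
end

if __FILE__ == $PROGRAM_NAME
  user = resolve_user(SAMPLE_USERINFO, STRUCTURE)
  puts user.inspect
  puts mapping_problems(user).inspect
end
```

To check a real provider, replace `SAMPLE_USERINFO` with a response body captured from your provider's user profile URL and `STRUCTURE` with the values from your own configuration.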