2020-10-29 11:09:12 -04:00
---
2020-11-27 13:09:52 -05:00
stage: Create
group: Ecosystem
2020-11-26 01:09:20 -05:00
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
2020-10-29 11:09:12 -04:00
---
2016-02-03 06:18:37 -05:00
# GitLab as OAuth2 authentication service provider
2015-02-18 23:49:19 -05:00
2016-02-03 06:18:37 -05:00
This document is about using GitLab as an OAuth authentication service provider
to sign in to other services.
2015-02-18 23:49:19 -05:00
2019-01-11 10:38:15 -05:00
If you want to use:
2020-05-04 11:09:38 -04:00
- The [OAuth2 ](https://oauth.net/2/ ) protocol to access GitLab resources on user's behalf,
see [OAuth2 provider ](../api/oauth2.md )
2019-01-11 10:38:15 -05:00
- Other OAuth authentication service providers to sign in to
GitLab, see the [OAuth2 client documentation ](omniauth.md ).
- The related API, see [Applications API ](../api/applications.md ).
2015-02-13 11:17:08 -05:00
2016-02-03 06:18:37 -05:00
## Introduction to OAuth
2015-02-13 11:17:08 -05:00
2019-07-08 19:14:29 -04:00
[OAuth ](https://oauth.net/2/ ) provides to client applications a 'secure delegated access' to server
2016-02-03 06:18:37 -05:00
resources on behalf of a resource owner. In fact, OAuth allows an authorization
server to issue access tokens to third-party clients with the approval of the
resource owner, or the end-user.
2015-02-13 11:17:08 -05:00
2016-02-03 06:18:37 -05:00
OAuth is mostly used as a Single Sign-On service (SSO), but you can find a
lot of different uses for this functionality. For example, you can allow users
to sign in to your application with their GitLab.com account, or GitLab.com
can be used for authentication to your GitLab instance
(see [GitLab OmniAuth ](gitlab.md )).
2015-02-13 11:17:08 -05:00
2016-02-03 06:18:37 -05:00
The 'GitLab Importer' feature is also using the OAuth protocol to give access
to repositories without sharing user credentials to your GitLab.com account.
2015-02-13 11:17:08 -05:00
2016-02-03 06:18:37 -05:00
GitLab supports two ways of adding a new OAuth2 application to an instance. You
2020-01-08 19:07:40 -05:00
can either add an application as a regular user or add it in the Admin Area.
2016-02-03 06:18:37 -05:00
What this means is that GitLab can actually have instance-wide and a user-wide
applications. There is no difference between them except for the different
2019-01-11 10:38:15 -05:00
permission levels they are set (user/admin). The default callback URL is
2016-07-14 05:10:15 -04:00
`http://your-gitlab.example.com/users/auth/gitlab/callback`
2015-02-13 11:17:08 -05:00
2016-02-03 06:18:37 -05:00
## Adding an application through the profile
2015-02-13 11:17:08 -05:00
2016-02-03 06:18:37 -05:00
In order to add a new application via your profile, navigate to
**Profile Settings > Applications** and select **New Application** .
2015-02-13 11:17:08 -05:00
2016-02-03 06:18:37 -05:00
![New OAuth application ](img/oauth_provider_user_wide_applications.png )
2015-02-13 11:17:08 -05:00
2016-02-03 06:18:37 -05:00
In the application form, enter a **Name** (arbitrary), and make sure to set up
2020-11-19 13:09:13 -05:00
correctly the **Redirect URI** which is the URL where users are sent after
2016-02-03 06:18:37 -05:00
they authorize with GitLab.
![New OAuth application form ](img/oauth_provider_application_form.png )
2020-11-19 13:09:13 -05:00
When you click **Submit** you are provided with the application ID and
2016-02-03 06:18:37 -05:00
the application secret which you can then use with your application that
connects to GitLab.
![OAuth application ID and secret ](img/oauth_provider_application_id_secret.png )
2020-01-08 19:07:40 -05:00
## OAuth applications in the Admin Area
2016-02-03 06:18:37 -05:00
To create an application that does not belong to a certain user, you can create
2020-01-08 19:07:40 -05:00
it from the Admin Area.
2016-02-03 06:18:37 -05:00
![OAuth admin_applications ](img/oauth_provider_admin_application.png )
2020-01-08 19:07:40 -05:00
You're also able to mark an application as _trusted_ when creating it through the Admin Area. By doing that,
2017-07-24 16:45:12 -04:00
the user authorization step is automatically skipped for this application.
2016-02-03 06:18:37 -05:00
## Authorized applications
2020-11-19 13:09:13 -05:00
Every application you authorized to use your GitLab credentials is shown
2016-02-03 06:18:37 -05:00
in the **Authorized applications** section under **Profile Settings > Applications** .
![Authorized_applications ](img/oauth_provider_authorized_application.png )
2020-12-15 22:09:46 -05:00
The GitLab OAuth applications support scopes, which allow various actions that any given
2018-08-08 16:03:36 -04:00
application can perform such as `read_user` and `api` . There are many more scopes
available.
2016-12-21 09:39:44 -05:00
At any time you can revoke any access by just clicking **Revoke** .