3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-30 02:46:30 +02:00
Code Issues Projects Releases Packages Wiki Activity

Update GitLab provider docs (#1591)

Browse source 
* Update GitLab provider docs

Updates GitLab provider docs to reference self-hosted GitLab and provide additional clarity on required scopes.

* precommit fix

Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com>
This commit is contained in:
Brad Jones 2021-02-01 16:48:06 -07:00 committed by GitHub
parent 655951cfa1
commit 2f3c73baf3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 29 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

46
docs/docs/identity-providers/gitlab.md
View file

@ -19,21 +19,19 @@ This document describes the use of GitLab as an identity provider with Pomerium.
![create an application](./img/gitlab/gitlab-create-applications.png)
3. Add a new application by setting the following parameters:
1. Add a new application by setting the following parameters:
Field | Description
------------ | --------------------------------------------
------------ | ---------------------------------------------------------------------------------
Name | The name of your web app
Redirect URI | `https://${authenticate_service_url}/oauth2/callback`
Scopes | **Must** select the same as **[identity scopes]** option
If no scopes are set, you **must** select **openid**, **api**, **profile** and **email**.
Scopes | `openid` required; `read_api`, `profile`, `email` as necessary for your policies.
Your `Client ID` and `Client Secret` will be displayed like below:
![Gitlab OAuth Client ID and Secret](./img/gitlab/gitlab-credentials.png)
4. Set `Client ID` and `Client Secret` in Pomerium's settings.
1. Set `Client ID` and `Client Secret` in Pomerium's settings.
## Service Account
@ -41,7 +39,6 @@ To use `allowed_groups` in a policy an `idp_service_account` needs to be set in
![Gitlab Personal Access Token](./img/gitlab/gitlab-personal-access-token.png)
The format of the `idp_service_account` for Gitlab is a base64-encoded JSON document:
```json
@ -52,20 +49,35 @@ The format of the `idp_service_account` for Gitlab is a base64-encoded JSON docu
## Pomerium Configuration
Your configuration should look like the following example:
```bash
authenticate_service_url: https://authenticate.localhost.pomerium.io
idp_provider: "gitlab"
idp_client_id: "REDACTED" // gitlab application ID
idp_client_secret: "REDACTED" // gitlab application secret
idp_service_account: "REDACTED" // gitlab service account
```
When a user first uses pomerium to login, they will be presented with an authorization screen similar to the following depending on the scope parameters setup:
![gitlab access authorization screen](./img/gitlab/gitlab-verify-access.png)
Please be aware that [Group ID](https://docs.gitlab.com/ee/api/groups.html#details-of-a-group) will be used to affirm group(s) a user belongs to.
### GitLab.com
Your configuration should look like the following example:
```
authenticate_service_url: https://authenticate.localhost.pomerium.io
idp_provider: "gitlab"
idp_client_id: "REDACTED" // gitlab application ID
idp_client_secret: "REDACTED" // gitlab application secret
idp_service_account: "REDACTED" // gitlab service account, base64 json
```
### Self-Hosted GitLab
Self-hosted CE/EE instances should be configured as a generic OpenID Connect provider:
```
idp_provider: oidc
idp_client_id: "REACTED"
idp_client_secret: "REDACTED"
idp_scopes: openid,email // Intersects with scopes
idp_provider_url: https://gitlab.example.com // Base URL of GitLab instance
idp_service_account: "REDACTED" // gitlab service account, base64 json
```
[identity scopes]: ../../reference/readme.md#identity-provider-scopes