3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-08-06 10:21:05 +02:00
Code Issues Projects Releases Packages Wiki Activity
pomerium/docs/docs/identity-providers/gitlab.md
Brad Jones 2f3c73baf3
Update GitLab provider docs (#1591) 
* Update GitLab provider docs

Updates GitLab provider docs to reference self-hosted GitLab and provide additional clarity on required scopes.

* precommit fix

Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com>
2021-02-01 15:48:06 -08:00

2.9 KiB
Raw Blame History

title lang sidebarDepth meta
GitLab en-US 0
name content
keywords gitlab oidc openid-connect identity-provider

GitLab

This document describes the use of GitLab as an identity provider with Pomerium.

Setting up GitLab OAuth2 for your Application

  1. Log in to your GitLab account or create one here.

  2. Go to the user settings which can be found in the user profile to create an application like below:

create an application

  1. Add a new application by setting the following parameters:
Field Description
Name The name of your web app
Redirect URI https://${authenticate_service_url}/oauth2/callback
Scopes openid required; read_api, profile, email as necessary for your policies.

Your Client ID and Client Secret will be displayed like below:

Gitlab OAuth Client ID and Secret

  1. Set Client ID and Client Secret in Pomerium's settings.

Service Account

To use allowed_groups in a policy an idp_service_account needs to be set in the Pomerium configuration. The service account for Gitlab uses a personal access token generated at: gitlab.com/profile/personal_access_tokens with read_api access:

Gitlab Personal Access Token

The format of the idp_service_account for Gitlab is a base64-encoded JSON document:

{
  "private_token": "..."
}

Pomerium Configuration

When a user first uses pomerium to login, they will be presented with an authorization screen similar to the following depending on the scope parameters setup:

gitlab access authorization screen

Please be aware that Group ID will be used to affirm group(s) a user belongs to.

GitLab.com

Your configuration should look like the following example:

authenticate_service_url: https://authenticate.localhost.pomerium.io
idp_provider: "gitlab"
idp_client_id: "REDACTED"   // gitlab application ID
idp_client_secret: "REDACTED"   // gitlab application secret
idp_service_account: "REDACTED"   // gitlab service account, base64 json

Self-Hosted GitLab

Self-hosted CE/EE instances should be configured as a generic OpenID Connect provider:

idp_provider: oidc
idp_client_id: "REACTED"
idp_client_secret: "REDACTED"
idp_scopes: openid,email // Intersects with scopes
idp_provider_url: https://gitlab.example.com // Base URL of GitLab instance
idp_service_account: "REDACTED"   // gitlab service account, base64 json