OpenID Connect with Keycloak causes 500 error
I am running gitlab/gitlab-ce:13.0.0-ce.0 in kubernetes. My configuration:
external_url 'http://gitlab.xxx.com/'
gitlab_rails['gitlab_default_theme'] = 2
gitlab_rails['gitlab_default_projects_features_wiki'] = false
gitlab_rails['gitlab_default_projects_features_container_registry'] = false
gitlab_rails['time_zone'] = 'Asia/Shanghai'
prometheus['enable'] = false
grafana['enable'] = false
gitlab_rails['omniauth_sync_email_from_provider'] = 'Keycloak'
gitlab_rails['omniauth_sync_profile_from_provider'] = ['Keycloak']
gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
gitlab_rails['omniauth_allow_single_sign_on'] = ['Keycloak']
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'Keycloak'
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_external_providers'] = ['Keycloak']
# https://docs.gitlab.com/ee/administration/auth/oidc.html
gitlab_rails['omniauth_providers'] = [
  { 'name' => 'Keycloak',
    'label' => 'Keycloak',
    'args' => {
      'name' => 'openid_connect',
      'scope' => ['openid','profile'],
      'response_type' => 'code',
      'issuer' => 'http://keycloak.xxx.com/auth/realms/bgzchina',
      'discovery' => true,
      'client_auth_method' => 'query',
      'uid_field' => 'preferred_username',
      'send_scope_to_token_endpoint' => 'false',
      'client_options' => {
        'identifier' => 'gitlab',
        'secret' => '996efd19-96f0-42a2-b74f-df7482a137ee',
        'redirect_uri' => 'http://gitlab.xxx.com/users/auth/openid_connect/callback'
      }
    }
  }
]
When I try to log in through openid_connect, I get a 500 error. The server error log:
Started GET "/users/sign_in" for 172.31.63.133 at 2020-06-29 13:39:47 +0000
Processing by SessionsController#new as HTML
Completed 500 Internal Server Error in 2301ms (ActiveRecord: 7.3ms | Elasticsearch: 0.0ms | Allocations: 131778)
NoMethodError (undefined method `user_Keycloak_omniauth_authorize_path' for #<ActionDispatch::Routing::RoutesProxy:0x00007fe0eec30920>):
app/controllers/sessions_controller.rb:251:in `auto_sign_in_with_provider'
app/controllers/application_controller.rb:496:in `set_current_admin'
lib/gitlab/session.rb:11:in `with_session'
app/controllers/application_controller.rb:487:in `set_session_storage'
lib/gitlab/i18n.rb:55:in `with_locale'
lib/gitlab/i18n.rb:61:in `with_user_locale'
app/controllers/application_controller.rb:481:in `set_locale'
lib/gitlab/error_tracking.rb:48:in `with_context'
app/controllers/application_controller.rb:546:in `sentry_context'
app/controllers/application_controller.rb:474:in `block in set_current_context'
lib/gitlab/application_context.rb:52:in `block in use'
lib/gitlab/application_context.rb:52:in `use'
lib/gitlab/application_context.rb:20:in `with_context'
app/controllers/application_controller.rb:467:in `set_current_context'
lib/gitlab/middleware/rails_queue_duration.rb:29:in `call'
lib/gitlab/metrics/rack_middleware.rb:17:in `block in call'
lib/gitlab/metrics/transaction.rb:56:in `run'
lib/gitlab/metrics/rack_middleware.rb:17:in `call'
lib/gitlab/request_profiler/middleware.rb:17:in `call'
lib/gitlab/middleware/go.rb:20:in `call'
lib/gitlab/etag_caching/middleware.rb:13:in `call'
lib/gitlab/middleware/multipart.rb:125:in `call'
lib/gitlab/middleware/read_only/controller.rb:51:in `call'
lib/gitlab/middleware/read_only.rb:18:in `call'
lib/gitlab/middleware/same_site_cookies.rb:27:in `call'
lib/gitlab/middleware/basic_health_check.rb:25:in `call'
lib/gitlab/middleware/request_context.rb:23:in `call'
config/initializers/fix_local_cache_middleware.rb:9:in `call'
lib/gitlab/metrics/requests_rack_middleware.rb:60:in `call'
lib/gitlab/middleware/release_env.rb:12:in `call'
If I comment out gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'Keycloak', the error below comes out when logging in:
Signing in using your Openid Connect account without a pre-existing GitLab account is not allowed. Create a GitLab account first, and then connect it to your Openid Connect account.
According to the doc:
allow_single_sign_on allows you to specify the providers you want to allow to automatically create an account. It defaults to false. If false users must be created manually or they will not be able to sign in via OmniAuth.
I already specified allow_single_sign_on, so why is the account not created?
What I want to achieve is to create users only in Keycloak; when signing in through Keycloak, a user should be created in GitLab automatically, and that user should be able to sign in to GitLab automatically if a Keycloak session is already established.
So, what's wrong with my configuration? Please help.
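The trace above shows GitLab looking up user_Keycloak_omniauth_authorize_path, i.e. the route helper is built from the provider 'name', and the second error message names the provider "Openid Connect", i.e. the callback identifies it by the OmniAuth strategy name. An added consistency check (not part of the original post) that flags omniauth_* settings referencing a display label instead of that strategy name; the settings hashes are constructed to mirror the post, and check_omniauth and authorize_path_helper are my own names:

```ruby
# Provider entry as GitLab's OIDC docs shape it: 'name' and args['name'] are both
# the strategy name; 'label' is the free-form button text (constructed sample).
OIDC_PROVIDER = {
  'name'  => 'openid_connect',
  'label' => 'Keycloak',
  'args'  => { 'name' => 'openid_connect',
               'issuer' => 'http://keycloak.xxx.com/auth/realms/bgzchina' }
}

# Corrected gitlab.rb values: every reference uses the strategy name.
CORRECTED = {
  'omniauth_allow_single_sign_on'       => ['openid_connect'],
  'omniauth_auto_sign_in_with_provider' => 'openid_connect',
  'omniauth_external_providers'         => ['openid_connect'],
  'omniauth_sync_profile_from_provider' => ['openid_connect'],
  'omniauth_sync_email_from_provider'   => 'openid_connect',
  'omniauth_providers'                  => [OIDC_PROVIDER]
}

# The values as posted: the label 'Keycloak' is used everywhere instead.
AS_POSTED = {
  'omniauth_allow_single_sign_on'       => ['Keycloak'],
  'omniauth_auto_sign_in_with_provider' => 'Keycloak',
  'omniauth_external_providers'         => ['Keycloak'],
  'omniauth_sync_profile_from_provider' => ['Keycloak'],
  'omniauth_sync_email_from_provider'   => 'Keycloak',
  'omniauth_providers'                  => [OIDC_PROVIDER.merge('name' => 'Keycloak')]
}

# Route helper GitLab calls for auto sign-in (the one missing in the NoMethodError).
def authorize_path_helper(provider_name)
  "user_#{provider_name}_omniauth_authorize_path"
end

# Names a provider entry registers: top-level 'name' (routes) and args['name']
# (strategy seen at the callback). A provider only counts as usable when they agree.
def registered_names(settings)
  settings.fetch('omniauth_providers', []).map { |p| [p['name'], p.dig('args', 'name')] }
end

# Returns [reference, missing_route_helper] pairs for every omniauth_* reference
# that does not resolve to a usable provider name; empty means consistent.
def check_omniauth(settings)
  names = registered_names(settings).select { |top, arg| arg.nil? || top == arg }.map(&:first)
  refs  = settings.reject { |k, _| k == 'omniauth_providers' }
                  .values.flat_map { |v| Array(v) }.map(&:to_s).uniq
  refs.reject { |r| names.include?(r) }.map { |r| [r, authorize_path_helper(r)] }
end
```

Running check_omniauth against AS_POSTED reports 'Keycloak' with the exact helper name from the trace, while CORRECTED reports nothing, which is also why allow_single_sign_on never matched and no account was created.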