Geo - Static redirect_uri for OIDC SSO
Summary
When OIDC is used for SSO on a Geo installation with split URLs (a separate domain per instance), the OIDC redirect_uri is always set to the primary instance's URL, so there is no way to log into the secondary instance.
Steps to reproduce
- Set up a GitLab installation in two environments, one geo primary and one geo secondary, with split URLs
- Configure authentication in the primary for OIDC against e.g. Keycloak
- Navigate to the secondary instance. You will be redirected to the OIDC provider to authenticate. If you care to, use the browser's developer tools to observe the redirect: the redirect_uri parameter in the authorization request sent to the OIDC provider is the domain of the primary, even though you were attempting to log into the secondary.
- After authentication, the OIDC provider will redirect you to the primary instance. You will not be logged in to the secondary.
- This appears to be because the OIDC redirect_uri must be configured to a static value, so users will always be redirected to the same instance by the OIDC provider.
- I'm not sure if the cookie scope or another issue prevents the OIDC session from being valid for the secondary, but once authenticated to the primary this way, the secondary will still redirect to the OIDC provider.
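The developer-tools observation in the steps above can be made repeatable. The following Ruby script is an added example, not code from GitLab or from this report: it takes the Location header an instance returns when it bounces an unauthenticated browser to the OIDC provider, extracts the redirect_uri parameter, and checks whether its host matches the host the user actually visited. The sample Location value and the hostnames (gitlab-primary.example.com, gitlab-secondary.example.com, keycloak.example.com) are constructed placeholders.

```ruby
require "uri"
require "cgi"

# Constructed sample: the Location header a Geo secondary returns when it
# redirects an unauthenticated browser to the OIDC provider. In the bug
# described above, redirect_uri names the primary, not the secondary.
SAMPLE_LOCATION = "https://keycloak.example.com/realms/gitlab/protocol/openid-connect/auth" \
  "?client_id=gitlab&response_type=code&scope=openid" \
  "&redirect_uri=https%3A%2F%2Fgitlab-primary.example.com%2Fusers%2Fauth%2Fopenid_connect%2Fcallback" \
  "&state=abc123"

# Extract the redirect_uri parameter from an OIDC authorization request URL.
# Returns nil when the parameter is absent.
def extract_redirect_uri(authorize_url)
  query = URI.parse(authorize_url).query
  return nil if query.nil?

  values = CGI.parse(query)["redirect_uri"]
  values.empty? ? nil : values.first
end

# Compare the host named in redirect_uri with the host the user visited.
# Returns a hash so the result can be logged or asserted on rather than
# only printed.
def check_redirect_uri(authorize_url, visited_host)
  redirect_uri = extract_redirect_uri(authorize_url)
  return { ok: false, reason: "redirect_uri missing" } if redirect_uri.nil?

  callback_host = URI.parse(redirect_uri).host
  if callback_host == visited_host
    { ok: true, callback_host: callback_host }
  else
    {
      ok: false,
      callback_host: callback_host,
      reason: "redirect_uri points at #{callback_host}, not #{visited_host}"
    }
  end
end

if $PROGRAM_NAME == __FILE__
  # Simulate a user who started on the secondary.
  result = check_redirect_uri(SAMPLE_LOCATION, "gitlab-secondary.example.com")
  puts(result[:ok] ? "OK: redirect_uri matches the visited host" : "Mismatch: #{result[:reason]}")
end
```

Run it against the Location header captured from each instance (for example, the value shown in the developer tools network panel for the redirect to the provider) with the hostname you typed into the browser as the second argument; a mismatch on the secondary is the symptom this issue describes.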
What is the current bug behavior?
In a split-URL geo setup using OIDC, it is impossible to log into the secondary.
What is the expected correct behavior?
How exactly this should work probably depends on details of the OIDC protocol. For SAML, the documentation says to leave assertion_consumer_service_url unconfigured, which results in each Geo instance generating its own ACS URL. For OIDC, the redirect_uri is mandatory and there is no apparent way to have it differ between instances.
Results of GitLab environment info
This issue is occurring on 15.5.4, but the documentation does not show a way to solve the same problem on newer versions.