OpenIdConnect with Azure Entra ID (Azure Active Directory) Not Working

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

• Close this issue

Summary

After migrating to GitLab 17.0.1 from 16.11.0, we've found out that the old OAuth Active Directory authentication was deprecated and as per the documentation, we've migrated to the newer OpenIdConnect Gem.

Steps to reproduce

• Change configuration in gitlab.rb like follows :

### OmniAuth Settings
###! Docs: https://docs.gitlab.com/ee/integration/omniauth.html
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect_2fa']
# gitlab_rails['omniauth_sync_email_from_provider'] = 'saml'
# gitlab_rails['omniauth_sync_profile_from_provider'] = ['saml']
# gitlab_rails['omniauth_sync_profile_attributes'] = ['email']
# gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
gitlab_rails['omniauth_block_auto_created_users'] = false
# gitlab_rails['omniauth_auto_link_ldap_user'] = false
# gitlab_rails['omniauth_auto_link_saml_user'] = false
# gitlab_rails['omniauth_auto_link_user'] = ['saml']
# gitlab_rails['omniauth_external_providers'] = ['twitter', 'google_oauth2']
# gitlab_rails['omniauth_allow_bypass_two_factor'] = ['google_oauth2']
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "openid_connect_2fa",
    "label" => "Entra ID",
    "icon" => "https://upload.wikimedia.org/wikipedia/commons/8/8c/Microsoft_Entra_ID_color_icon.svg",
    "args" => {
      "name" => "openid_connect_2fa",
      "strategy_class" => "OmniAuth::Strategies::OpenIDConnect",
      "scope" => ["openid","profile","email"],
      "response_type" => "code",
      "issuer" => "https://login.microsoftonline.com/<TENANT_ID>/v2.0",
      "discovery" => true,
      "client_auth_method" => "query",
      "uid_field" => "preferred_username",
      "send_scope_to_token_endpoint" => "false",
      "pkce" => true,
      "client_options" => {
        "identifier" => "<CLIENT_ID>",
        "secret" => "<CLIENT_SECRET>",
        "redirect_uri" => "https://<DOMAIN>/users/auth/azure_oauth2/callback"
      }
    }
  }
]

What is the current bug behavior?

Users cannot login to GitLab

What is the expected correct behavior?

Users should be logged-in.

Relevant logs and/or screenshots

Results of GitLab environment info

Expand for output related to GitLab environment info

System information
System:         Ubuntu 20.04
Proxy:          no
Current User:   git
Using RVM:      no
Ruby Version:   3.1.5p253
Gem Version:    3.5.9
Bundler Version:2.5.9
Rake Version:   13.0.6
Redis Version:  7.0.15
Sidekiq Version:7.1.6
Go Version:     unknown

GitLab information
Version:        17.0.1-ee
Revision:       cf71f280df3
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     14.11
URL:            XXX
HTTP Clone URL: XXX
SSH Clone URL:  XXX
Elasticsearch:  no
Geo:            no
Using LDAP:     no
Using Omniauth: yes
Omniauth Providers: openid_connect_2fa, gitlab

GitLab Shell
Version:        14.35.0
Repository storages:
- default:      unix:/var/opt/gitlab/gitaly/gitaly.socket
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell

Gitaly
- default Address:      unix:/var/opt/gitlab/gitaly/gitaly.socket
- default Version:      17.0.1
- default Git Version:  2.44.1.gl1

Results of GitLab application Check

Expand for output related to the GitLab application check

Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 14.35.0 ? ... OK (14.35.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab App ...
Database config exists? ... yes
Tables are truncated? ... skipped
All migrations up? ...
yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Cable config exists? ... yes
Resque config exists? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Projects have namespace: ...
2/1 ... yes
8/3 ... yes
8/4 ... yes
8/5 ... yes
8/6 ... yes
23/7 ... yes
40/8 ... yes
25/9 ... yes
26/14 ... yes
22/15 ... yes
27/16 ... yes
30/17 ... yes
30/19 ... yes
30/20 ... yes
30/21 ... yes
30/23 ... yes
30/24 ... yes
8/25 ... yes
8/26 ... yes
8/27 ... yes
8/28 ... yes
8/29 ... yes
8/30 ... yes
8/31 ... yes
8/32 ... yes
8/33 ... yes
8/34 ... yes
34/35 ... yes
35/36 ... yes
37/37 ... yes
37/38 ... yes
37/39 ... yes
37/40 ... yes
38/41 ... yes
38/42 ... yes
35/43 ... yes
36/44 ... yes
35/45 ... yes
44/46 ... yes
35/47 ... yes
8/48 ... yes
49/49 ... yes
49/50 ... yes
25/51 ... yes
53/53 ... yes
25/54 ... yes
36/55 ... yes
53/56 ... yes
53/57 ... yes
67/59 ... yes
70/60 ... yes
8/63 ... yes
38/64 ... yes
53/65 ... yes
8/66 ... yes
143/67 ... yes
149/68 ... yes
151/69 ... yes
153/70 ... yes
151/71 ... yes
38/72 ... yes
160/73 ... yes
160/74 ... yes
160/75 ... yes
160/76 ... yes
165/77 ... yes
160/78 ... yes
25/79 ... yes
35/80 ... yes
36/81 ... yes
36/82 ... yes
172/84 ... yes
36/85 ... yes
178/86 ... yes
180/87 ... yes
180/88 ... yes
180/89 ... yes
35/90 ... yes
185/91 ... yes
160/92 ... yes
37/93 ... yes
193/95 ... yes
37/96 ... yes
196/97 ... yes
8/98 ... yes
203/99 ... yes
190/100 ... yes
196/101 ... yes
196/102 ... yes
209/103 ... yes
34/104 ... yes
214/105 ... yes
203/106 ... yes
8/107 ... yes
8/108 ... yes
226/111 ... yes
226/112 ... yes
226/113 ... yes
8/114 ... yes
8/115 ... yes
236/116 ... yes
236/117 ... yes
236/118 ... yes
236/119 ... yes
236/120 ... yes
196/121 ... yes
244/123 ... yes
246/124 ... yes
246/125 ... yes
246/126 ... yes
246/127 ... yes
4/128 ... yes
8/130 ... yes
196/131 ... yes
196/133 ... yes
268/134 ... yes
292/136 ... yes
292/137 ... yes
282/138 ... yes
292/139 ... yes
292/140 ... yes
8/141 ... yes
291/143 ... yes
300/144 ... yes
246/145 ... yes
293/147 ... yes
264/148 ... yes
311/149 ... yes
322/150 ... yes
8/151 ... yes
319/152 ... yes
322/153 ... yes
35/154 ... yes
8/155 ... yes
319/156 ... yes
244/157 ... yes
334/158 ... yes
336/160 ... yes
8/161 ... yes
340/162 ... yes
246/163 ... yes
292/164 ... yes
292/165 ... yes
332/166 ... yes
332/167 ... yes
292/168 ... yes
332/169 ... yes
351/170 ... yes
354/171 ... yes
244/172 ... yes
Redis version >= 6.2.14? ... yes
Ruby version >= 3.0.6 ? ... yes (3.1.5)
Git user has default SSH configuration? ... yes
Active users: ... 96
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Elasticsearch version 7.x-8.x or OpenSearch version 1.x ... skipped (Advanced Search is disabled)
All migrations must be finished before doing a major upgrade ... skipped (Advanced Search is disabled)
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished