Add ChatGPT OAuth provider
What does this MR do and why?
https://gitlab.com/gitlab-org/developer-relations/contributor-success/team-task/-/issues/1211
Adds ChatGPT as an OmniAuth OAuth2 provider, allowing users to sign in to GitLab using their OpenAI/ChatGPT account.
This includes:
- A custom OmniAuth strategy (
OmniAuth::Strategies::Chatgpt) implementing OAuth2 + PKCE against OpenAI's auth endpoints - User identity is extracted from the OIDC
id_tokenJWT payload (thesub,name,email, andemail_verifiedclaims) - Sign-in button icon for the ChatGPT provider
- Provider label mapping (
chatgpt→ChatGPT) - Example configuration in
gitlab.yml.example
Configuration
Admins can enable the provider by adding the following to their OmniAuth configuration:
omniauth:
providers:
- { name: 'chatgpt',
app_id: 'YOUR_APP_ID',
app_secret: 'YOUR_APP_SECRET' }The provider supports auto_link_user (matching existing users by email) and allow_single_sign_on (auto-creating new accounts) as with other OAuth providers.
References
Screenshots or screen recordings
How to set up and validate locally
- Add the ChatGPT provider to your
config/gitlab.ymlunderdevelopment.omniauth.providers:development: omniauth: providers: - { name: 'chatgpt', app_id: 'YOUR_APP_ID', app_secret: 'YOUR_APP_SECRET' } - Obtain the client_id and client_secret from the Engineering 1Password Vault:
ChatGPT Dev OAuth Application - Restart GDK
- Visit the sign-in page and click the ChatGPT sign-in button
- Authenticate with your OpenAI account
- Verify you are signed in to GitLab
Test auto-linking, by setting auto_link_user: true at the omniauth: level and ensure a GitLab user exists with the same email as your OpenAI account.
Test SSO by setting allow_single_sign_on: ['chatgpt'] at the omniauth: level and make sure a user DOES NOT exist with the same email as your OpenAI account.
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.