Can't get omniauth-openid-connect provider working.
My goal is to set up a GitLab instance that allows user creation & sign-in via an OpenID Connect provider. Starting today with a clean gitlab/gitlab-ce:latest Docker container, I spent about 14 hrs getting through the following before finally getting stuck:
- Figured out how to run the container and edit the config/gitlab.rb.
- Figured out what all the various omniauth options do and set them appropriately:
  - omniauth_enabled = true
  - omniauth_allow_single_sign_on = true
  - omniauth_block_auto_created_users = false
- Configured and tested integration with the 'github' and 'google_oauth2' providers.
- Connected to the running container, installed a new gem (omniauth-openid-connect), and created a new image based on that, which I then ran.
- Tried to achieve a correct config for omniauth-openid-connect, testing against Google (they are an OpenID Connect provider as well).
I've got the OpenID Connect handoff successfully hitting Google's auth endpoint and returning to the callback. The problem is, instead of creating an account and logging me in (as happens with github/google_oauth2), the callback returns 401 and asks me to log in.
Relevant sample from the gitlab-rails/production.log:
==> /var/log/gitlab/gitlab-rails/production.log <==
Started GET "/users/auth/google_openid_connect/callback?state=3c24eec02eafcac0ce5fcdb889159f51&code=[FILTERED]&authuser=0&prompt=consent&session_state=bbab9748bf680d2b653fc06ad746aa6a699b7a06..8187" for 127.0.0.1 at 2015-10-11 09:27:55 +0000
Processing by NamespacesController#show as HTML
Parameters: {"state"=>"3c24eec02eafcac0ce5fcdb889159f51", "code"=>"[FILTERED]", "authuser"=>"0", "prompt"=>"consent", "session_state"=>"bbab9748bf680d2b653fc06ad746aa6a699b7a06..8187", "id"=>"users/auth/google_openid_connect/callback"}
Completed 401 Unauthorized in 79ms (ActiveRecord: 6.8ms)
The provider config:
    gitlab_rails['omniauth_providers'] = [
      {
        'name' => 'openid_connect',
        'args' => {
          'name' => :google_opennid_connect,
          'scope' => [:openid, :email],
          'response_type' => :code,
          'issuer' => 'accounts.google.com',
          'client_options' => {
            'identifier' => '...',
            'secret' => '...',
            'redirect_uri' => 'http://code.lvh.me/users/auth/google_openid_connect/callback',
            'authorization_endpoint' => 'https://accounts.google.com/o/oauth2/v2/auth',
            'token_endpoint' => 'https://www.googleapis.com/oauth2/v4/token',
            'userinfo_endpoint' => 'https://www.googleapis.com/oauth2/v3/userinfo',
          },
        }
      },
    ]
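The log above shows the callback request landing in NamespacesController#show rather than in an OmniAuth callback route, which is what happens when the path the IdP redirects to was never registered. The following script is an added example, not code from the reporter or from GitLab or omniauth-openid-connect: it takes a copy of the posted provider config (client id and secret replaced with placeholders) and checks it for the consistency problems an OIDC integration most often trips over. OmniAuth mounts a provider's callback at `/users/auth/<name>/callback` (the path visible in the log), so the registered `name` must match the path in `redirect_uri`; the `issuer` must be the exact string the IdP places in the ID token's `iss` claim, which for Google is `https://accounts.google.com`; and token and userinfo traffic must stay on HTTPS. Run against the posted config it flags the `google_opennid_connect` / `google_openid_connect` mismatch, the scheme-less issuer and the plaintext redirect URI; whether those are the only causes of the 401 is an assumption, not something the log proves.

```ruby
require 'uri'

# Constructed copy of the provider config from the issue (client id/secret elided).
# NOTE: the name deliberately keeps the "opennid" spelling of the posted config.
POSTED_PROVIDER = {
  'name' => 'openid_connect',
  'args' => {
    'name' => :google_opennid_connect,
    'scope' => [:openid, :email],
    'response_type' => :code,
    'issuer' => 'accounts.google.com',
    'client_options' => {
      'identifier' => 'CLIENT_ID_PLACEHOLDER',
      'secret' => 'CLIENT_SECRET_PLACEHOLDER',
      'redirect_uri' => 'http://code.lvh.me/users/auth/google_openid_connect/callback',
      'authorization_endpoint' => 'https://accounts.google.com/o/oauth2/v2/auth',
      'token_endpoint' => 'https://www.googleapis.com/oauth2/v4/token',
      'userinfo_endpoint' => 'https://www.googleapis.com/oauth2/v3/userinfo',
    },
  },
}

# Returns an array of human-readable findings; an empty array means nothing
# obviously inconsistent was found.
def check_oidc_provider(provider)
  findings = []
  args = provider['args'] || {}
  opts = args['client_options'] || {}

  # 1. OmniAuth registers each provider's callback at /users/auth/<name>/callback.
  #    If the configured name and the redirect_uri path disagree, the IdP redirects
  #    to a route GitLab never registered and the request falls through to an
  #    unrelated controller, which then demands a login.
  name = args['name'].to_s
  expected_path = "/users/auth/#{name}/callback"
  redirect = (URI.parse(opts['redirect_uri'].to_s) rescue nil)
  if redirect.nil? || redirect.path != expected_path
    findings << "redirect_uri path #{redirect && redirect.path.inspect} does not match provider name #{name.inspect} (expected #{expected_path})"
  end

  # 2. The issuer is compared byte-for-byte with the ID token's `iss` claim.
  #    Google issues tokens with iss = https://accounts.google.com, so a bare
  #    hostname never validates.
  issuer = args['issuer'].to_s
  unless issuer.start_with?('https://')
    findings << "issuer #{issuer.inspect} is not an https:// URL; ID token iss comparison will fail"
  end

  # 3. Token and userinfo exchanges carry the client secret and bearer tokens;
  #    they must not travel over plaintext.
  %w[authorization_endpoint token_endpoint userinfo_endpoint].each do |key|
    ep = opts[key].to_s
    findings << "#{key} #{ep.inspect} is not https" unless ep.start_with?('https://')
  end

  # 4. An http:// redirect_uri exposes the authorization code in transit
  #    (tolerable on a local test host, never in production).
  if redirect && redirect.scheme == 'http'
    findings << "redirect_uri uses http; the authorization code is exposed in transit"
  end

  # 5. The authorization code flow needs response_type code and the openid scope.
  scopes = Array(args['scope']).map(&:to_sym)
  findings << "scope must include :openid" unless scopes.include?(:openid)
  findings << "response_type should be :code" unless args['response_type'].to_s == 'code'

  findings
end

if __FILE__ == $0
  check_oidc_provider(POSTED_PROVIDER).each { |f| puts "- #{f}" }
end
```

The checks are deliberately offline: they reason only about the hash in gitlab.rb, so they can run before the container is rebuilt. A natural extension is to fetch `<issuer>/.well-known/openid-configuration` and compare its `issuer`, `authorization_endpoint`, `token_endpoint` and `userinfo_endpoint` values against the hash, which catches a stale or mistyped endpoint the static checks cannot.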