OIDC unified login integration: GitLab

Background

All of the earlier preparation work to stand up an OIDC-compliant provider was done so that third-party systems could be connected through that standard. This time we try single sign-on for GitLab using OpenID Connect.
The provider setup is described in: OIDC setup with Ory Hydra 2.0 in practice

Practice

OmniAuth documentation

Edit the gitlab.rb file

Under the OIDC standard, most of the values you need to fill in can be read from the provider's discovery document at {{baseUrl}}/.well-known/openid-configuration

```ruby
gitlab_rails['omniauth_enabled'] = true # enable OmniAuth
gitlab_rails['omniauth_allow_single_sign_on'] = true # when true, a user that does not yet exist in GitLab is created automatically on first sign-in
gitlab_rails['omniauth_block_auto_created_users'] = false # whether auto-created users are blocked: false means they are usable immediately, true means a GitLab admin must unblock them manually
gitlab_rails['omniauth_auto_link_user'] = true # whether to automatically link an existing GitLab account with the same identity


gitlab_rails['omniauth_providers'] = [
  {
    'name' => 'oauth2_generic',
    'app_id' => 'faff0a71-45d5-4636-a91c-ff637888745c', # OAuth2 app_id, issued by the SSO service
    'app_secret' => 'TsittyC1.nr4LcBjf8p9ud2E0H', # OAuth2 app_secret, issued by the SSO service
    'args' => {
      client_options: {
        'site' => 'https://api.junyao.com/hydra', # SSO base URL
        'authorize_url' => '/oauth2/auth', # authorization URL
        'token_url' => '/oauth2/token', # token URL
        'user_info_url' => '/userinfo' # user info URL
      },
      user_response_structure: {
        root_path: [], # leave empty when the attributes are at the top level; e.g. ['data', 'user'] if they are returned in JsonAPI format (in a 'user' node nested under a 'data' node)
        id_path: ['uid'], # how to configure the user info mapping is explained in detail below
        attributes: { name: 'username', nickname: 'nickname', email: 'email' }, # how to configure the user info mapping is explained in detail below
        # optionally, you can add the following two lines to "white label" the display name
        # of this strategy (appears in urls and Gitlab login buttons)
        # If you do this, you must also replace oauth2_generic, everywhere it appears above, with the new name.
        name: 'SSO', # this value appears on the login page and in the identity's identifier; use English (Chinese is not supported)
        strategy_class: "OmniAuth::Strategies::OAuth2Generic" # Devise-specific config option Gitlab uses to find renamed strategy
      }
  }
]
```
Alternatively, GitLab's built-in openid_connect provider can use the issuer's discovery document directly:

```ruby
gitlab_rails['omniauth_providers'] = [
  { 'name' => 'openid_connect',
    'label' => 'Authing',
    'args' => {
      'name' => 'openid_connect',
      'scope' => ['openid', 'profile', 'email', 'phone'],
      'response_type' => 'code',
      'issuer' => '<oidc_issuer>',
      'discovery' => true,
      'client_auth_method' => 'basic',
      'uid_field' => 'sub',
      'client_options' => {
        'identifier' => '<oidc_identifier>',
        'secret' => '<oidc_secret>',
        'redirect_uri' => '<your_gitlab_url>/users/auth/openid_connect/callback'
      }
    }
  }
]
```
Then apply the configuration:

```shell
sudo gitlab-ctl reconfigure
```

Configuration notes

user_response_structure
This setting maps the user information returned by your SSO service's user_info_url endpoint onto GitLab's user fields. If your user info endpoint returns a structure such as

```json
{
  "code": 200,
  "data": {
    "uid": 1,
    "username": "zhangsan",
    "nickname": "张三",
    "email": "zhangsan@junyao.com"
  }
}
```

then root_path can be left unconfigured.
id_path should be set to the user's unique identifier.
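As an added example (not from the original post, and not the gem itself), the following Ruby mirrors how omniauth-oauth2-generic resolves user_response_structure: root_path is prepended to id_path and to every attributes path, and the keys are looked up one by one in the parsed userinfo JSON. It runs the mapping from the gitlab.rb example against a constructed flat response and against a constructed response wrapped in a `data` node, which only root_path: ['data'] reaches; a nil uid is what GitLab would then see.

```ruby
require 'json'

# Added example: a small re-implementation of the path walking that
# omniauth-oauth2-generic performs for `user_response_structure`.
# root_path is prepended to id_path and to each attribute path, and the
# resulting keys are looked up in turn in the parsed userinfo response.
def fetch_user_info(raw_info, root_path, path)
  return nil if path.nil?
  full_path = Array(root_path) + Array(path)
  full_path.inject(raw_info) { |node, key| node.is_a?(Hash) ? node[key] : nil }
end

# Returns { uid: ..., info: { name:, nickname:, email: } }, the shape GitLab's
# OmniAuth callback consumes to find or create the user.
def map_user(raw_info, structure)
  root = structure[:root_path]
  {
    uid:  fetch_user_info(raw_info, root, structure[:id_path]),
    info: structure[:attributes].map { |key, path| [key, fetch_user_info(raw_info, root, path)] }.to_h
  }
end

# The mapping from the gitlab.rb example above (root_path left empty).
FLAT_STRUCTURE = {
  root_path: [],
  id_path: ['uid'],
  attributes: { name: 'username', nickname: 'nickname', email: 'email' }
}.freeze

# Same mapping, but descending into a top-level "data" node first.
NESTED_STRUCTURE = FLAT_STRUCTURE.merge(root_path: ['data']).freeze

# Constructed userinfo responses (sample data, not a real account).
FLAT_RESPONSE = JSON.parse(
  '{"uid":1,"username":"zhangsan","nickname":"Zhang San","email":"zhangsan@example.com"}'
).freeze
NESTED_RESPONSE = JSON.parse(
  '{"code":200,"data":{"uid":1,"username":"zhangsan","nickname":"Zhang San","email":"zhangsan@example.com"}}'
).freeze

if __FILE__ == $PROGRAM_NAME
  p map_user(FLAT_RESPONSE, FLAT_STRUCTURE)      # uid 1, all attributes filled
  p map_user(NESTED_RESPONSE, FLAT_STRUCTURE)    # uid nil: nothing under "data" is reached
  p map_user(NESTED_RESPONSE, NESTED_STRUCTURE)  # uid 1 again
end
```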

For more detailed notes see the GitLab documentation: omniauth-oauth2-generic

Related

Using Authing for GitLab single sign-on