Skip to main content

Gitlab SSO OIDC Setup

Clone Docker Toolkit (Optional)

If not already done clone the docker toolkit repo

git clone https://gitlab.com/D3vbd/docker-toolkit.git ~/docker-toolkit

This will setup the toolkit in the folder ~/docker-toolkit.

We will be using the vault folder.

~/docker-toolkit/vault

Gitlab Application

In your Gitlab Group go to

Settings -> Applications

  1. Create a new application vault

Set the redirect uris.At least 1 is required.

https://localhost:8200/ui/vault/auth/gitlab-oidc/oidc/callback
https://vault.localhost:8200/ui/vault/auth/gitlab-oidc/oidc/callback
https://vault.svc.D3vbd:8200/ui/vault/auth/gitlab-oidc/oidc/callback
  1. Uncheck Confidential

  2. Add Scopes

  • openid
  • email
  • profile

Copy Down the Client ID and Secret

Setup Vars

export GITLABCI_AUTH_PATH="gitlab-oidc" 

# Vault address
export VAULT_ADDR="https://vault.localhost:8200"

## Can add more
export REDIRECT_URI="$VAULT_ADDR/ui/vault/auth/$GITLABCI_AUTH_PATH/oidc/callback"
export LOCALHOST_REDIRECT_URI="https://localhost:8200/ui/vault/auth/$GITLABCI_AUTH_PATH/oidc/callback"
export PROD_REDIRECT_URI="https://vault.svc.d3vbd:8200/ui/vault/auth/$GITLABCI_AUTH_PATH/oidc/callback"

### root token from startup
### or a token if you have enabled a different auth method
export VAULT_TOKEN=""

###### Gitlab Application
export CLIENT_ID=""
export CLIENT_SECRET=""

Enable OIDC

vault auth enable -path=$GITLABCI_AUTH_PATH oidc

vault write auth/$GITLABCI_AUTH_PATH/config \
bound_issuer="https://gitlab.com" \
oidc_discovery_url="https://gitlab.com" \
default_role="admin" \
oidc_client_secret="$CLIENT_SECRET" \
oidc_client_id="$CLIENT_ID"

Create Auth Role

Policy

# Path to admin policiy
vault write sys/policy/admin policy=@./vault/policies/admin.hcl

Role

set the bound claims group to your gitlab group.

I am using all 3 urls for allowed redirects. feel free to change or just use $REDIRECT_URI

vault write  auth/gitlab-oidc/role/admin - <<EOF
{
"user_claim": "email",
"allowed_redirect_uris": [
"$REDIRECT_URI",
"$LOCALHOST_REDIRECT_URI",
"$PROD_REDIRECT_URI"
],
"bound_audiences": "$CLIENT_ID",
"oidc_scopes": "openid,email,profile",
"role_type": "oidc",
"policies": ["default","admin"],
"ttl": "1h",
"bound_claims": { "groups": ["D3vbd"] }
}
EOF

Repeat for adding new roles to the auth method. The admin role should give you full access.

Show on Login

oidc-login

To get this to appear on login, go into the UI and edit the auth methods options.

make sure List method when unauthenticated is checked. Save and re-login.

options