debian-mirror-gitlab/doc/integration/gitlab.md

---
stage: Manage
group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
---

# Integrate your server with GitLab.com **(FREE SELF)**

Import projects from GitLab.com and log in to your GitLab instance with your GitLab.com account.

To enable the GitLab.com OmniAuth provider you must register your application with GitLab.com.
GitLab.com generates an application ID and secret key for you to use.

1. Sign in to GitLab.com.
1. In the upper-right corner, select your avatar.
1. Select **Edit profile**.
1. On the left sidebar, select **Applications**.
1. Provide the required details for **Add new application**.
   - Name: This can be anything. Consider something like `<Organization>'s GitLab` or `<Your Name>'s GitLab` or something else descriptive.
   - Redirect URI:

     ```plaintext
     # You can also use a non-SSL URL, but you should use SSL URLs.
     https://your-gitlab.example.com/import/gitlab/callback
     https://your-gitlab.example.com/users/auth/gitlab/callback
     ```

   The first link is required for the importer and the second for authentication.

   If you:

   - Plan to use the importer, you can leave scopes as they are.
   - Only want to use this application for authentication, we recommend using a more minimal set of scopes. `read_user` is sufficient.

1. Select **Save application**.
1. You should now see an **Application ID** and **Secret**. Keep this page open as you continue
   configuration.
1. On your GitLab server, open the configuration file.

   For Omnibus package:

   ```shell
   sudo editor /etc/gitlab/gitlab.rb
   ```

   For installations from source:

   ```shell
   cd /home/git/gitlab

   sudo -u git -H editor config/gitlab.yml
   ```

1. Configure the [common settings](omniauth.md#configure-common-settings)
   to add `gitlab` as a single sign-on provider. This enables Just-In-Time
   account provisioning for users who do not have an existing GitLab account.
1. Add the provider configuration:

   For Omnibus installations authenticating against **GitLab.com**:

   ```ruby
   gitlab_rails['omniauth_providers'] = [
     {
       name: "gitlab",
       # label: "Provider name", # optional label for login button, defaults to "GitLab.com"
       app_id: "YOUR_APP_ID",
       app_secret: "YOUR_APP_SECRET",
       args: { scope: "read_user" } # optional: defaults to the scopes of the application
     }
   ]
   ```

   Or, for Omnibus installations authenticating against a different GitLab instance:

   ```ruby
   gitlab_rails['omniauth_providers'] = [
     {
       name: "gitlab",
       label: "Provider name", # optional label for login button, defaults to "GitLab.com"
       app_id: "YOUR_APP_ID",
       app_secret: "YOUR_APP_SECRET",
       args: { scope: "read_user", # optional: defaults to the scopes of the application
               client_options: { site: "https://gitlab.example.com" } }
     }
   ]
   ```

   For installations from source authenticating against **GitLab.com**:

   ```yaml
   - { name: 'gitlab',
       # label: 'Provider name', # optional label for login button, defaults to "GitLab.com"
       app_id: 'YOUR_APP_ID',
       app_secret: 'YOUR_APP_SECRET' }
   ```

   Or, for installations from source to authenticate against a different GitLab instance:

   ```yaml
   - { name: 'gitlab',
       label: 'Provider name', # optional label for login button, defaults to "GitLab.com"
       app_id: 'YOUR_APP_ID',
       app_secret: 'YOUR_APP_SECRET',
       args: { "client_options": { "site": 'https://gitlab.example.com' } } }
   ```

   NOTE:
   In GitLab 15.1 and earlier, the `site` parameter requires an `/api/v4` suffix.
   We recommend you drop this suffix after you upgrade to GitLab 15.2 or later.

1. Change `'YOUR_APP_ID'` to the Application ID from the GitLab.com application page.
1. Change `'YOUR_APP_SECRET'` to the secret from the GitLab.com application page.
1. Save the configuration file.
1. Based on how GitLab was installed, implement these changes by using
   the appropriate method:
   - Omnibus GitLab: [reconfigure GitLab](../administration/restart_gitlab.md#omnibus-gitlab-reconfigure).
   - Source: [restart GitLab](../administration/restart_gitlab.md#installations-from-source).

On the sign-in page, there should now be a GitLab.com icon following the
regular sign-in form. Select the icon to begin the authentication process.
GitLab.com asks the user to sign in and authorize the GitLab application. If
everything goes well, the user is returned to your GitLab instance and is
signed in.
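One way to check a provider entry against the recommendations in the steps above, as an added example that is not GitLab's own code. The method `audit_gitlab_provider`, its arguments and the finding strings are hypothetical, and the two sample entries are constructed.

```ruby
require "uri"

# Added example, not GitLab code. The method name, its arguments and the
# finding strings are hypothetical; the sample entries are constructed.
PLACEHOLDERS = %w[YOUR_APP_ID YOUR_APP_SECRET].freeze

def audit_gitlab_provider(providers, gitlab_version:, importer: false)
  provider = providers.find { |p| p[:name] == "gitlab" }
  return ["no provider named gitlab"] unless provider

  findings = []
  %i[app_id app_secret].each do |key|
    value = provider[key].to_s
    findings << "#{key} is empty or a placeholder" if value.empty? || PLACEHOLDERS.include?(value)
  end

  args = provider[:args] || {}
  # Without args[:scope] the request defaults to the scopes of the application.
  unless importer || args[:scope].to_s.split == ["read_user"]
    findings << "authentication only: set scope to read_user"
  end

  site = args.dig(:client_options, :site)
  if site
    uri = URI.parse(site)
    findings << "site does not use https" unless uri.scheme == "https"
    suffix = uri.path.chomp("/").end_with?("/api/v4")
    # NOTE on this page: suffix required up to 15.1, dropped from 15.2 on.
    modern = (gitlab_version.split(".").map(&:to_i) <=> [15, 2]) >= 0
    findings << "drop /api/v4 from site on 15.2 or later" if modern && suffix
    findings << "site needs /api/v4 on 15.1 or earlier" if !modern && !suffix
  end
  findings
end

# Constructed sample entries in the shape of gitlab_rails['omniauth_providers'].
WEAK = [{ name: "gitlab", app_id: "YOUR_APP_ID", app_secret: "0123abcd",
          args: { client_options: { site: "http://gitlab.example.com/api/v4" } } }].freeze
GOOD = [{ name: "gitlab", app_id: "constructed-id", app_secret: "0123abcd",
          args: { scope: "read_user",
                  client_options: { site: "https://gitlab.example.com" } } }].freeze

puts audit_gitlab_provider(WEAK, gitlab_version: "15.4")
puts audit_gitlab_provider(GOOD, gitlab_version: "15.4").empty?
```

Pass `importer: true` when the application is also used for the importer, where the page says the scopes can be left as they are.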

## Reduce access privileges on sign in

> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/337663) in GitLab 14.8 [with a flag](../administration/feature_flags.md) named `omniauth_login_minimal_scopes`. Disabled by default.
> - [Enabled on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/351331) in GitLab 14.9.
> - [Feature flag `omniauth_login_minimal_scopes`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/83453) removed in GitLab 15.2

If you use a GitLab instance for authentication, you can reduce access rights when an OAuth application is used for sign in.

Any OAuth application can advertise the purpose of the application with the
authorization parameter: `gl_auth_type=login`. If the application is
configured with `api` or `read_api`, the access token is issued with
`read_user` for login, because no higher permissions are needed.

The GitLab OAuth client is configured to pass this parameter, but other
applications can also pass it.
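How another OAuth application could pass the parameter described above, as an added example that is not GitLab's own code. The method names are hypothetical, the host names and client ID are constructed, and the `/oauth/authorize` endpoint with the standard OAuth 2.0 query parameters is assumed rather than taken from this page.

```ruby
require "securerandom"
require "uri"

# Added example, not GitLab code. Method names are hypothetical; host names
# and the client ID are constructed.
def login_authorization_url(site:, client_id:, redirect_uri:, state: SecureRandom.hex(16))
  # This page advises SSL URLs for the redirect URI; the example enforces it.
  unless URI.parse(redirect_uri).scheme == "https"
    raise ArgumentError, "redirect_uri must use https"
  end

  query = URI.encode_www_form({
    client_id: client_id,
    redirect_uri: redirect_uri,
    response_type: "code",
    state: state,            # unguessable value, compared again on the callback
    gl_auth_type: "login"    # advertises that the token is only used for sign in
  })
  ["#{site.chomp('/')}/oauth/authorize?#{query}", state]
end

# Simplified model of the rule as worded on this page, for reasoning about
# which scopes to expect on the issued token; not GitLab's implementation.
def expected_token_scopes(app_scopes, auth_params)
  login = auth_params["gl_auth_type"] == "login"
  login && (app_scopes & %w[api read_api]).any? ? ["read_user"] : app_scopes
end

url, state = login_authorization_url(
  site: "https://gitlab.example.com",
  client_id: "constructed-client-id",
  redirect_uri: "https://app.example.com/callback"
)
params = URI.decode_www_form(URI.parse(url).query).to_h
puts url
puts expected_token_scopes(%w[api], params).inspect
```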