8.4 KiB
stage | group | info |
---|---|---|
Manage | Authentication and Authorization | To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments |
Use GitHub as an authentication provider (FREE SELF)
You can integrate your GitLab instance with GitHub.com and GitHub Enterprise. You can import projects from GitHub, or sign in to GitLab with your GitHub credentials.
Create an OAuth app in GitHub
To enable the GitHub OmniAuth provider, you need an OAuth 2.0 client ID and client secret from GitHub:
- Sign in to GitHub.
- Create an OAuth App
and provide the following information:
- The URL of your GitLab instance, such as
https://gitlab.example.com
. - The authorization callback URL, such as,
https://gitlab.example.com/users/auth
. Include the port number if your GitLab instance uses a non-default port.
- The URL of your GitLab instance, such as
Check for security vulnerabilities
For some integrations, the OAuth 2 covert redirect
vulnerability can compromise GitLab accounts.
To mitigate this vulnerability, append /users/auth
to the authorization
callback URL.
However, as far as we know, GitHub does not validate the subdomain part of the redirect_uri
.
Therefore, a subdomain takeover, an XSS, or an open redirect on any subdomain of
your website could enable the covert redirect attack.
Enable GitHub OAuth in GitLab
-
Edit the common configuration file settings to add
github
as a single sign-on provider. This enables Just-In-Time account provisioning for users who do not have an existing GitLab account. -
Edit the GitLab configuration file using the following information:
GitHub setting Value in the GitLab configuration file Description Client ID YOUR_APP_ID
OAuth 2.0 client ID Client secret YOUR_APP_SECRET
OAuth 2.0 client secret URL https://github.example.com/
GitHub deployment URL -
For Omnibus installations
-
Open the
/etc/gitlab/gitlab.rb
file.For GitHub.com, update the following section:
gitlab_rails['omniauth_providers'] = [ { name: "github", # label: "Provider name", # optional label for login button, defaults to "GitHub" app_id: "YOUR_APP_ID", app_secret: "YOUR_APP_SECRET", args: { scope: "user:email" } } ]
For GitHub Enterprise, update the following section and replace
https://github.example.com/
with your GitHub URL:gitlab_rails['omniauth_providers'] = [ { name: "github", # label: "Provider name", # optional label for login button, defaults to "GitHub" app_id: "YOUR_APP_ID", app_secret: "YOUR_APP_SECRET", url: "https://github.example.com/", args: { scope: "user:email" } } ]
-
Save the file and reconfigure GitLab.
-
-
For installations from source
-
Open the
config/gitlab.yml
file.For GitHub.com, update the following section:
- { name: 'github', # label: 'Provider name', # optional label for login button, defaults to "GitHub" app_id: 'YOUR_APP_ID', app_secret: 'YOUR_APP_SECRET', args: { scope: 'user:email' } }
For GitHub Enterprise, update the following section and replace
https://github.example.com/
with your GitHub URL:- { name: 'github', # label: 'Provider name', # optional label for login button, defaults to "GitHub" app_id: 'YOUR_APP_ID', app_secret: 'YOUR_APP_SECRET', url: "https://github.example.com/", args: { scope: 'user:email' } }
-
Save the file and restart GitLab.
-
-
-
Refresh the GitLab sign-in page. A GitHub icon should display below the sign-in form.
-
Select the icon. Sign in to GitHub and authorize the GitLab application.
Troubleshooting
Imports from GitHub Enterprise with a self-signed certificate fail
When you import projects from GitHub Enterprise using a self-signed certificate, the imports fail.
To fix this issue, you must disable SSL verification:
-
Set
verify_ssl
tofalse
in the configuration file.-
For Omnibus installations
gitlab_rails['omniauth_providers'] = [ { name: "github", # label: "Provider name", # optional label for login button, defaults to "GitHub" app_id: "YOUR_APP_ID", app_secret: "YOUR_APP_SECRET", url: "https://github.example.com/", verify_ssl: false, args: { scope: "user:email" } } ]
-
For installations from source
- { name: 'github', # label: 'Provider name', # optional label for login button, defaults to "GitHub" app_id: 'YOUR_APP_ID', app_secret: 'YOUR_APP_SECRET', url: "https://github.example.com/", verify_ssl: false, args: { scope: 'user:email' } }
-
-
Change the global Git
sslVerify
option tofalse
on the GitLab server.-
For Omnibus installations in GitLab 15.3 and later:
gitaly['gitconfig'] = [ {key: "http.sslVerify", value: "false"}, ]
-
For Omnibus installations in GitLab 15.2 and earlier (legacy method):
omnibus_gitconfig['system'] = { "http" => ["sslVerify = false"] }
-
For installations from source in GitLab 15.3 and later, edit the Gitaly configuration (
gitaly.toml
):[[git.config]] key = "http.sslVerify" value = "false"
-
For installations from source in GitLab 15.2 and earlier (legacy method):
git config --global http.sslVerify false
-
-
Reconfigure GitLab if you installed using Omnibus, or restart GitLab if you installed from source.
Signing in using GitHub Enterprise returns a 500 error
This error can occur because of a network connectivity issue between your GitLab instance and GitHub Enterprise.
To check for a connectivity issue:
-
Go to the
production.log
on your GitLab server and look for the following error:Faraday::ConnectionFailed (execution expired)
-
Start the rails console and run the following commands. Replace
<github_url>
with the URL of your GitHub Enterprise instance:uri = URI.parse("https://<github_url>") # replace `GitHub-URL` with the real one here http = Net::HTTP.new(uri.host, uri.port) http.use_ssl = true http.verify_mode = 1 response = http.request(Net::HTTP::Get.new(uri.request_uri))
-
If a similar
execution expired
error is returned, this confirms the error is caused by a connectivity issue. Make sure the GitLab server can reach your GitHub Enterprise instance.
Signing in using your GitHub account without a pre-existing GitLab account is not allowed
When you sign in to GitLab, you get the following error:
Signing in using your GitHub account without a pre-existing
GitLab account is not allowed. Create a GitLab account first,
and then connect it to your GitHub account
To fix this issue, you must activate GitHub sign-in in GitLab:
- On the top bar, in the upper-right corner, select your avatar.
- Select Edit profile.
- On the left sidebar, select Account.
- In the Service sign-in section, select Connect to GitHub.