JetBrains Hub is a user management tool that enables single sign-on across all JetBrains web applications (like YouTrack or Upsource). But it can also work as a standalone oauth2/saml provider, which makes it tempting to use it as a central user repository for a number of different applications, for example GitLab. JetBrains provides an oauth2 profile for GitLab that allows signing in to Hub using GitLab credentials (GitLab acts as the oauth2 provider), but we'd like to do the opposite: use Hub as the oauth2 provider for GitLab, and sign in to GitLab with Hub credentials.
Assuming you have Hub at https://hub.mycompany.com and GitLab at https://git.mycompany.com, first you have to configure a new GitLab service in Hub:
The important part is the Redirect URI, which should be set to /users/auth/oauth2_generic/callback according to the GitLab documentation. The ID and Secret fields are randomly generated by Hub; I use the $APP_ID and $SECRET placeholders for them below.
The next step is to enable the omniauth provider in GitLab by editing its configuration file gitlab.rb (in the docker distribution it's located in /etc/gitlab):
```ruby
gitlab_rails['omniauth_enabled'] = true
# Allow users to sign in through the generic oauth2 strategy
gitlab_rails['omniauth_allow_single_sign_on'] = ['oauth2_generic']
# Accounts created on first sign-in stay blocked until an admin approves them
gitlab_rails['omniauth_block_auto_created_users'] = true
```
The next step is to provide the detailed configuration for authorization by the oauth2_generic provider (in the same configuration file):
```ruby
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "oauth2_generic",
    "app_id" => "$APP_ID",       # generated by Hub for the GitLab service
    "app_secret" => "$SECRET",   # generated by Hub for the GitLab service
    "args" => {
      client_options: {
        "site" => "https://hub.mycompany.com",
        "user_info_url" => "/hub/api/rest/users/me",
        "authorize_url" => "/hub/api/rest/oauth2/auth?response_type=token&redirect_uri=https%3A%2F%2Fgit.mycompany.com&request_credentials=default&client_id=$APP_ID&scope=0-0-0-0-0",
        "token_url" => "/hub/api/rest/oauth2/token"
      },
      # Map the JSON returned by user_info_url onto the omniauth user info
      user_response_structure: {
        root_path: [],
        attributes: { nickname: 'login', name: 'name' }
      },
      name: 'Hub',   # display name of the strategy (was a bare `name =>`, which is not valid here)
      strategy_class: "OmniAuth::Strategies::OAuth2Generic"
    }
  }
]
```
The structure above is documented in the omniauth-oauth2-generic README; here is a little more light on the mysterious parameter values:

- site is of course the Hub URL.
- authorize_url and token_url are the Hub oauth2 endpoints, and all of the authorize_url parameters are described in the Hub oauth2 implicit flow documentation:
  - response_type=token is mandatory.
  - redirect_uri=https://git.mycompany.com is the URL the auth process should redirect to after authorization; however, I didn't dig a lot to check how it's related to the Redirect URI configured in Hub (or even whether it's required here).
  - request_credentials=default is described in the documentation (if a user is already logged in to Hub, then authorize the user to the client service; if a user is not logged in to Hub, then navigate the user to the login form).
  - client_id=$APP_ID is another parameter I didn't check whether it is required here, since it's given a few lines above, but I gave it.
  - scope=0-0-0-0-0 is the ID of the Hub service we request access to. If you look at the Hub services config, you will find this as the ID of the Hub service itself, and to perform auth we just need access to this service.

Some more explanation is required for user_info_url and user_response_structure. After authorization GitLab wants to get the user data from the oauth2 provider service in the format omniauth expects. But it can also get it in a different format and then map it. To get the user info I use the Hub Get me API method, which for a guest user returns the following JSON:
```json
{
  "type": "user",
  "id": "adc9041c-beed-489e-8bd3-051154e894fb",
  "name": "guest",
  "login": "guest",
  "banned": true,
  "guest": true
}
```
And then in user_response_structure I map this JSON to the omniauth JSON. To make it work you need at least the login field mapped to nickname.
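To see what that mapping does with the Hub response, here is an added example (not code from the post or from the omniauth-oauth2-generic gem) that applies a user_response_structure of the shape used above to the guest JSON and fails when no login is available for nickname. The map_user_info function name and the sample JSON are constructed for this example; it also accepts a non-empty root_path, which the post's config does not need.

```ruby
require 'json'

# The mapping configured in gitlab.rb above.
USER_RESPONSE_STRUCTURE = {
  root_path: [],
  attributes: { nickname: 'login', name: 'name' }
}.freeze

# Constructed sample: the guest-user JSON returned by Hub's "Get me" endpoint.
HUB_GUEST_JSON = <<~JSON
  {
    "type": "user",
    "id": "adc9041c-beed-489e-8bd3-051154e894fb",
    "name": "guest",
    "login": "guest",
    "banned": true,
    "guest": true
  }
JSON

# Walk root_path into the parsed body (an empty root_path means the
# attributes sit at the top level), then pick each configured attribute.
# Returns the omniauth-style info hash; raises when the field that should
# become nickname is missing, because GitLab cannot match or create an
# account without it.
def map_user_info(body, structure = USER_RESPONSE_STRUCTURE)
  data = JSON.parse(body)
  root = structure[:root_path].reduce(data) { |node, key| node.fetch(key) }
  info = structure[:attributes].to_h { |omni_key, hub_key| [omni_key, root[hub_key]] }
  raise ArgumentError, 'user info has no login to use as nickname' if info[:nickname].nil?
  info
end
```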
After configuring all this you need to restart GitLab using:

```sh
gitlab-ctl reconfigure
```
And you can enjoy the working Hub oauth2 provider on the GitLab login screen:
git command line

However, the oauth2 method will only work through the GitLab web interface. If you additionally want to log in to your git repositories with the command-line git client (and you do), you have to generate an access token for your user in GitLab settings:
After generating the access token you can log in with the git client over the https:// protocol, using your username and the access token as the password.