In this article, we outline which options should be configured in Kommander to instruct Dex to use the GitLab OAuth2 flow to identify the end user through their GitLab account.
Solution
The following options must be specified for the Dex app in the Kommander 2.x configuration file:
apiVersion: config.kommander.mesosphere.io/v1alpha1
kind: Installation
apps:
  dex:
    values: |
      config:
        connectors:
        - type: gitlab
          id: gitlab
          name: Gitlab
          config:
            baseURL: http(s)://<Gitlab URL>
            clientID: <Client ID>
            clientSecret: <Client Secret>
            redirectURI: https://<LB-Type Service IP Address>/dex/callback
The clientID refers to the Application ID in GitLab, and clientSecret maps to the application Secret in GitLab. The redirectURI is the location to which the GitLab identity platform redirects the user's client and sends security tokens after authentication. It refers to the MetalLB IP address in the case of an on-premise DKP cluster, or to the FQDN of the cloud load balancer in the case of a cluster deployed in a cloud provider. In either case, the following command returns the endpoint:
kubectl get svc -n kommander kommander-traefik
To set up an OAuth app in GitLab, go to Admin Area/Applications, click on “New application” and configure the required parameters, as shown in the picture below:
As mentioned in the Dex documentation [1], the application requires the user to grant the read_user and openid scopes; an additional scope is required only if group membership is a desired claim.
Once the user clicks on “Save application”, they are redirected to a page where they can obtain the clientID and the clientSecret.
While setting Dex to use GitLab as its upstream IdP, the most common issues encountered are:
1. The redirect URI included is not valid. To fix this, make sure that the redirectURI is set to the
2. The requested scope is invalid, unknown, or malformed. This happens when the scopes are not set correctly; make sure read_user and openid are selected.
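The redirectURI derivation described above and the first troubleshooting item can be checked before the Installation file is applied. The following helper is an added example, not Kommander or Dex code; it assumes the `status.loadBalancer.ingress` list of the kommander-traefik Service has been read with `kubectl get svc -n kommander kommander-traefik -o json` and uses constructed sample values for the MetalLB and cloud cases.

```python
# Added helper (not part of Kommander or Dex): derive the Dex GitLab
# redirectURI from the kommander-traefik LoadBalancer endpoint and sanity
# check the connector values before they go into the Installation file.
from urllib.parse import urlparse

# Constructed examples of status.loadBalancer.ingress: MetalLB on-prem
# hands out an IP address, a cloud load balancer usually a hostname.
METALLB_INGRESS = [{"ip": "192.0.2.10"}]
CLOUD_INGRESS = [{"hostname": "a1b2c3.elb.example.com"}]


def redirect_uri_for(ingress):
    """Return https://<LB endpoint>/dex/callback for the first ingress entry."""
    if not ingress:
        raise ValueError("service has no LoadBalancer ingress yet")
    entry = ingress[0]
    host = entry.get("hostname") or entry.get("ip")
    if not host:
        raise ValueError("ingress entry carries neither hostname nor ip")
    return f"https://{host}/dex/callback"


def check_gitlab_connector(connector, ingress):
    """Return a list of findings for one Dex gitlab connector (empty = OK)."""
    findings = []
    cfg = connector.get("config", {})
    if connector.get("type") != "gitlab":
        findings.append("connector type must be gitlab")
    for key in ("baseURL", "clientID", "clientSecret", "redirectURI"):
        value = cfg.get(key, "")
        if not value or "<" in value:  # template placeholder left in place
            findings.append(f"{key} is missing or still a placeholder")
    base = urlparse(cfg.get("baseURL", ""))
    if base.scheme not in ("http", "https") or not base.netloc:
        findings.append("baseURL must be http(s)://<GitLab URL>")
    expected = redirect_uri_for(ingress)
    if cfg.get("redirectURI") != expected:
        findings.append(f"redirectURI must be {expected}")
    return findings
```

An empty list means the connector block matches what GitLab will be told as callback; any other finding corresponds to one of the errors listed above.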
References:
[1] https://dexidp.io/docs/connectors/gitlab/