In this article, we outline which options should be configured in Kommander to instruct Dex to use the GitLab OAuth2 flow to identify the end user through their GitLab account.
The following options must be specified for the Dex apps in the Kommander 2.x configuration file:
- type: gitlab
baseURL: http(s)://<Gitlab URL>
clientID: <Client ID>
clientSecret: <Client Secret>
redirectURI: https://LB-Type Service IP Address/dex/callback
The clientID refers to Application ID in Gitlab, clientSecret maps to the application Secret in Gitlab. As to redirectURI, it is the location where the Gitlab identity platform redirects a user's client and sends security tokens after authentication. This parameter refers to the ip address of the metallb ip address, in case it is an on-premise DKP cluster, or the FQDN of the cloud Load Balancer, in case of a cluster deployed in a cloud provider. In any case, the following command can be used to get the endpoint:
To set an OAuth app in Gitlab, go to Admin Area/Applications, click on “New application” and provide and configure the required parameters, as shown in the picture below:
As mentioned in Dex documentation , the application requires the user to grant the read_user and openid scopes, scopes is required only if group membership is a desired claim.
Once the user clicks on “Save application”, it gets redirected to a page where it can obtain the clientID and create the secretID.
While setting Dex to use Gitlab as its upstream IdP provider, the most common issues encountered are:
1. The redirect uri included is not valid. To fix this, please make sure that the redirectURI is set to the
2. The requested scope is invalid, unknown, or malformed.This is because the scopes are not set correctly, please make sure read_user and openid are selected.
If after following the instructions in this article you’re still having issues, do not hesitate and open a support request with the D2iQ Support Team.