Sign out fails for Gitlab integrated with Keycloak OIDC

Time:04-09

When logged into Gitlab using the OAuth2 provider Keycloak and trying to log out, Gitlab redirects to the sign_in page but doesn't end our session on Keycloak, so we are logged in again.

These are the environment variables used in gitlab kubernetes deployment:

- name: OAUTH2_GENERIC_APP_ID
  value: <client-name>
- name: OAUTH2_GENERIC_APP_SECRET
  value: "<client-secret>"
- name: OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL
  value: "https://<keycloak-url>/auth/realms/<realm-name>/protocol/openid-connect/auth"
- name: OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT
  value: "https://<keycloak-url>/auth/realms/<realm-name>/protocol/openid-connect/logout"
- name: OAUTH2_GENERIC_CLIENT_SITE
  value: "https://<keycloak-url>/auth/realms/<realm-name>"
- name: OAUTH2_GENERIC_CLIENT_TOKEN_URL
  value: "https://<keycloak-url>/auth/realms/<realm-name>/protocol/openid-connect/token"
- name: OAUTH2_GENERIC_CLIENT_USER_INFO_URL
  value: "https://<keycloak-url>/auth/realms/<realm-name>/protocol/openid-connect/userinfo"
- name: OAUTH2_GENERIC_ID_PATH
  value: sub
- name: OAUTH2_GENERIC_NAME
  value: Keycloak
- name: OAUTH2_GENERIC_USER_EMAIL
  value: email
- name: OAUTH2_GENERIC_USER_NAME
  value: preferred_username
- name: OAUTH2_GENERIC_USER_UID
  value: sub

- name: OAUTH_ALLOW_SSO
  value: Keycloak
- name: OAUTH_AUTO_LINK_LDAP_USER
  value: "false"
- name: OAUTH_AUTO_LINK_SAML_USER
  value: "false"
- name: OAUTH_AUTO_SIGN_IN_WITH_PROVIDER
  value: Keycloak
- name: OAUTH_BLOCK_AUTO_CREATED_USERS
  value: "false"
- name: OAUTH_ENABLED
  value: "true"
- name: OAUTH_EXTERNAL_PROVIDERS
  value: Keycloak

I have tried a workaround mentioned here: https://gitlab.com/gitlab-org/gitlab/-/issues/31203, but no luck. Please help.

Note:

Gitlab version: 14.9.2
Keycloak version: 17
Kubernetes Version: 1.21.5

CodePudding user response:

To be perfectly clear: the expectation is that you should be signed out of GitLab, not necessarily Keycloak altogether. This is happening correctly, since you see the sign-in page after signing out. For example, if you sign into GitLab using Google and sign out of GitLab, you should only be signed out of GitLab, not Google.

The behavior you are observing is due to the fact that you have auto-login (auto_sign_in_with_provider) enabled, which automatically redirects users from the sign-in page to login again with keycloak (again) immediately after (successfully) signing out.

To avoid this problem, in the GitLab settings (under Admin -> Settings -> General -> Sign-in Restrictions) set the After sign-out path to /users/sign_in?auto_sign_in=false, or in other words https://gitlab.example.com/users/sign_in?auto_sign_in=false.
Note the query string ?auto_sign_in=false will prevent the auto-redirect to sign back into Keycloak. You can also choose a different URL entirely.

See sign-in information and sign in with provider automatically for more information.
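The redirect chain the answer describes, as an added example that is not GitLab's or Keycloak's own code: a small Python model of what happens after sign-out with `auto_sign_in_with_provider` enabled, plus a helper that builds the recommended After sign-out path and an audit that flags the question's environment. The `post_sign_out_destination` logic is a simplified assumption about GitLab's behaviour (sign-in page either redirects to the provider or renders), and the env dictionary is constructed from the variables in the question, not taken from a live deployment.

```python
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse


def after_sign_out_path(gitlab_base_url: str) -> str:
    """Build the 'After sign-out path' the answer recommends for a GitLab base URL."""
    base = urlparse(gitlab_base_url)
    query = urlencode({"auto_sign_in": "false"})
    return urlunparse((base.scheme, base.netloc, "/users/sign_in", "", query, ""))


def auto_sign_in_disabled(url: str) -> bool:
    """True when the URL carries the ?auto_sign_in=false opt-out from the answer."""
    params = parse_qs(urlparse(url).query)
    return params.get("auto_sign_in", [""])[0].lower() == "false"


def post_sign_out_destination(after_sign_out_url: str,
                              auto_sign_in_provider: str,
                              provider_authorize_url: str) -> list:
    """Simplified model (assumption, not GitLab code) of the redirect chain after sign-out.

    GitLab lands the browser on the configured after-sign-out URL. If auto sign-in
    with a provider is on and the URL does not opt out, the sign-in page immediately
    redirects to the provider's authorize endpoint, where a still-live Keycloak
    session logs the user straight back in.
    """
    chain = [after_sign_out_url]
    if auto_sign_in_provider and not auto_sign_in_disabled(after_sign_out_url):
        chain.append(provider_authorize_url)
    return chain


def audit_oauth_env(env: dict, after_sign_out_url: str) -> list:
    """Flag the combination from the question: auto sign-in on, no opt-out after sign-out."""
    findings = []
    provider = env.get("OAUTH_AUTO_SIGN_IN_WITH_PROVIDER", "")
    if provider and not auto_sign_in_disabled(after_sign_out_url):
        findings.append(
            f"OAUTH_AUTO_SIGN_IN_WITH_PROVIDER={provider} with after-sign-out "
            f"path {after_sign_out_url!r}: users are re-authenticated against the "
            f"provider right after signing out; append ?auto_sign_in=false"
        )
    return findings


# Constructed sample values mirroring the question's environment (placeholders, not real hosts).
QUESTION_ENV = {
    "OAUTH_ENABLED": "true",
    "OAUTH_AUTO_SIGN_IN_WITH_PROVIDER": "Keycloak",
    "OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL":
        "https://keycloak.example.com/auth/realms/example/protocol/openid-connect/auth",
}
DEFAULT_AFTER_SIGN_OUT = "https://gitlab.example.com/users/sign_in"
FIXED_AFTER_SIGN_OUT = after_sign_out_path("https://gitlab.example.com")

if __name__ == "__main__":
    authorize = QUESTION_ENV["OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL"]
    print("default :", " -> ".join(post_sign_out_destination(DEFAULT_AFTER_SIGN_OUT, "Keycloak", authorize)))
    print("fixed   :", " -> ".join(post_sign_out_destination(FIXED_AFTER_SIGN_OUT, "Keycloak", authorize)))
    for finding in audit_oauth_env(QUESTION_ENV, DEFAULT_AFTER_SIGN_OUT):
        print("finding :", finding)
```

Running the script prints the two-hop chain for the default path (sign-in page, then the Keycloak authorize endpoint) and the single-hop chain for the fixed path; the audit function is the check to run over a deployment's environment before assuming sign-out works.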
