When logged into GitLab using the OAuth2 provider Keycloak and trying to log out, GitLab redirects to the sign_in page but doesn't end our session on Keycloak, so we are logged in again.
These are the environment variables used in the GitLab Kubernetes deployment:
- name: OAUTH2_GENERIC_APP_ID
  value: <client-name>
- name: OAUTH2_GENERIC_APP_SECRET
  value: "<client-secret>"
- name: OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL
  value: "https://<keycloak-url>/auth/realms/<realm-name>/protocol/openid-connect/auth"
- name: OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT
  value: "https://<keycloak-url>/auth/realms/<realm-name>/protocol/openid-connect/logout"
- name: OAUTH2_GENERIC_CLIENT_SITE
  value: "https://<keycloak-url>/auth/realms/<realm-name>"
- name: OAUTH2_GENERIC_CLIENT_TOKEN_URL
  value: "https://<keycloak-url>/auth/realms/<realm-name>/protocol/openid-connect/token"
- name: OAUTH2_GENERIC_CLIENT_USER_INFO_URL
  value: "https://<keycloak-url>/auth/realms/<realm-name>/protocol/openid-connect/userinfo"
- name: OAUTH2_GENERIC_ID_PATH
  value: sub
- name: OAUTH2_GENERIC_NAME
  value: Keycloak
- name: OAUTH2_GENERIC_USER_EMAIL
  value: email
- name: OAUTH2_GENERIC_USER_NAME
  value: preferred_username
- name: OAUTH2_GENERIC_USER_UID
  value: sub
- name: OAUTH_ALLOW_SSO
  value: Keycloak
- name: OAUTH_AUTO_LINK_LDAP_USER
  value: "false"
- name: OAUTH_AUTO_LINK_SAML_USER
  value: "false"
- name: OAUTH_AUTO_SIGN_IN_WITH_PROVIDER
  value: Keycloak
- name: OAUTH_BLOCK_AUTO_CREATED_USERS
  value: "false"
- name: OAUTH_ENABLED
  value: "true"
- name: OAUTH_EXTERNAL_PROVIDERS
  value: Keycloak
I have tried a workaround mentioned here: https://gitlab.com/gitlab-org/gitlab/-/issues/31203, but no luck. Please help.
Note:
Gitlab version: 14.9.2
Keycloak version: 17
Kubernetes Version: 1.21.5
CodePudding user response:
To be perfectly clear: the expectation is that you should be signed out of GitLab, not necessarily Keycloak altogether. This is happening correctly since you see the sign-in page after signing out. For example, if you sign into GitLab using Google and sign out of GitLab, you should only be signed out of GitLab, not Google.
The behavior you are observing is due to the fact that you have auto-login (auto_sign_in_with_provider) enabled, which automatically redirects users from the sign-in page to log in with Keycloak again immediately after (successfully) signing out.
To avoid this problem, in the GitLab settings (under Admin -> Settings -> General -> Sign-in Restrictions) set the After sign-out path to be /users/sign_in?auto_sign_in=false, or in other words https://gitlab.example.com/users/sign_in?auto_sign_in=false
Note the query string ?auto_sign_in=false will prevent the auto-redirect to sign back into Keycloak. You can also choose a different URL entirely.
See sign-in information and sign in with provider automatically for more information.
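The following is an added example, not code from the answer above, from GitLab or from Keycloak. It lints the kind of environment configuration shown in the question for the sign-out loop the answer describes: auto sign-in with a provider turned on while the after-sign-out target is the sign-in page without auto_sign_in=false. The env var names are the ones from the question; AFTER_SIGN_OUT_PATH is a hypothetical variable standing in for the Admin -> Settings -> General -> Sign-in Restrictions value, the keycloak.example.com / myrealm URLs are constructed placeholders, and the rule "anything other than auto_sign_in=false keeps the auto redirect on" is a conservative assumption about GitLab's behaviour rather than something the page states.

```python
"""Lint a GitLab OAuth env config for the sign-out -> auto-sign-in loop.

Added example, not GitLab's or Keycloak's code. AFTER_SIGN_OUT_PATH is a
hypothetical variable standing in for the GUI setting "After sign-out path".
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SIGN_IN_PATH = "/users/sign_in"

# Constructed sample mirroring the question's deployment; an empty
# AFTER_SIGN_OUT_PATH means GitLab's default (the sign-in page).
SAMPLE_ENV = {
    "OAUTH_ENABLED": "true",
    "OAUTH_AUTO_SIGN_IN_WITH_PROVIDER": "Keycloak",
    "OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL":
        "https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect/auth",
    "AFTER_SIGN_OUT_PATH": "",  # hypothetical stand-in for the admin setting
}


def with_auto_sign_in_disabled(path):
    """Return `path` (relative or absolute) with auto_sign_in=false added.

    Existing query parameters are kept; an empty path means the default
    sign-in page.
    """
    parts = urlsplit(path or SIGN_IN_PATH)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query["auto_sign_in"] = "false"
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


def sign_out_loops_back(env):
    """True when signing out would bounce straight back to the provider.

    That happens when OAuth is on, auto sign-in with a provider is set, and
    the after-sign-out target is the sign-in page without auto_sign_in=false.
    Assumption: any value other than "false" leaves the auto redirect on.
    """
    if env.get("OAUTH_ENABLED", "false").lower() != "true":
        return False
    if not env.get("OAUTH_AUTO_SIGN_IN_WITH_PROVIDER"):
        return False
    target = urlsplit(env.get("AFTER_SIGN_OUT_PATH") or SIGN_IN_PATH)
    if target.path.rstrip("/") != SIGN_IN_PATH:
        return False  # a different landing page is not auto-redirected
    query = dict(parse_qsl(target.query, keep_blank_values=True))
    return query.get("auto_sign_in", "").lower() != "false"


def is_provider_redirect(location, env):
    """True when a Location header points at the configured authorize URL.

    Handy when checking a live sign-out with `curl -i`: after the fix, a GET
    on the after-sign-out path must not answer 302 to this endpoint.
    Comparison ignores the query string (client_id, state, ...).
    """
    want = urlsplit(env["OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL"])
    got = urlsplit(location)
    return (got.scheme, got.netloc, got.path) == (want.scheme, want.netloc, want.path)


def lint(env):
    """Return a list of findings; empty when the config is fine."""
    findings = []
    if sign_out_loops_back(env):
        current = env.get("AFTER_SIGN_OUT_PATH") or "(default)"
        fixed = with_auto_sign_in_disabled(env.get("AFTER_SIGN_OUT_PATH", ""))
        findings.append(
            "after-sign-out path %s lands on the sign-in page while auto sign-in "
            "with a provider is enabled; set it to %s" % (current, fixed))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_ENV):
        print("WARN:", finding)
    fixed_env = dict(SAMPLE_ENV, AFTER_SIGN_OUT_PATH="/users/sign_in?auto_sign_in=false")
    print("findings after fix:", lint(fixed_env))
```

Running it against the sample config prints one warning; with the after-sign-out path from the answer the list is empty. To confirm on a real instance, sign out, then fetch the after-sign-out URL with curl and pass the Location header (if any) to is_provider_redirect.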