Skip to content

Openid_connect undefined method

Summary

I have tried to set up SSO in Gitlab using the openid_connect omniauth setup, described in your docs. However, when trying to log in, the callback phase fails with the output:

[Note: changed slightly]
Could not authenticate you from OpenIDConnect because "Undefined method `with indifferent access' for "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6IjFMNVpoLVJ0NDZjSHVJVVNjMjRRakdibGhkTWpVMXV2SUowZUZSVjJSdWMifQ.eyJzdWIiOiIzNWQxNGJhNy1kNTJhLTRkNTUtYWJiNy0zMTFiNTYxNzI0MTgiLCJhdWQiOiJnaXRsYWJfc3NvX2NsaWVudCIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJuYW1lIjoiQ2hyaXN0aWFuIE15IE5hbWUiLCJpc3MiOiJodHRwczovL2F1dGguZXhhbXBsZS5jb20vcmVhbG1zL0V4YW1wbGUtU2VydmljZXMiLCJncm91cHMiOlsiZGVmYXVsdC1yb2xlcy1leGFtcGxlLXNlcnZpY2VzIiwib2ZmbGluZV9hY2Nlc3MiLCJncmFmYW5hX2FkbWluIiwidW1hX2F1dGhvcml6YXRpb24iLCJ0cmFlZmlrX2Rhc2giXSwicHJlZmVycmVkX3VzZXJuYW1lIjoiY3BqQGV4YW1wbGUuY29tIiwiZ2l2ZW5fbmFtZSI6IkNocmlzdGlhbiBNeSIsImZhbWlseV9uYW1lIjoiTmFtZSIsImVtYWlsIjoiY3BqQGV4YW1wbGUuY29tIn0.y6Ohl2yoOM8gS4HF1kpMPVTAka8dS86VKbsBLCo5sGmNyN9iyoiCgdUx7gAEuilJP6T8TL-bMpLZVHkbvHoIK80fXz70EDRsl8TJQzjKxCG9VJDuxmH9Ld7RmGxDAZ2rJNkZ2URk6-KfAVWYMOX0fBebXgkzNH2WgFRrzuG4S6ZArnvBDcmsZq70vAZlMG_XJvxFylw-6DDFaWy2GzSX1s9HrXuIj0ddSB-O_hIb_3ub_t7VG0JFBB-HxD-iH8QudCTfSOAJlJusr0zNpQDZD497rxWbsv975i68XERKIZQwrN0kBewG9JJXTYfeMe5j21Bbde4ZNQAF7eg21IG3KA":String NoMethodError [repeats]

The authentication is correct from Keycloaks point of view, and the string is a correct Json Web Token, with correct fields and userinfo. It is very much what i would expect Gitlab to use for authentication, however instead it just throws the Undefined method exception.

Steps to reproduce

  • Gitlab running in docker, port 443 and 80 exposed to the net.
  • Keycloak running in docker, behind reverse proxy

I use the following gitlab.rb configuration:

gitlab_rails['omniauth_providers'] = [{
  name: "openid_connect",
  label: "Keycloak",
  args: { 
    name: "openid_connect",
    uid_field: "sub",
    scope: ["openid"],
    response_type: "code",
    issuer:  "https://auth.example.com/realms/Example-Services",
    client_auth_method: "query",
    discovery: true,
    pkce: true,
    client_options: {
      identifier: "gitlab_sso_client",
      secret: "eMjVID275Tkxr2TWrSCHDKNjDdnempQv",
      redirect_uri: "https://git.example.com/users/auth/openid_connect/callback"
    }
  } 
}]

What is the current bug behavior?

See error message above

What is the expected correct behavior?

A sign-up page or a logged-in user

Output of checks

Results of GitLab environment info

Expand for output related to GitLab environment info 
System information
System:
Proxy:          no
Current User:   git
Using RVM:      no
Ruby Version:   3.2.5
Gem Version:    3.6.3
Bundler Version:2.5.11
Rake Version:   13.0.6
Redis Version:  7.0.15
Sidekiq Version:7.2.4
Go Version:     unknown


GitLab information
Version:        17.9.2-ee
Revision:       56dedd4cf9e
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     14.17
URL:            https://git.example.com
HTTP Clone URL: https://git.example.com/some-group/some-project.git
SSH Clone URL:  [email protected]:some-group/some-project.git
Elasticsearch:  no
Geo:            no
Using LDAP:     no
Using Omniauth: yes
Omniauth Providers: openid_connect, oauth2_generic

GitLab Shell
Version:        14.40.0
Repository storages:
- default:      unix:/var/opt/gitlab/gitaly/gitaly.socket
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell

Gitaly
- default Address:      unix:/var/opt/gitlab/gitaly/gitaly.socket
- default Version:      17.9.2
- default Git Version:  2.47.2

Results of GitLab application Check

Expand for output related to the GitLab application check 
Checking GitLab subtasks ...

Checking GitLab Shell ...


GitLab Shell: ... GitLab Shell version >= 14.40.0 ? ... OK (14.40.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful


Checking GitLab Shell ... Finished


Checking Gitaly ...


Gitaly: ... default ... OK


Checking Gitaly ... Finished


Checking Sidekiq ...


Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/1


Checking Sidekiq ... Finished


Checking Incoming Email ...


Incoming Email: ... Checking Reply by email ...


Mailroom enabled? ... skipped
MailRoom running? ... skipped


Checking Reply by email ... Finished


Checking Incoming Email ... Finished


Checking LDAP ...


LDAP: ... LDAP is disabled in config/gitlab.yml


Checking LDAP ... Finished


Checking GitLab App ...


Database config exists? ... yes
Tables are truncated? ... skipped
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Cable config exists? ... yes
Resque config exists? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... skipped (no tmp uploads folder yet)
Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Projects have namespace: ... can't check, you have no projects
Redis version >= 6.2.14? ... yes
Ruby version >= 3.0.6 ? ... yes (3.2.5)
Git user has default SSH configuration? ... yes
Active users: ... 1
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Elasticsearch version 7.x-8.x or OpenSearch version 1.x ... skipped (Advanced Search is disabled)
All migrations must be finished before doing a major upgrade ... skipped (Advanced Search is disabled)


Checking GitLab App ... Finished


Checking GitLab subtasks ... Finished

Possible fixes

Using oauth2_generic works as expected.

OSZAR »