✨ [2025-01-08] 修改Gitlab SSO接入方式

2025-01-08 12:32:45 +08:00 · 2025-01-08 12:32:45 +08:00 · 77702455a7
commit 77702455a7
parent c580ff5f8c
2 changed files with 31 additions and 23 deletions
--- a/任务/周报.md
+++ b/任务/周报.md
@ -1,9 +1,10 @@
 ## 20250106 - 20250110
- [X] Yearning SSO接入
+- [X] [Yearning SSO接入](http://confluence.qifu.com/pages/viewpage.action?pageId=38508162)
+- [X] [Gitlab SSO接入](http://confluence.qifu.com/pages/viewpage.action?pageId=38508192)
 - [ ] K8s健康检查接口集成。
 - [ ] 集简云对接（需要付费后才能介入）
-  - 基础架子搭建
-  - 接口对接
+  - [X] 基础架子搭建
+  - [ ] 接口对接

 ## 20241230 - 20250103

--- a/教程/20250108-Gitlab安装及SSO接入指南.md
+++ b/教程/20250108-Gitlab安装及SSO接入指南.md
@ -56,13 +56,14 @@ services:
    shm_size: '256m'

 ```
+
 - 默认账号：`root`
 - 默认密码：在 `$GITLAB_HOME/config/initial_root_password`

-### Yearning OIDC 配置
+### Yearning Generic OAuth2 配置

+- 由于 Gitlab `OIDC` 必须要使用 `https`，所以采用 `Generic OAuth2` 进行SSO
 - 可以参考：https://docs.gitlab.com/ee/administration/auth/oidc.html#configure-keycloak
- **注意：** Gitlab 整合 OIDC，Identity Provider 必须要用 `https`

 #### 修改配置文件（Keycloak示例）

@ -70,27 +71,33 @@ services:

 ```shell
 gitlab_rails['omniauth_enabled'] = true
-gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
-gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
-gitlab_rails['omniauth_auto_link_user'] = ['openid_connect']
+gitlab_rails['omniauth_allow_single_sign_on'] = ['oauth2_generic']
+gitlab_rails['omniauth_auto_link_user'] = ['oauth2_generic']
 gitlab_rails['omniauth_providers'] = [
  {
-    name: "openid_connect", #- do not change this parameter
-    label: "Keycloak", #- optional label for login button, defaults to "Openid Connect"
+    name: "oauth2_generic",
+    label: "企业微信", # optional label for login button, defaults to "Oauth2 Generic"
+    app_id: "gitlab",
+    app_secret: "lGHpprHWcG3mgsQpPMtUsC4NeOqf8Izi",
    args: {
-      name: "openid_connect",
-      scope: ["openid", "profile", "email"],
-      response_type: "code",
-      issuer:  "https://keycloak.example.com/realms/myrealm",
-      client_auth_method: "query",
-      discovery: true,
-      uid_field: "preferred_username",
-      pkce: true,
      client_options: {
-        identifier: "<YOUR CLIENT ID>",
-        secret: "<YOUR CLIENT SECRET>",
-        redirect_uri: "https://gitlab.example.com/users/auth/openid_connect/callback"
-      }
+        site: "http://keycloak.qifu.com/realms/keyfil/protocol/openid-connect/",
+        user_info_url: "userinfo",
+        authorize_url: "auth",
+        token_url: "token"
+      },
+      user_response_structure: {
+        root_path: [],
+        id_path: ["preferred_username"],
+        attributes: {
+          email: "email",
+          name: "name"
+        }
+      },
+      authorize_params: {
+        scope: "openid profile email"
+      },
+      strategy_class: "OmniAuth::Strategies::OAuth2Generic"
    }
  }
 ]
@ -100,4 +107,4 @@ gitlab_rails['omniauth_providers'] = [

 - [Gitlab OIDC](https://docs.gitlab.com/ee/administration/auth/oidc.html)
 - [Gitlab OIDC 整合 Keycloak](https://docs.gitlab.com/ee/administration/auth/oidc.html#configure-keycloak)
-
+- [Gitlab Generic OAuth2](https://docs.gitlab.com/ee/integration/oauth2_generic.html)