From 77702455a77a3898ec4343f966147944881d8683 Mon Sep 17 00:00:00 2001 From: liuxiaohua Date: Wed, 8 Jan 2025 12:32:45 +0800 Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20[2025-01-08]=20=E4=BF=AE=E6=94=B9Gi?= =?UTF-8?q?tlab=20SSO=E6=8E=A5=E5=85=A5=E6=96=B9=E5=BC=8F?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- 任务/周报.md | 7 ++-- 教程/20250108-Gitlab安装及SSO接入指南.md | 47 ++++++++++++++---------- 2 files changed, 31 insertions(+), 23 deletions(-) diff --git a/任务/周报.md b/任务/周报.md index dfe85cf..93d415b 100644 --- a/任务/周报.md +++ b/任务/周报.md @@ -1,9 +1,10 @@ ## 20250106 - 20250110 -- [X] Yearning SSO接入 +- [X] [Yearning SSO接入](http://confluence.qifu.com/pages/viewpage.action?pageId=38508162) +- [X] [Gitlab SSO接入](http://confluence.qifu.com/pages/viewpage.action?pageId=38508192) - [ ] K8s健康检查接口集成。 - [ ] 集简云对接(需要付费后才能介入) - - 基础架子搭建 - - 接口对接 + - [X] 基础架子搭建 + - [ ] 接口对接 ## 20241230 - 20250103 diff --git a/教程/20250108-Gitlab安装及SSO接入指南.md b/教程/20250108-Gitlab安装及SSO接入指南.md index 77b0663..3b92a6b 100644 --- a/教程/20250108-Gitlab安装及SSO接入指南.md +++ b/教程/20250108-Gitlab安装及SSO接入指南.md @@ -56,13 +56,14 @@ services: shm_size: '256m' ``` + - 默认账号:`root` - 默认密码:在 `$GITLAB_HOME/config/initial_root_password` -### Yearning OIDC 配置 +### Yearning Generic OAuth2 配置 +- 由于 Gitlab `OIDC` 必须要使用 `https`,所以采用 `Generic OAuth2` 进行SSO - 可以参考:https://docs.gitlab.com/ee/administration/auth/oidc.html#configure-keycloak -- **注意:** Gitlab 整合 OIDC,Identity Provider 必须要用 `https` #### 修改配置文件(Keycloak示例) 
@@ -70,27 +71,33 @@ services:
 ```shell
 gitlab_rails['omniauth_enabled'] = true
-gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
-gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
-gitlab_rails['omniauth_auto_link_user'] = ['openid_connect']
+gitlab_rails['omniauth_allow_single_sign_on'] = ['oauth2_generic']
+gitlab_rails['omniauth_auto_link_user'] = ['oauth2_generic']
 gitlab_rails['omniauth_providers'] = [
 {
- name: "openid_connect", #- do not change this parameter
- label: "Keycloak", #- optional label for login button, defaults to "Openid Connect"
+ name: "oauth2_generic",
+ label: "企业微信", # optional label for login button, defaults to "Oauth2 Generic"
+ app_id: "gitlab",
+ app_secret: "lGHpprHWcG3mgsQpPMtUsC4NeOqf8Izi",
 args: {
- name: "openid_connect",
- scope: ["openid", "profile", "email"],
- response_type: "code",
- issuer: "https://keycloak.example.com/realms/myrealm",
- client_auth_method: "query",
- discovery: true,
- uid_field: "preferred_username",
- pkce: true,
 client_options: {
- identifier: "",
- secret: "",
- redirect_uri: "https://gitlab.example.com/users/auth/openid_connect/callback"
- }
+ site: "http://keycloak.qifu.com/realms/keyfil/protocol/openid-connect/",
+ user_info_url: "userinfo",
+ authorize_url: "auth",
+ token_url: "token"
+ },
+ user_response_structure: {
+ root_path: [],
+ id_path: ["preferred_username"],
+ attributes: {
+ email: "email",
+ name: "name"
+ }
+ },
+ authorize_params: {
+ scope: "openid profile email"
+ },
+ strategy_class: "OmniAuth::Strategies::OAuth2Generic"
 }
 }
 ]
@@ -100,4 +107,4 @@ gitlab_rails['omniauth_providers'] = [
 - [Gitlab OIDC](https://docs.gitlab.com/ee/administration/auth/oidc.html)
 - [Gitlab OIDC 整合 Keycloak](https://docs.gitlab.com/ee/administration/auth/oidc.html#configure-keycloak)
-
+- [Gitlab Generic OAuth2](https://docs.gitlab.com/ee/integration/oauth2_generic.html)
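Review bot: `app_secret: "lGHpprHWcG3mgsQpPMtUsC4NeOqf8Izi"` next to `app_id: "gitlab"` and the real `keycloak.qifu.com/realms/keyfil` URL looks like a live Keycloak client credential rather than an example value, and this commit puts it into the git history of a tutorial; replace it with a placeholder such as `app_secret: "<secret of the gitlab client in Keycloak>"` and rotate the secret in Keycloak, since deleting it in a later commit does not remove it from history. The `site:` URL is plain `http://`, so the authorization code, the client secret sent on the token exchange and the returned access token would all cross the network unencrypted; the https requirement that the previous hunk gives as the reason for abandoning OIDC is a safeguard rather than an obstacle, and the fix is to put TLS in front of Keycloak and use `site: "https://keycloak.qifu.com/realms/keyfil/protocol/openid-connect/"`. Because `omniauth_auto_link_user` stays enabled for this provider, an existing local GitLab account will, as far as I understand the OmniAuth docs, be linked automatically when the `email` attribute returned by Keycloak matches it, so the guide should state that this is only safe if the realm requires verified emails and users cannot set their own email freely. The dropped `pkce: true` and `discovery: true` have no counterpart in the generic strategy shown here, which is worth a one-line caveat in the doc so readers do not assume the two setups are equivalent.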