[2025-01-08] Change the Gitlab SSO integration method

liuxiaohua 2025-01-08 12:32:45 +08:00
parent c580ff5f8c
commit 77702455a7
2 changed files with 31 additions and 23 deletions


@ -1,9 +1,10 @@
## 20250106 - 20250110 ## 20250106 - 20250110
- [X] Yearning SSO接入 - [X] [Yearning SSO接入](http://confluence.qifu.com/pages/viewpage.action?pageId=38508162)
- [X] [Gitlab SSO接入](http://confluence.qifu.com/pages/viewpage.action?pageId=38508192)
- [ ] K8s健康检查接口集成。 - [ ] K8s健康检查接口集成。
- [ ] 集简云对接(需要付费后才能介入) - [ ] 集简云对接(需要付费后才能介入)
- 基础架子搭建 - [X] 基础架子搭建
- 接口对接 - [ ] 接口对接
## 20241230 - 20250103 ## 20241230 - 20250103


@ -56,13 +56,14 @@ services:
shm_size: '256m' shm_size: '256m'
``` ```
- 默认账号:`root` - 默认账号:`root`
- 默认密码:在 `$GITLAB_HOME/config/initial_root_password` - 默认密码:在 `$GITLAB_HOME/config/initial_root_password`
### Yearning OIDC 配置 ### Yearning Generic OAuth2 配置
- 由于 Gitlab `OIDC` 必须要使用 `https`,所以采用 `Generic OAuth2` 进行SSO
- 可以参考https://docs.gitlab.com/ee/administration/auth/oidc.html#configure-keycloak - 可以参考https://docs.gitlab.com/ee/administration/auth/oidc.html#configure-keycloak
- **注意:** Gitlab 整合 OIDCIdentity Provider 必须要用 `https`
#### 修改配置文件Keycloak示例 #### 修改配置文件Keycloak示例
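Review bot: the renamed heading still reads "Yearning Generic OAuth2 配置" in a page that documents GitLab (the default `root` account, `initial_root_password` and the omnibus config below are all GitLab's); it should be "### Gitlab Generic OAuth2 配置". The new bullet explains the switch to Generic OAuth2 as a way around GitLab's HTTPS requirement for OIDC, but the "可以参考" link still points to the OIDC/Keycloak section of the docs rather than the oauth2_generic page that this commit adds to the reference list; point it at https://docs.gitlab.com/ee/integration/oauth2_generic.html. One sentence is also missing here: picking a provider that tolerates plain `http` means the authorization code, client secret and tokens travel to keycloak.qifu.com in cleartext, so this is only acceptable while that traffic stays on a trusted internal network, and enabling TLS on Keycloak remains the proper fix.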
@ -70,27 +71,33 @@ services:
```shell ```shell
gitlab_rails['omniauth_enabled'] = true gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect'] gitlab_rails['omniauth_allow_single_sign_on'] = ['oauth2_generic']
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect' gitlab_rails['omniauth_auto_link_user'] = ['oauth2_generic']
gitlab_rails['omniauth_auto_link_user'] = ['openid_connect']
gitlab_rails['omniauth_providers'] = [ gitlab_rails['omniauth_providers'] = [
{ {
name: "openid_connect", #- do not change this parameter name: "oauth2_generic",
label: "Keycloak", #- optional label for login button, defaults to "Openid Connect" label: "企业微信", # optional label for login button, defaults to "Oauth2 Generic"
app_id: "gitlab",
app_secret: "lGHpprHWcG3mgsQpPMtUsC4NeOqf8Izi",
args: { args: {
name: "openid_connect",
scope: ["openid", "profile", "email"],
response_type: "code",
issuer: "https://keycloak.example.com/realms/myrealm",
client_auth_method: "query",
discovery: true,
uid_field: "preferred_username",
pkce: true,
client_options: { client_options: {
identifier: "<YOUR CLIENT ID>", site: "http://keycloak.qifu.com/realms/keyfil/protocol/openid-connect/",
secret: "<YOUR CLIENT SECRET>", user_info_url: "userinfo",
redirect_uri: "https://gitlab.example.com/users/auth/openid_connect/callback" authorize_url: "auth",
} token_url: "token"
},
user_response_structure: {
root_path: [],
id_path: ["preferred_username"],
attributes: {
email: "email",
name: "name"
}
},
authorize_params: {
scope: "openid profile email"
},
strategy_class: "OmniAuth::Strategies::OAuth2Generic"
} }
} }
] ]
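Review bot: `app_secret: "lGHpprHWcG3mgsQpPMtUsC4NeOqf8Izi"` commits a live-looking client secret into a repository that is published to Confluence on every push; replace it with a placeholder such as `app_secret: "<YOUR CLIENT SECRET>"` (the pattern the removed OIDC block used) and rotate the secret in Keycloak, since it is now in git history. Two smaller points: `omniauth_auto_link_user = ['oauth2_generic']` links an existing GitLab account to the provider identity by matching e-mail address, which is only safe if Keycloak guarantees the `email` claim is verified and users cannot change it themselves; the doc should state that precondition. And `label: "企业微信"` while `site` points at a Keycloak realm and the heading says Keycloak 示例 is confusing; if Keycloak is brokering WeCom login, say so in a comment next to the label, otherwise use a Keycloak label. The dropped `omniauth_auto_sign_in_with_provider` line also changes behaviour (users now see the GitLab login page instead of being redirected straight to the provider); note whether that is intended.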
@ -100,4 +107,4 @@ gitlab_rails['omniauth_providers'] = [
- [Gitlab OIDC](https://docs.gitlab.com/ee/administration/auth/oidc.html) - [Gitlab OIDC](https://docs.gitlab.com/ee/administration/auth/oidc.html)
- [Gitlab OIDC 整合 Keycloak](https://docs.gitlab.com/ee/administration/auth/oidc.html#configure-keycloak) - [Gitlab OIDC 整合 Keycloak](https://docs.gitlab.com/ee/administration/auth/oidc.html#configure-keycloak)
- [Gitlab Generic OAuth2](https://docs.gitlab.com/ee/integration/oauth2_generic.html)