Use Google OAuth 2.0 as an OAuth 2.0 authentication provider
DETAILS: Tier: Free, Premium, Ultimate Offering: Self-managed
To enable the Google OAuth 2.0 OmniAuth provider you must register your application with Google. Google generates a client ID and secret key for you to use.
To enable Google OAuth, you must configure the:
- Google Cloud Resource Manager
- Google API Console
- GitLab server
Configure the Google Cloud Resource Manager
- Go to the Google Cloud Resource Manager.
- Select CREATE PROJECT.
- In Project name, enter
GitLab. - In Project ID, Google provides a randomly generated project ID by default. You can use this randomly generated ID or create a new one. If you create a new ID, it must be unique to all Google Developer registered applications.
To see your new project in the list, refresh the page.
Configure the Google API Console
-
Go to the Google API Console.
-
In the upper-left corner, select your previously created project.
-
Select OAuth consent screen and complete the fields.
-
Select Credentials > Create credentials > OAuth client ID.
-
Complete the fields:
-
Application type: Select Web application.
-
Name: Use the default name or enter your own.
-
Authorized JavaScript origins: Enter
https://gitlab.example.com. -
Authorized redirect URIs: Enter your domain name followed by the callback URIs one at a time:
https://gitlab.example.com/users/auth/google_oauth2/callback https://gitlab.example.com/-/google_api/auth/callback
-
-
You should see a client ID and client secret. Note them down or keep this page open as you need them later.
-
To enable projects to access Google Kubernetes Engine, you must also enable the:
- Google Kubernetes Engine API
- Cloud Resource Manager API
- Cloud Billing API
To do so:
- Go to the Google API Console.
- Select ENABLE APIS AND SERVICES at the top of the page.
- Find each of the above APIs. On the page for the API, select ENABLE. It may take a few minutes for the API to be fully functional.
Configure the GitLab server
-
Open the configuration file.
For Linux package installations:
sudo editor /etc/gitlab/gitlab.rbFor self-compiled installations:
cd /home/git/gitlab sudo -u git -H editor config/gitlab.yml -
Configure the common settings to add
google_oauth2as a single sign-on provider. This enables Just-In-Time account provisioning for users who do not have an existing GitLab account. -
Add the provider configuration.
For Linux package installations:
gitlab_rails['omniauth_providers'] = [ { name: "google_oauth2", # label: "Provider name", # optional label for login button, defaults to "Google" app_id: "<YOUR_APP_ID>", app_secret: "<YOUR_APP_SECRET>", args: { access_type: "offline", approval_prompt: "" } } ]For self-compiled installations:
- { name: 'google_oauth2', # label: 'Provider name', # optional label for login button, defaults to "Google" app_id: 'YOUR_APP_ID', app_secret: 'YOUR_APP_SECRET', args: { access_type: 'offline', approval_prompt: '' } } -
Replace
<YOUR_APP_ID>with the client ID from the Google Developer page. -
Replace
<YOUR_APP_SECRET>with the client secret from the Google Developer page. -
Make sure that you configure GitLab to use a fully-qualified domain name, as Google doesn't accept raw IP addresses.
For Linux package installations:
external_url 'https://gitlab.example.com'For self-compiled installations:
gitlab: host: https://gitlab.example.com -
Save the configuration file.
-
For the changes to take effect:
- If you installed using the Linux package, reconfigure GitLab.
- If you self-compiled your installation, restart GitLab.
On the sign in page there should now be a Google icon below the regular sign in form. Select the icon to begin the authentication process. Google asks the user to sign in and authorize the GitLab application. If everything goes well the user is returned to GitLab and is signed in.