Use Google OAuth 2.0 as an OAuth 2.0 authentication provider

Tier: Free, Premium, Ultimate Offering: Self-managed

To enable the Google OAuth 2.0 OmniAuth provider you must register your application with Google. Google generates a client ID and secret key for you to use.

To enable Google OAuth, you must configure the:

  • Google Cloud Resource Manager
  • Google API Console
  • GitLab server

Configure the Google Cloud Resource Manager

  1. Go to the Google Cloud Resource Manager.
  2. Select CREATE PROJECT.
  3. In Project name, enter GitLab.
  4. In Project ID, Google provides a randomly generated project ID by default. You can use this randomly generated ID or create a new one. If you create a new ID, it must be unique to all Google Developer registered applications.

To see your new project in the list, refresh the page.

Configure the Google API Console

  1. Go to the Google API Console.
  2. In the upper-left corner, select your previously created project.
  3. Select OAuth consent screen and complete the fields.
  4. Select Credentials > Create credentials > OAuth client ID.
  5. Complete the fields:
    • Application type: Select Web application.
    • Name: Use the default name or enter your own.
    • Authorized JavaScript origins: Enter https://gitlab.example.com.
    • Authorized redirect URIs: Enter your domain name followed by the callback URIs one at a time:

      https://gitlab.example.com/users/auth/google_oauth2/callback
      https://gitlab.example.com/-/google_api/auth/callback
      
  6. You should see a client ID and client secret. Note them down or keep this page open as you need them later.
  7. To enable projects to access Google Kubernetes Engine, you must also enable the:
    • Google Kubernetes Engine API
    • Cloud Resource Manager API
    • Cloud Billing API

    To do so:

    1. Go to the Google API Console.
    2. Select ENABLE APIS AND SERVICES at the top of the page.
    3. Find each of the above APIs. On the page for the API, select ENABLE. It may take a few minutes for the API to be fully functional.

Configure the GitLab server

  1. Open the configuration file.

    For Linux package installations:

    sudo editor /etc/gitlab/gitlab.rb
    

    For self-compiled installations:

    cd /home/git/gitlab
    sudo -u git -H editor config/gitlab.yml
    
  2. Configure the common settings to add google_oauth2 as a single sign-on provider. This enables Just-In-Time account provisioning for users who do not have an existing GitLab account.
  3. Add the provider configuration.

    For Linux package installations:

    gitlab_rails['omniauth_providers'] = [
      {
        name: "google_oauth2",
        # label: "Provider name", # optional label for login button, defaults to "Google"
        app_id: "<YOUR_APP_ID>",
        app_secret: "<YOUR_APP_SECRET>",
        args: { access_type: "offline", approval_prompt: "" }
      }
    ]
    

    For self-compiled installations:

    - { name: 'google_oauth2',
        # label: 'Provider name', # optional label for login button, defaults to "Google"
        app_id: 'YOUR_APP_ID',
        app_secret: 'YOUR_APP_SECRET',
        args: { access_type: 'offline', approval_prompt: '' } }
    
  4. Replace <YOUR_APP_ID> with the client ID from the Google Developer page.
  5. Replace <YOUR_APP_SECRET> with the client secret from the Google Developer page.
  6. Make sure that you configure GitLab to use a fully-qualified domain name, as Google doesn’t accept raw IP addresses.

    For Linux package installations:

    external_url 'https://gitlab.example.com'
    

    For self-compiled installations:

    gitlab:
      host: https://gitlab.example.com
    
  7. Save the configuration file.
  8. For the changes to take effect:

On the sign in page there should now be a Google icon below the regular sign in form. Select the icon to begin the authentication process. Google asks the user to sign in and authorize the GitLab application. If everything goes well the user is returned to GitLab and is signed in.