Enabling logins with GitLab accounts
Debusine supports OpenID Connect authentication: these are the instructions for setting up authentication against a GitLab server.
Configure the provider in your Debusine instance
In your local settings:
    from debusine.project.utils import read_secret_key
    from debusine.server.signon import providers

    SIGNON_PROVIDERS = [
        # Example using salsa.debian.org
        providers.GitlabProvider(
            # Provider name to use in the Redirect URI
            name="salsa",
            # User-visible name
            label="Salsa",
            # Optional icon (path under the static directory)
            icon="signon/gitlabian.svg",
            # URL to the GitLab instance
            url="https://salsa.debian.org",
            # OIDC parameters
            client_id="<to be filled with GitLab-provided Application ID>",
            client_secret=read_secret_key("/etc/debusine/gitlab-app-secret"),
            scope=("openid", "profile", "email"),
        ),
    ]

    # Auto-create a local user for remote accounts
    SIGNON_AUTO_CREATE_USER = True
    # Auto-associate remote accounts to the current local user
    SIGNON_AUTO_BIND = True
Create /etc/debusine/gitlab-app-secret containing the application secret provided by GitLab, and make sure the file is only readable by the debusine-server user:

    echo "<to be filled with Gitlab-provided Secret>" > /etc/debusine/gitlab-app-secret
    chmod 0600 /etc/debusine/gitlab-app-secret
    chown debusine-server:debusine-server /etc/debusine/gitlab-app-secret

Note that typing the secret on the command line also records it in your shell history.
Create the application in GitLab
Go to your profile preferences, under “Applications”
Create a new application:
Tick “Confidential” checkbox
Select scopes: “openid”, “profile”, “email”
Redirect URI: https://your.debusine.server/accounts/accounts/oidc_callback/$PROVIDER_NAME, where $PROVIDER_NAME is the name given to the provider in SIGNON_PROVIDERS (salsa in the example above). Note that https is required: this cannot be deployed over plain http.
Copy the Application ID and the Secret to your Debusine local settings
When everything is set up, restart debusine-server:

    systemctl restart debusine-server
In the login page you should now see the option to log in using the provider you configured.
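A small pre-flight script for the setup above, added here as an example and not part of Debusine: it rebuilds the redirect URI from the server URL and the provider name, checks that it uses https and the expected callback path, and checks that the secret file has the 0600 mode and owner the instructions ask for and does not still contain the placeholder text. The function names and the make_sample_secret() helper, which writes a constructed secret to a temporary file, are assumptions for demonstration; on a deployed host, point check_deployment() at the real path and the debusine-server uid.

```python
"""Pre-flight checks for the GitLab OIDC setup described above.

Added example, not Debusine's own code. It mirrors the page's
requirements: secret file readable only by the server user, https-only
redirect URI under /accounts/accounts/oidc_callback/<provider name>.
Function names and the make_sample_secret() helper are assumptions.
"""
from __future__ import annotations

import os
import stat
import tempfile
from urllib.parse import urlsplit

# Callback path used by Debusine, as given in the instructions
CALLBACK_PREFIX = "/accounts/accounts/oidc_callback/"


def check_secret_file(path: str, owner_uid: int | None = None) -> list[str]:
    """Return the problems found with the client-secret file (empty if OK)."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    # chmod 0600: no group or other permission bits at all
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(
            f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is accessible to "
            "group/other, expected 0600"
        )
    if owner_uid is not None and st.st_uid != owner_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    with open(path, encoding="utf-8") as fh:
        secret = fh.read().strip()
    if not secret:
        problems.append(f"{path}: empty")
    elif secret.startswith("<") and secret.endswith(">"):
        # The settings template ships "<to be filled ...>" placeholders
        problems.append(f"{path}: still contains the placeholder text")
    return problems


def build_redirect_uri(server_url: str, provider_name: str) -> str:
    """Redirect URI to register in GitLab for the provider named in SIGNON_PROVIDERS."""
    parts = urlsplit(server_url)
    return f"{parts.scheme}://{parts.netloc}{CALLBACK_PREFIX}{provider_name}"


def check_redirect_uri(uri: str) -> list[str]:
    """Report deviations from the https-only, fixed-path redirect URI."""
    problems = []
    parts = urlsplit(uri)
    if parts.scheme != "https":
        problems.append(f"{uri}: scheme is {parts.scheme!r}, OIDC login needs https")
    if not parts.path.startswith(CALLBACK_PREFIX) or parts.path == CALLBACK_PREFIX:
        problems.append(f"{uri}: path must be {CALLBACK_PREFIX}<provider name>")
    if parts.query or parts.fragment:
        problems.append(f"{uri}: redirect URI must not carry a query string or fragment")
    return problems


def check_deployment(server_url: str, provider_name: str, secret_path: str,
                     owner_uid: int | None = None) -> list[str]:
    """Combine both checks; an empty list means the setup matches the instructions."""
    return (check_redirect_uri(build_redirect_uri(server_url, provider_name))
            + check_secret_file(secret_path, owner_uid))


def make_sample_secret(content: str, mode: int) -> str:
    """Demo helper: write a constructed secret to a temp file with the given mode."""
    fd, path = tempfile.mkstemp(prefix="gitlab-app-secret-")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(content + "\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    good = make_sample_secret("constructed-secret-value", 0o600)
    bad = make_sample_secret("<to be filled with Gitlab-provided Secret>", 0o644)
    for path in (good, bad):
        print(path, check_deployment("https://your.debusine.server", "salsa", path, os.getuid()))
    # A plain-http server URL is rejected
    print(check_redirect_uri(build_redirect_uri("http://your.debusine.server", "salsa")))
```

Run it on the host as the debusine-server user (or pass that user's uid) after the chown step; the good sample reports no problems, the bad one reports both the mode and the placeholder.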
With SIGNON_AUTO_CREATE_USER enabled, if you are not logged in and you log in with an external OIDC provider, a new local user is created for you from your GitLab account details. If a local user already exists with the same verified email address, the external identity is associated with that existing local user instead, and no new user is created.
With SIGNON_AUTO_BIND enabled, if you are logged in as an existing user and you log in again using an external OIDC provider, the external identity is linked automatically to the current local user.
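The two settings combine into a small decision procedure. The following model, added as an example and not Debusine's implementation, encodes the rules described above: LocalUser, RemoteIdentity, SignonPolicy and the constructed accounts from sample_users() are stand-ins, and the handling of a username clash and of an identity already linked to a different user is an assumption the instructions do not cover.

```python
"""Model of the SIGNON_AUTO_CREATE_USER / SIGNON_AUTO_BIND rules above.

Added example, not Debusine's code. Outcomes: "login" (identity already
linked), "bind" (linked to the logged-in user), "associate" (linked to the
existing user with the same verified email), "create" (new local user),
"reject" (nothing permitted by the settings).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LocalUser:
    username: str
    email: str
    # (provider name, subject) pairs already linked to this account
    identities: set[tuple[str, str]] = field(default_factory=set)


@dataclass(frozen=True)
class RemoteIdentity:
    provider: str         # SIGNON_PROVIDERS name, e.g. "salsa"
    subject: str          # stable identifier issued by the provider
    username: str
    email: str
    email_verified: bool  # as reported by the provider


class SignonPolicy:
    def __init__(self, auto_create_user: bool, auto_bind: bool) -> None:
        self.auto_create_user = auto_create_user
        self.auto_bind = auto_bind

    def resolve(self, users: list[LocalUser], current: Optional[LocalUser],
                remote: RemoteIdentity) -> tuple[str, Optional[LocalUser]]:
        """Decide what a remote login does; returns (action, local user)."""
        key = (remote.provider, remote.subject)
        # 1. A previously linked identity simply logs in, whatever the settings.
        for user in users:
            if key in user.identities:
                if current is not None and user is not current:
                    return "reject", None  # assumption: identity belongs to someone else
                return "login", user
        # 2. SIGNON_AUTO_BIND: already logged in, link the identity to that user.
        if current is not None:
            if self.auto_bind:
                current.identities.add(key)
                return "bind", current
            return "reject", None
        # 3. SIGNON_AUTO_CREATE_USER: not logged in.
        if not self.auto_create_user:
            return "reject", None
        # 3a. Same *verified* email as an existing local user: associate, no new user.
        if remote.email_verified:
            for user in users:
                if user.email == remote.email:
                    user.identities.add(key)
                    return "associate", user
        # 3b. Otherwise create a local user from the remote account details.
        username = remote.username
        taken = {u.username for u in users}
        n = 1
        while username in taken:  # assumption: disambiguate clashes with a suffix
            n += 1
            username = f"{remote.username}{n}"
        user = LocalUser(username, remote.email, {key})
        users.append(user)
        return "create", user


def sample_users() -> list[LocalUser]:
    """Constructed local accounts for the demonstration."""
    return [LocalUser("alice", "alice@example.org"), LocalUser("bob", "bob@example.org")]


if __name__ == "__main__":
    users = sample_users()
    policy = SignonPolicy(auto_create_user=True, auto_bind=True)
    alice = RemoteIdentity("salsa", "1001", "alice", "alice@example.org", True)
    print(policy.resolve(users, None, alice)[0])  # associate
    print(policy.resolve(users, None, alice)[0])  # login
    # Unverified claim to bob's address: a separate account, not a link to bob
    carol = RemoteIdentity("salsa", "1002", "carol", "bob@example.org", False)
    print(policy.resolve(users, None, carol)[0])  # create
```

The check that matters for account safety is the one on email_verified: an address the provider has not verified never links to an existing local user, it only ever results in a separate one.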