Enabling logins with GitLab accounts


Debusine supports OpenID Connect authentication: these are the instructions for setting up authentication against a GitLab server.

Set up

Configure the provider in your Debusine instance

In your local settings:

from debusine.project.utils import read_secret_key
from debusine.server.signon import providers

SIGNON_PROVIDERS = [
    # Example using salsa.debian.org
    providers.GitlabProvider(
        # Provider name to use in the Redirect URI ($PROVIDER_NAME below)
        name="salsa",
        # User-visible name
        label="Salsa",
        # Optional icon (path under the static directory)
        icon="<optional path under the static directory>",
        # URL to the GitLab instance
        url="https://salsa.debian.org",
        # OIDC parameters
        client_id="<to be filled with GitLab-provided Application ID>",
        # The secret is kept out of the settings file and read from the
        # file created in the next step
        client_secret=read_secret_key("/etc/debusine/gitlab-app-secret"),
        scope=("openid", "profile", "email"),
    ),
]

# Auto-create a local user for remote accounts
SIGNON_AUTO_CREATE_USER = True

# Auto-associate remote accounts to the current local user
SIGNON_AUTO_BIND = True

Create /etc/debusine/gitlab-app-secret with the application secret provided by GitLab and make sure the file is only readable by the debusine-server user:

echo "<to be filled with Gitlab-provided Secret>" > /etc/debusine/gitlab-app-secret
chmod 0600 /etc/debusine/gitlab-app-secret
chown debusine-server:debusine-server /etc/debusine/gitlab-app-secret
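The commands above create the file first and tighten its permissions afterwards, which leaves a short window in which the secret is readable by other local users. The following is an added example, not part of the Debusine documentation or code: it creates the file with mode 0600 from the moment it exists and then checks mode, owner and type, so a forgotten chmod or a symlink in place of the file is reported. The path matches the one used above; the secret value, the helper names (write_app_secret, check_app_secret, demo) and the owning user are assumptions of the example.

```python
# Added example (not Debusine's own code): write the GitLab application
# secret so it is never readable by group/other, then verify the result.
import os
import pwd
import stat
import tempfile
from typing import Optional


def write_app_secret(path: str, secret: str, owner: Optional[str] = "debusine-server") -> None:
    """Write `secret` to `path`, created with mode 0600 (umask can only tighten it)."""
    # O_EXCL refuses to overwrite an existing file, so a stale or pre-created
    # file is noticed instead of silently reused.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, (secret.strip() + "\n").encode())
        # chown needs root; an unprivileged run skips it and the owner check
        # below will report the mismatch.
        if owner is not None and os.geteuid() == 0:
            pw = pwd.getpwnam(owner)
            os.fchown(fd, pw.pw_uid, pw.pw_gid)
    finally:
        os.close(fd)


def check_app_secret(path: str, owner: Optional[str] = "debusine-server") -> list[str]:
    """Return the list of problems found with the secret file; empty means OK."""
    problems: list[str] = []
    st = os.lstat(path)  # lstat so a symlink is not followed
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file (symlink?)")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append(f"mode {oct(mode)} grants group/other access")
    if st.st_size == 0:
        problems.append("file is empty")
    if owner is not None:
        try:
            expected_uid = pwd.getpwnam(owner).pw_uid
        except KeyError:
            problems.append(f"user {owner!r} does not exist")
        else:
            if st.st_uid != expected_uid:
                problems.append(f"owned by uid {st.st_uid}, expected {owner}")
    return problems


def demo() -> dict:
    """Exercise both helpers in a temporary directory (no root needed)."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "gitlab-app-secret")
        # Constructed secret value; owner=None skips the ownership check.
        write_app_secret(path, "constructed-example-secret", owner=None)
        result = {
            "fresh": check_app_secret(path, owner=None),
            "mode": oct(stat.S_IMODE(os.stat(path).st_mode)),
        }
        os.chmod(path, 0o644)  # simulate the chmod step being forgotten
        result["loosened"] = check_app_secret(path, owner=None)
        return result


if __name__ == "__main__":
    print(demo())
```

Running check_app_secret("/etc/debusine/gitlab-app-secret") on a real host, with the default owner, is a quick post-install check that the file ended up with the permissions this page asks for.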

Create the application in GitLab

  1. Go to your profile preferences, under “Applications”

  2. Create a new application:

    1. Tick “Confidential” checkbox

    2. Select scopes: “openid”, “profile”, “email”

    3. Redirect URI: https://your.debusine.server/accounts/accounts/oidc_callback/$PROVIDER_NAME (note that https is required, and this cannot be deployed over plain http)

    4. Copy the Application ID and the Secret to your Debusine local settings

Restart debusine

When everything is set up, restart debusine-server:

systemctl restart debusine-server

On the login page you should now see the option to log in using the provider you configured.

User mapping

When using SIGNON_AUTO_CREATE_USER, if you are not logged in and you log in with an external OIDC provider, a new user is created for you using your GitLab verified email.

If a local user exists using the same verified email, the external user is associated with the existing local one, and no new user is created.

When using SIGNON_AUTO_BIND, if you are logged in with an existing user and you log in again using an external OIDC provider, the external user is connected automatically with the current local one.
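The three rules above can be read as one decision procedure over the two settings and the current login state. The following is an added example, not Debusine's own implementation: a small model of those rules so each combination can be checked. The names LocalUser, RemoteIdentity, Directory and resolve_login, the username derived from the email local part, the lookup of an already-bound identity and the refusal of an unverified email are all choices of this example, not statements about Debusine's code.

```python
# Added example (not Debusine's own code): model of the user-mapping rules
# for SIGNON_AUTO_CREATE_USER and SIGNON_AUTO_BIND.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LocalUser:
    username: str
    email: str


@dataclass
class RemoteIdentity:
    provider: str        # the provider "name" from SIGNON_PROVIDERS
    subject: str         # stable subject identifier from the OIDC id token
    email: str
    email_verified: bool


@dataclass
class Directory:
    """Constructed stand-in for the local user table and its remote bindings."""
    users: dict[str, LocalUser] = field(default_factory=dict)           # keyed by email
    bindings: dict[tuple[str, str], str] = field(default_factory=dict)  # (provider, subject) -> username


def resolve_login(directory: Directory, remote: RemoteIdentity,
                  current_user: Optional[LocalUser],
                  auto_create: bool, auto_bind: bool) -> tuple[str, Optional[str]]:
    """Return (rule_that_fired, username); username is None when no account results."""
    key = (remote.provider, remote.subject)
    # An identity bound on an earlier login is simply that user again.
    if key in directory.bindings:
        return "existing_binding", directory.bindings[key]
    # Only a verified email may be matched against local accounts; otherwise
    # anyone could register another person's address at the provider and
    # be attached to their local account.
    if not remote.email_verified:
        return "rejected_unverified_email", None
    # SIGNON_AUTO_BIND: already logged in, logging in again via OIDC attaches
    # the remote identity to the current local user.
    if current_user is not None and auto_bind:
        directory.bindings[key] = current_user.username
        return "bound_to_current_user", current_user.username
    # SIGNON_AUTO_CREATE_USER: not logged in; reuse a local user with the same
    # verified email, otherwise create one.
    if current_user is None and auto_create:
        local = directory.users.get(remote.email)
        if local is None:
            # Constructed choice for the example: username from the email local part.
            local = LocalUser(username=remote.email.split("@")[0], email=remote.email)
            directory.users[remote.email] = local
            directory.bindings[key] = local.username
            return "created_user", local.username
        directory.bindings[key] = local.username
        return "bound_to_existing_email", local.username
    return "no_rule_applied", None


if __name__ == "__main__":
    d = Directory()
    alice = RemoteIdentity("salsa", "123", "alice@example.org", True)
    print(resolve_login(d, alice, None, True, True))   # created_user
    print(resolve_login(d, alice, None, True, True))   # existing_binding
```

The unverified-email branch is the one worth keeping in mind when reviewing a deployment: matching on email is only safe because the provider has verified the address, which is why the scope list above includes "email".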