Thoryn


GitLab — Thoryn as a generic OIDC provider

GitLab self-managed or SaaS Premium+ can use Thoryn as an OAuth2 / OIDC IdP via the omniauth_openid_connect strategy.

Tested against: hub 1.0.0, gitlab 16.x

app-connectors recipe — shared category architecture: how this pattern composes with Hub, Broker, and the rest of the catalog

What you get

GitLab users authenticated via Thoryn. Works on GitLab self-managed (any tier) and GitLab.com Premium+. Auto-creates GitLab accounts on first login if you list the provider in omniauth_allow_single_sign_on (as the config below does).

Setup

1. In Thoryn

hub clients create \
  --name "GitLab" \
  --redirect-uri "https://gitlab.YOUR-DOMAIN.com/users/auth/openid_connect/callback" \
  --grant-types authorization_code,refresh_token \
  --scopes "openid email profile"

2. In GitLab

Edit gitlab.rb:

gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_providers'] = [
  {
    name: 'openid_connect',
    label: 'Thoryn',
    args: {
      name: 'openid_connect',
      scope: ['openid', 'profile', 'email'],
      response_type: 'code',
      issuer: 'https://hub.thoryn.org',
      discovery: true,
      client_auth_method: 'query',
      uid_field: 'preferred_username',
      client_options: {
        identifier: 'YOUR_CLIENT_ID',
        secret: 'YOUR_CLIENT_SECRET',
        redirect_uri: 'https://gitlab.YOUR-DOMAIN.com/users/auth/openid_connect/callback'
      }
    }
  }
]

Run gitlab-ctl reconfigure.

Caveats

  • GitLab.com Free doesn't support custom OIDC providers; needs Premium+.
  • uid_field: pick a stable claim — sub is safest if preferred_username can change.
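A pre-flight check for the setup above and the uid_field caveat, added here as an example (not part of the Thoryn docs or of GitLab): it compares the provider args from gitlab.rb against the issuer's discovery document. The discovery JSON and its endpoint paths are constructed sample data, assumed to resemble what the issuer serves at /.well-known/openid-configuration.

```ruby
require 'json'

# Constructed sample of the discovery document the issuer in gitlab.rb is
# assumed to serve; fetch the real one with Net::HTTP in practice.
SAMPLE_DISCOVERY = <<~JSON
  {
    "issuer": "https://hub.thoryn.org",
    "authorization_endpoint": "https://hub.thoryn.org/oauth/authorize",
    "token_endpoint": "https://hub.thoryn.org/oauth/token",
    "jwks_uri": "https://hub.thoryn.org/oauth/jwks",
    "response_types_supported": ["code"],
    "scopes_supported": ["openid", "email", "profile"],
    "claims_supported": ["sub", "email", "preferred_username", "name"]
  }
JSON

# The provider args from gitlab.rb, mirrored as a Ruby hash.
GITLAB_ARGS = {
  issuer: 'https://hub.thoryn.org',
  scope: %w[openid profile email],
  response_type: 'code',
  uid_field: 'preferred_username'
}.freeze

# Returns { errors: [...], warnings: [...] }: errors break login outright,
# warnings are the identity-stability concern from the caveats.
def check_oidc_config(discovery_json, args)
  doc = JSON.parse(discovery_json)
  errors = []
  warnings = []
  # GitLab verifies the id_token's iss claim against args[:issuer]; even a
  # trailing-slash difference fails that comparison.
  errors << "issuer mismatch: #{doc['issuer']}" unless doc['issuer'] == args[:issuer]
  # discovery: true relies on these endpoints being published.
  %w[authorization_endpoint token_endpoint jwks_uri].each do |key|
    errors << "missing #{key}" unless doc[key]
  end
  supported = doc.fetch('response_types_supported', [])
  errors << "response_type #{args[:response_type]} not supported" unless supported.include?(args[:response_type])
  missing = args[:scope] - doc.fetch('scopes_supported', [])
  errors << "scopes not advertised: #{missing.join(', ')}" unless missing.empty?
  # uid_field must be a claim the IdP returns and should not be reassignable:
  # a renamed user looks like a new identity, a reused name maps to the old account.
  claims = doc.fetch('claims_supported', [])
  errors << "uid_field #{args[:uid_field]} not in claims_supported" unless claims.include?(args[:uid_field])
  warnings << "uid_field #{args[:uid_field]} may change; prefer sub" unless args[:uid_field] == 'sub'
  { errors: errors, warnings: warnings }
end
```

Run it with the real discovery document before `gitlab-ctl reconfigure`; an empty errors list means the args are consistent with what the IdP advertises.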
