GitLab OIDC-based authentication fails after configuration: TypeError, no implicit conversion of nil into String
Summary
Configuring the Casdoor integration produces the following errors:
/var/log/gitlab/gitlab-rails/application_json.log:{"severity":"DEBUG","time":"2023-08-30T01:34:29.223Z","correlation_id":"01H9217SAXTPJW3YY5F4QFJ1BT","message":"(openid_connect) Request phase initiated."}
/var/log/gitlab/gitlab-rails/application_json.log:{"severity":"ERROR","time":"2023-08-30T01:34:29.224Z","correlation_id":"01H9217SAXTPJW3YY5F4QFJ1BT","message":"(openid_connect) Authentication failure! no implicit conversion of nil into String: TypeError, no implicit conversion of nil into String"}
/var/log/gitlab/gitlab-rails/production_json.log:{"method":"POST","path":"/users/auth/openid_connect","format":"html","controller":"OmniauthCallbacksController","action":"failure","status":302,"location":"https://gitlab.example.cn/users/sign_in","time":"2023-08-30T01:34:29.244Z","params":[{"key":"authenticity_token","value":"[FILTERED]"}],"correlation_id":"01H9217SAXTPJW3YY5F4QFJ1BT","meta.caller_id":"OmniauthCallbacksController#failure","meta.remote_ip":"xx.xx.xx.xx","meta.feature_category":"system_access","meta.client_id":"ip/xx.xx.xx.xx","remote_ip":"xx.xx.xx.xx","ua":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0","queue_duration_s":0.007059,"response_bytes":103,"request_urgency":"default","target_duration_s":1,"redis_calls":11,"redis_duration_s":0.002271,"redis_read_bytes":2437,"redis_write_bytes":621,"redis_feature_flag_calls":10,"redis_feature_flag_duration_s":0.001803,"redis_feature_flag_read_bytes":2364,"redis_feature_flag_write_bytes":536,"redis_sessions_calls":1,"redis_sessions_duration_s":0.000468,"redis_sessions_read_bytes":73,"redis_sessions_write_bytes":85,"db_count":0,"db_write_count":0,"db_cached_count":0,"db_replica_count":0,"db_primary_count":0,"db_main_count":0,"db_ci_count":0,"db_main_replica_count":0,"db_ci_replica_count":0,"db_replica_cached_count":0,"db_primary_cached_count":0,"db_main_cached_count":0,"db_ci_cached_count":0,"db_main_replica_cached_count":0,"db_ci_replica_cached_count":0,"db_replica_wal_count":0,"db_primary_wal_count":0,"db_main_wal_count":0,"db_ci_wal_count":0,"db_main_replica_wal_count":0,"db_ci_replica_wal_count":0,"db_replica_wal_cached_count":0,"db_primary_wal_cached_count":0,"db_main_wal_cached_count":0,"db_ci_wal_cached_count":0,"db_main_replica_wal_cached_count":0,"db_ci_replica_wal_cached_count":0,"db_replica_duration_s":0.0,"db_primary_duration_s":0.0,"db_main_duration_s":0.0,"db_ci_duration_s":0.0,"db_main_replica_duration_s":0.0,"db_ci_replica_duration_s":0.0,"cpu_s":0.02885,"
mem_objects":17126,"mem_bytes":3353184,"mem_mallocs":6436,"mem_total_bytes":4038224,"pid":7919,"worker_id":"puma_7","rate_limiting_gates":[],"db_duration_s":0.0,"view_duration_s":0.0,"duration_s":0.01935}
/var/log/gitlab/gitlab-workhorse/current:{"content_type":"text/html; charset=utf-8","correlation_id":"01H9217SAXTPJW3YY5F4QFJ1BT","duration_ms":33,"host":"gitlab.example.cn","level":"info","method":"POST","msg":"access","proto":"HTTP/1.1","referrer":"https://gitlab.example.cn/users/sign_in","remote_addr":"xx.xx.xx.xx:0","remote_ip":"xx.xx.xx.xx","route":"","status":302,"system":"http","time":"2023-08-30T09:34:29+08:00","ttfb_ms":33,"uri":"/users/auth/openid_connect","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0","written_bytes":103}
Steps to reproduce
- Create the casdoor container
docker run -d --name casdoor --hostname casdoor --restart=always -p 8000:8000 casbin/casdoor-all-in-one
- Configure https
global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
tune.ssl.default-dh-param 2048
stats socket /var/lib/haproxy/stats
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend casdoor-https-in
bind *:8443 ssl crt /etc/haproxy/ssl/casdoor.fullchain.pem
http-request redirect scheme https unless { ssl_fc }
default_backend casdoor
#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
backend casdoor
balance roundrobin
server casdoor-server 127.0.0.1:8000 check
- Create an application in casdoor
# Main properties are as follows
Name: GitLab
Callback URLs: https://gitlab.example.cn/users/auth/openid_connect/callback
Save and exit
- Configure the openid_connect integration
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml','openid_connect']
gitlab_rails['omniauth_block_auto_created_users'] = true
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
{
name: "openid_connect", # do not change this parameter
label: "Casdoor OIDC", # optional label for login button, defaults to "Openid Connect"
args: {
name: "openid_connect",
scope: ["openid", "profile", "email"],
response_type: "code",
issuer: "casdoor.example.cn:8443",
client_auth_method: "query",
discovery: true,
uid_field: "preferred_username",
# uid_field: "sub",
client_options: {
identifier: "529c593e9bcead84152b",
secret: "ccce6a65a3b8129bd0c1c7ccffe2b1f7156c73bb",
redirect_uri: "https://gitlab.example.cn/users/auth/openid_connect/callback"
}
}
}
]
Example Project
What is the current bug behavior?
Login cannot be authenticated.
What is the expected correct behavior?
Relevant logs and/or screenshots
Output of checks
Results of GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)
Results of GitLab application Check
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:check SANITIZE=true`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`) (we will only investigate if the tests are passing)
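Added example, not part of the original report and not GitLab or omniauth code: a pre-flight check for the URL-valued settings in the `args` hash above. The reported `issuer` has no scheme, so Ruby's `URI.parse` finds no host in it, and OpenID Connect Discovery requires the issuer to be an `https` URL; that this is what raises the `TypeError` is an assumption the report does not confirm. `check_oidc_args`, `REPORTED` and `CORRECTED` are names introduced here.

```ruby
require "uri"

# Added example. Returns a list of problems found in the URL-valued settings
# of an omniauth openid_connect `args` hash (empty list means nothing found).
def check_oidc_args(args)
  problems = []
  {
    "issuer" => args[:issuer],
    "client_options.redirect_uri" => args.dig(:client_options, :redirect_uri)
  }.each do |name, value|
    if value.nil? || value.strip.empty?
      problems << "#{name}: missing"
      next
    end
    begin
      uri = URI.parse(value)
    rescue URI::InvalidURIError => e
      problems << "#{name}: not a URI (#{e.message})"
      next
    end
    # "host:port" with no scheme parses with the host name as the scheme and
    # no host component, so any later read of uri.host returns nil.
    problems << "#{name}: scheme is #{uri.scheme.inspect}, expected \"https\"" unless uri.scheme == "https"
    problems << "#{name}: no host component in #{value.inspect}" if uri.host.nil? || uri.host.empty?
    # OpenID Connect Discovery: the issuer carries no query or fragment.
    if name == "issuer" && (uri.query || uri.fragment)
      problems << "#{name}: must not contain a query or fragment"
    end
  end
  problems
end

# Values exactly as in the report above.
REPORTED = {
  issuer: "casdoor.example.cn:8443",
  client_options: { redirect_uri: "https://gitlab.example.cn/users/auth/openid_connect/callback" }
}.freeze
# Assumed correction: same host and port with an explicit https scheme.
CORRECTED = REPORTED.merge(issuer: "https://casdoor.example.cn:8443").freeze

if __FILE__ == $PROGRAM_NAME
  { "reported" => REPORTED, "corrected" => CORRECTED }.each do |label, args|
    problems = check_oidc_args(args)
    puts "#{label}: #{problems.empty? ? 'ok' : problems.join('; ')}"
  end
end
```

With `discovery: true` the issuer must also match the `issuer` value the provider publishes in its `/.well-known/openid-configuration` document, which this offline check does not fetch.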

