Use GitHub as an OAuth 2.0 authentication provider

DETAILS: Tier: Free, Premium, Ultimate Offering: Self-managed

You can integrate your GitLab instance with GitHub.com and GitHub Enterprise. You can import projects from GitHub, or sign in to GitLab with your GitHub credentials.

Create an OAuth app in GitHub

To enable the GitHub OmniAuth provider, you need an OAuth 2.0 client ID and client secret from GitHub:

1. Sign in to GitHub.
2. Create an OAuth App and provide the following information:
   • The URL of your GitLab instance, such as https://gitlab.example.com.
   • The authorization callback URL, such as, https://gitlab.example.com/users/auth. Include the port number if your GitLab instance uses a non-default port.

Check for security vulnerabilities

For some integrations, the OAuth 2 covert redirect vulnerability can compromise GitLab accounts. To mitigate this vulnerability, append /users/auth to the authorization callback URL.

However, as far as we know, GitHub does not validate the subdomain part of the redirect_uri. Therefore, a subdomain takeover, an XSS, or an open redirect on any subdomain of your website could enable the covert redirect attack.

Enable GitHub OAuth in GitLab

1. Configure the common settings to add github as a single sign-on provider. This enables Just-In-Time account provisioning for users who do not have an existing GitLab account.

2. Edit the GitLab configuration file using the following information:

   GitHub setting	Value in the GitLab configuration file	Description
   Client ID	YOUR_APP_ID	OAuth 2.0 client ID
   Client secret	YOUR_APP_SECRET	OAuth 2.0 client secret
   URL	https://github.example.com/	GitHub deployment URL

   • For Linux package installations:

     1. Open the /etc/gitlab/gitlab.rb file.

        For GitHub.com, update the following section:

        gitlab_rails['omniauth_providers'] = [
          {
            name: "github",
            # label: "Provider name", # optional label for login button, defaults to "GitHub"
            app_id: "YOUR_APP_ID",
            app_secret: "YOUR_APP_SECRET",
            args: { scope: "user:email" }
          }
        ]

        For GitHub Enterprise, update the following section and replace https://github.example.com/ with your GitHub URL:

        gitlab_rails['omniauth_providers'] = [
          {
            name: "github",
            # label: "Provider name", # optional label for login button, defaults to "GitHub"
            app_id: "YOUR_APP_ID",
            app_secret: "YOUR_APP_SECRET",
            url: "https://github.example.com/",
            args: { scope: "user:email" }
          }
        ]

     2. Save the file and reconfigure GitLab.

   • For self-compiled installations:

     1. Open the config/gitlab.yml file.

        For GitHub.com, update the following section:

        - { name: 'github',
            # label: 'Provider name', # optional label for login button, defaults to "GitHub"
            app_id: 'YOUR_APP_ID',
            app_secret: 'YOUR_APP_SECRET',
            args: { scope: 'user:email' } }

        For GitHub Enterprise, update the following section and replace https://github.example.com/ with your GitHub URL:

        - { name: 'github',
            # label: 'Provider name', # optional label for login button, defaults to "GitHub"
            app_id: 'YOUR_APP_ID',
            app_secret: 'YOUR_APP_SECRET',
            url: "https://github.example.com/",
            args: { scope: 'user:email' } }

     2. Save the file and restart GitLab.

3. Refresh the GitLab sign-in page. A GitHub icon should display below the sign-in form.

4. Select the icon. Sign in to GitHub and authorize the GitLab application.

Troubleshooting

Imports from GitHub Enterprise with a self-signed certificate fail

When you import projects from GitHub Enterprise using a self-signed certificate, the imports fail.

To fix this issue, you must disable SSL verification:

1. Set verify_ssl to false in the configuration file.

   • For Linux package installations:

     gitlab_rails['omniauth_providers'] = [
       {
         name: "github",
         # label: "Provider name", # optional label for login button, defaults to "GitHub"
         app_id: "YOUR_APP_ID",
         app_secret: "YOUR_APP_SECRET",
         url: "https://github.example.com/",
         verify_ssl: false,
         args: { scope: "user:email" }
       }
     ]

   • For self-compiled installations:

     - { name: 'github',
         # label: 'Provider name', # optional label for login button, defaults to "GitHub"
         app_id: 'YOUR_APP_ID',
         app_secret: 'YOUR_APP_SECRET',
         url: "https://github.example.com/",
         verify_ssl: false,
         args: { scope: 'user:email' } }

2. Change the global Git sslVerify option to false on the GitLab server.

   • For Linux package installations running GitLab 15.3 and later:

     gitaly['gitconfig'] = [
        {key: "http.sslVerify", value: "false"},
     ]

   • For Linux package installations running GitLab 15.2 and earlier (legacy method):

     omnibus_gitconfig['system'] = { "http" => ["sslVerify = false"] }

   • For self-compiled installations running GitLab 15.3 and later, edit the Gitaly configuration (gitaly.toml):

     [[git.config]]
     key = "http.sslVerify"
     value = "false"

   • For self-compiled installations running GitLab 15.2 and earlier (legacy method):

     git config --global http.sslVerify false

3. Reconfigure GitLab if you installed using the Linux package, or restart GitLab if you self-compiled your installation.

Signing in using GitHub Enterprise returns a 500 error

This error can occur because of a network connectivity issue between your GitLab instance and GitHub Enterprise.

To check for a connectivity issue:

1. Go to the production.log on your GitLab server and look for the following error:

   Faraday::ConnectionFailed (execution expired)

2. Start the rails console and run the following commands. Replace <github_url> with the URL of your GitHub Enterprise instance:

   uri = URI.parse("https://<github_url>") # replace `GitHub-URL` with the real one here
   http = Net::HTTP.new(uri.host, uri.port)
   http.use_ssl = true
   http.verify_mode = 1
   response = http.request(Net::HTTP::Get.new(uri.request_uri))

3. If a similar execution expired error is returned, this confirms the error is caused by a connectivity issue. Make sure the GitLab server can reach your GitHub Enterprise instance.

Signing in using your GitHub account without a pre-existing GitLab account is not allowed

When you sign in to GitLab, you get the following error:

Signing in using your GitHub account without a pre-existing
GitLab account is not allowed. Create a GitLab account first,
and then connect it to your GitHub account

To fix this issue, you must activate GitHub sign-in in GitLab:

1. On the left sidebar, select your avatar.
2. Select Edit profile.
3. On the left sidebar, select Account.
4. In the Service sign-in section, select Connect to GitHub.