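====== Keycloak ======

===== Интеграция с Gitlab =====

На стороне Keycloak заводим нового клиента:

{{ :common_linux:pasted:20230615-105231.png }}

Задаем имя клиента, RootURI и Valid Redirect URI:

{{ :common_linux:pasted:20230615-105505.png }}

Необходимые для работы Scopes: openid, profile, email

{{ :common_linux:pasted:20230615-105712.png }}

На стороне Gitlab редактируем файл /etc/gitlab/gitlab.rb:

# nano /etc/gitlab/gitlab.rb

# OmniAuth / OpenID Connect settings for signing in to GitLab through Keycloak.
# One setting per line: a trailing "#" comment runs to the end of the line, so
# on a collapsed line it would swallow every setting that follows it.
gitlab_rails['omniauth_enabled'] = true

# Users signing in through this provider get a GitLab account created
# automatically on first login.
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']

# Profile attributes are taken from the provider.
gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect']

# false = auto-created accounts are active immediately, without administrator
# approval. Every identity that can authenticate in the issuer realm therefore
# gets a working GitLab account; keep this only if registration and login in
# that realm are restricted, otherwise set it to true.
gitlab_rails['omniauth_block_auto_created_users'] = false

# Links a provider login to an existing GitLab user whose email address matches.
# This trusts the email claim completely.
# NOTE(review): confirm that the realm enforces email verification and that
# users cannot freely change their own email, otherwise a realm account with
# someone else's address is linked to that person's GitLab user.
gitlab_rails['omniauth_auto_link_user'] = ['openid_connect']

gitlab_rails['omniauth_providers'] = [
  {
    name: "openid_connect", # do not change this parameter
    label: "KeyCloak SSO", # optional label for login button, defaults to "Openid Connect"
    icon: "https://idm.virtlab.space/welcome-content/keycloak-project.png",
    args: {
      name: "openid_connect",
      scope: ["openid","profile","email"],
      response_type: "code",
      # Must be the realm's issuer URL; with discovery enabled the endpoints are
      # read from the provider's discovery document.
      issuer: "https://idm.virtlab.space/realms/virtlab",
      discovery: true,
      # Per the GitLab OpenID Connect documentation, any value other than
      # basic, jwt_bearer or mtls posts the client ID and secret in the token
      # request body.
      client_auth_method: "query",
      # The GitLab identity is keyed on the email claim. An email address can be
      # changed or reassigned, while "sub" (used when uid_field is not set) is
      # the stable subject identifier.
      # NOTE(review): prefer "sub" for new installations; changing uid_field on
      # a live instance changes the uid existing identities are matched on.
      uid_field: "email",
      # NOTE(review): this is the string "false", and a non-empty string is
      # truthy in Ruby; confirm whether the boolean false was intended.
      send_scope_to_token_endpoint: "false",
      pkce: true,
      client_options: {
        identifier: "git.virtlab.space",
        # Placeholder for the client secret issued by Keycloak. The value is
        # stored here in plain text: keep gitlab.rb readable by root only and
        # out of version control and backups that others can read.
        secret: "client_secret_here",
        # Must match the Valid Redirect URI registered for the client in
        # Keycloak; register this exact callback URL rather than a wildcard.
        redirect_uri: "https://git.virtlab.space/users/auth/openid_connect/callback"
      }
    }
  }
]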