git over https does not work with crowd omniauth

Gitlab CE 12.3.5 (2417d5be) (docker container if that matters)

Crowd Omniauth config:

gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['crowd']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "crowd",
    "args" => {
      "crowd_server_url" => "https://crowd.server.url.tld",
      "application_name" => "appname",
      "application_password" => "secret_password"
    }
  }
]
  1. Log into Gitlab first time with existing crowd user.
  2. Create project with that user naming 'test-project'.
  3. Gitlab shows warning "You won't be able to pull or push project code via HTTPS until you set password on your account."
  4. Have a feeling that this must be a wrong notification, because I had just logged in with password, omniauth is working and it does not make any sense that the same omniauth user/pass does not work for git over https operations.
  5. Test git clone https://gitlab.tld/username/test-project.git/
     fatal: Authentication failed for 'https://gitlab.tld/username/test-project.git/'
  6. Check gitlab-rails production.log:
Processing by Projects::GitHttpController#info_refs as */*
  Parameters: {"service"=>"git-upload-pack", "namespace_id"=>"username", "project_id"=>"test-project.git"}
Filter chain halted as :authenticate_user rendered or redirected
Completed 401 Unauthorized in 16ms (Views: 1.3ms | ActiveRecord: 1.5ms | Elasticsearch: 0.0ms)
Started GET "/username/test-project.git/info/refs?service=git-upload-pack" for 10.255.0.2 at 2019-10-11 09:59:55 +0000
Processing by Projects::GitHttpController#info_refs as */*
  Parameters: {"service"=>"git-upload-pack", "namespace_id"=>"username", "project_id"=>"test-project.git"}
Filter chain halted as :authenticate_user rendered or redirected
Completed 401 Unauthorized in 297ms (Views: 0.7ms | ActiveRecord: 27.8ms | Elasticsearch: 0.0ms)
  7. Complete facepalm/wtf moment.

The entire idea of central user management (in this case Crowd) is that you have a single authentication/authorization source. Not being able to use omniauth credentials for git over https and requiring a separate password to be set in Gitlab makes no sense.

Desired/expected result: git over https is authenticated against crowd omniauth.
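
For server-side triage, the 401 pattern in the production.log excerpt above can be counted per project and client. This is an added example, not part of the original issue or of GitLab's code: the function names and the sample log (shaped like the excerpt, with one constructed successful request) are assumptions, and it assumes the lines of one request are not interleaved with another's.

```ruby
# Constructed sample: the two 401 requests mirror the excerpt; the last request is invented.
SAMPLE_LOG = <<~'LOG'
  Processing by Projects::GitHttpController#info_refs as */*
    Parameters: {"service"=>"git-upload-pack", "namespace_id"=>"username", "project_id"=>"test-project.git"}
  Filter chain halted as :authenticate_user rendered or redirected
  Completed 401 Unauthorized in 16ms (Views: 1.3ms | ActiveRecord: 1.5ms | Elasticsearch: 0.0ms)
  Started GET "/username/test-project.git/info/refs?service=git-upload-pack" for 10.255.0.2 at 2019-10-11 09:59:55 +0000
  Processing by Projects::GitHttpController#info_refs as */*
    Parameters: {"service"=>"git-upload-pack", "namespace_id"=>"username", "project_id"=>"test-project.git"}
  Filter chain halted as :authenticate_user rendered or redirected
  Completed 401 Unauthorized in 297ms (Views: 0.7ms | ActiveRecord: 27.8ms | Elasticsearch: 0.0ms)
  Started GET "/other/repo.git/info/refs?service=git-upload-pack" for 10.255.0.9 at 2019-10-11 10:01:00 +0000
  Processing by Projects::GitHttpController#info_refs as */*
    Parameters: {"service"=>"git-upload-pack", "namespace_id"=>"other", "project_id"=>"repo.git"}
  Completed 200 OK in 40ms (Views: 0.5ms | ActiveRecord: 3.0ms | Elasticsearch: 0.0ms)
LOG

# Rebuild requests from the multi-line Rails log and keep git-over-HTTP
# requests that ended in 401 after the :authenticate_user filter halted.
def git_http_auth_failures(log)
  failures = []
  req = nil
  log.each_line do |line|
    case line
    when /^Started \w+ "[^"]+" for (\S+) at (.+)$/
      req = { ip: $1, at: $2.strip }
    when /^Processing by (\S+)#\w+/
      req ||= {} # an excerpt may begin mid-request, without a Started line
      req[:controller] = $1
    when /^\s*Parameters: (.*)$/
      params = $1
      %w[service namespace_id project_id].each { |k| req[k.to_sym] = params[/"#{k}"=>"([^"]*)"/, 1] } if req
    when /^Filter chain halted as :(\w+)/
      req[:halted_by] = $1 if req
    when /^Completed (\d{3})/
      git_401 = req && req[:controller] == 'Projects::GitHttpController' && $1 == '401'
      failures << req if git_401 && req[:halted_by] == 'authenticate_user'
      req = nil
    end
  end
  failures
end

# Group failures by "namespace/project" with a count and the client IPs seen.
def summarize(failures)
  failures.group_by { |f| "#{f[:namespace_id]}/#{f[:project_id]}" }
          .transform_values { |fs| { count: fs.size, clients: fs.map { |f| f[:ip] || 'unknown' }.uniq } }
end

pp summarize(git_http_auth_failures(SAMPLE_LOG)) if __FILE__ == $0
```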