
GitLab

Integrate GitLab with Pocket ID authentication

Setting this app up requires access to the GitLab configuration file (most likely /etc/gitlab/gitlab.rb) as well as shell access to reconfigure GitLab. The following URLs are used as placeholders for the GitLab and Pocket ID instances:

Placeholder           Replace with
gitlab.example.com    URL of your GitLab instance
oidc.example.com      URL of your Pocket ID instance

Pocket ID Setup

  1. In Pocket ID, create a new OIDC client, named whatever you want.
  2. (Optional) Set a logo for the OIDC client
  3. Set the callback URL to https://gitlab.example.com/users/auth/openid_connect/callback
  4. Copy the Client ID and Client Secret for the GitLab Setup

GitLab Setup

You can reference the GitLab documentation for OmniAuth for more information on OmniAuth. More detailed information on the available OIDC features, such as group assignment, is available here.

  1. Open the config file in an editor of your choice
  2. Find the OmniAuth section of the config file (around line 579). The next few steps can be done either by uncommenting the existing options or by adding new ones
  3. Enable OmniAuth: gitlab_rails['omniauth_enabled'] = true
  4. Allow single sign on: gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
  5. Create a new provider:
     gitlab_rails['omniauth_providers'] = [
       {
         name: "openid_connect",
         label: "Pocket ID",
         icon: "https://oidc.example.com/api/application-configuration/logo",
         args: {
           name: "openid_connect",
           scope: ["openid","profile","email"],
           response_type: "code",
           issuer: "https://oidc.example.com",
           discovery: true,
           client_auth_method: "query",
           uid_field: "preferred_username",
           send_scope_to_token_endpoint: "false",
           pkce: true,
           client_options: {
             identifier: "<Client ID>",
             secret: "<Client Secret>",
             redirect_uri: "https://gitlab.example.com/users/auth/openid_connect/callback"
           }
         }
       }
     ]

After completing these edits to the configuration file, you will need to reconfigure GitLab:

gitlab-ctl reconfigure
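
A consistency check for the provider entry from step 5, meant to be run before reconfiguring. This is an added example, not part of the Pocket ID or GitLab documentation; lint_oidc_provider is a hypothetical helper, and the discovery document and client credentials below are constructed sample values.

```ruby
require "json"

# Constructed sample of Pocket ID's discovery document; the two field names
# come from OpenID Connect Discovery, the values are placeholders.
DISCOVERY = JSON.parse('{"issuer": "https://oidc.example.com",
                         "code_challenge_methods_supported": ["S256"]}')

# The provider entry from step 5, with constructed (fake) client credentials.
PROVIDER = {
  name: "openid_connect",
  args: {
    scope: ["openid", "profile", "email"], response_type: "code",
    issuer: "https://oidc.example.com", discovery: true, pkce: true,
    client_options: {
      identifier: "constructed-client-id", secret: "constructed-secret",
      redirect_uri: "https://gitlab.example.com/users/auth/openid_connect/callback"
    }
  }
}.freeze

# Hypothetical helper: returns the problems found in one provider entry.
def lint_oidc_provider(provider, discovery, gitlab_url, sso_providers)
  args = provider.fetch(:args, {})
  opts = args.fetch(:client_options, {})
  name = provider[:name].to_s
  problems = []

  # GitLab builds the callback path from the provider name (Pocket ID step 3).
  callback = "#{gitlab_url.chomp('/')}/users/auth/#{name}/callback"
  problems << "redirect_uri must be #{callback}" unless opts[:redirect_uri] == callback

  # The configured issuer has to match the discovery document exactly.
  issuer = args[:issuer].to_s
  problems << "issuer must use https" unless issuer.start_with?("https://")
  problems << "issuer differs from discovery document" unless issuer == discovery["issuer"]

  %i[identifier secret].each do |key|
    value = opts[key].to_s
    problems << "#{key} is empty or a placeholder" if value.empty? || value.match?(/\A<.*>\z/)
  end

  problems << "scope must include openid" unless Array(args[:scope]).include?("openid")
  problems << "response_type should be code" unless args[:response_type] == "code"
  if args[:pkce] && !Array(discovery["code_challenge_methods_supported"]).include?("S256")
    problems << "pkce enabled but provider does not advertise S256"
  end
  problems << "#{name} not in omniauth_allow_single_sign_on" unless sso_providers.include?(name)
  problems
end

found = lint_oidc_provider(PROVIDER, DISCOVERY, "https://gitlab.example.com", ["openid_connect"])
puts(found.empty? ? "provider entry looks consistent" : found)
```

To check a real instance, replace DISCOVERY with the JSON served at your issuer's /.well-known/openid-configuration path and PROVIDER with the entry from your gitlab.rb.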

Existing Accounts

After enabling OIDC, existing accounts will need to sign in with a username and password and then link their OIDC identity. This is done from the Profile > Account page (https://gitlab.example.com/-/profile/account). Under the Service sign-in section there should be a Connect Pocket ID button, which lets you log in using Pocket ID. Once the account is linked, you can sign in with Pocket ID alone from the sign-in page.

New Accounts

Depending on your GitLab instance's policies, your administrator may need to provision or enable each new account as it is created.
