
JFrog Artifactory: GitLab OAuth integration

Login to Artifactory using GitLab as an identity provider (OAuth).

4 years ago


Motivation

Simplicity and ease of use are more important than ever, especially considering the ever-increasing number of different DevOps tools and systems in the modern developer landscape. With every tool or system there (usually) is an additional password. To ease the life of everyone involved (and to avoid the usual password risks) I was determined to set up Artifactory with a self-hosted GitLab as an identity provider.

Setup

Out of the box Artifactory already supports some providers - LDAP, SAML and OAuth with GitHub, Google, CloudFoundry and OIDC - but sadly not GitLab!

A short Google search revealed that it would be possible to use the generic OAuth integration with GitLab and Artifactory:

- GitLab OAuth documentation
- Artifactory OAuth documentation

The hurdle was to "plug" both systems "together". After many rounds of trial and error and digging through documentation, I found that the following configuration steps produce a working setup:

In GitLab create a new Application:

- Callback URL: https://artifactory.example.com/artifactory/api/oauth2/loginResponse
- Trusted: NO
- Confidential: YES
- Scopes: read_user, read_api, openid, profile, email

Figure: GitLab application setup.

In Artifactory create a new provider in OAuth SSO:

- Provider Type: OpenID
- Client ID: <GitLab application ID>
- Secret: <GitLab application secret>
- Auth URL: https://git.example.com/oauth/authorize
- API URL: https://git.example.com/oauth/userinfo
- Token URL: https://git.example.com/oauth/token

Figure: Configuration in Artifactory.

Furthermore, do not forget to enable OAuth in the Artifactory OAuth SSO settings and to allow "Auto Create Users". That should do the trick. It is now possible to log in to Artifactory using GitLab as an identity provider.
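A way to check the values entered above against what GitLab itself advertises, as an added example that is not part of the original post: it compares the three provider URLs with an OpenID discovery document, requires HTTPS and a single issuer host, and lists scopes beyond `openid`, `profile` and `email` for review. The `DISCOVERY` document is a constructed, trimmed sample, and the field-to-key mapping and the `check_provider` helper are assumptions of this example.

```python
from urllib.parse import urlsplit
# Constructed sample: trimmed shape of the discovery document GitLab serves at
# https://git.example.com/.well-known/openid-configuration
DISCOVERY = {
    "issuer": "https://git.example.com",
    "authorization_endpoint": "https://git.example.com/oauth/authorize",
    "token_endpoint": "https://git.example.com/oauth/token",
    "userinfo_endpoint": "https://git.example.com/oauth/userinfo",
    "scopes_supported": ["api", "read_user", "read_api", "openid", "profile", "email"],
}
# Values as given in the post (Artifactory provider form, GitLab application).
PROVIDER = {
    "Auth URL": "https://git.example.com/oauth/authorize",
    "API URL": "https://git.example.com/oauth/userinfo",
    "Token URL": "https://git.example.com/oauth/token",
}
SCOPES = ["read_user", "read_api", "openid", "profile", "email"]
CALLBACK = "https://artifactory.example.com/artifactory/api/oauth2/loginResponse"
# Artifactory form field -> discovery key (mapping assumed for this example).
FIELD_MAP = {"Auth URL": "authorization_endpoint",
             "API URL": "userinfo_endpoint", "Token URL": "token_endpoint"}
OIDC_LOGIN_SCOPES = {"openid", "profile", "email"}

def check_provider(provider, scopes, callback, discovery):
    """Return a list of findings; an empty list means nothing to review."""
    findings = []
    issuer_host = urlsplit(discovery["issuer"]).netloc
    for field, key in FIELD_MAP.items():
        url = urlsplit(provider[field])
        if url.scheme != "https":
            findings.append(f"{field}: not HTTPS")
        if url.netloc != issuer_host:
            findings.append(f"{field}: host {url.netloc} is not the issuer host {issuer_host}")
        if provider[field] != discovery[key]:
            findings.append(f"{field}: differs from discovery {key}")
    if urlsplit(callback).scheme != "https":
        findings.append("Callback URL: not HTTPS")
    if "openid" not in scopes:
        findings.append("Scopes: openid missing")
    for scope in scopes:
        if scope not in discovery["scopes_supported"]:
            findings.append(f"Scopes: {scope} not offered by the provider")
        elif scope not in OIDC_LOGIN_SCOPES:
            findings.append(f"Scopes: {scope} is beyond the OIDC login scopes, review")
    return findings

if __name__ == "__main__":
    for finding in check_provider(PROVIDER, SCOPES, CALLBACK, DISCOVERY):
        print(finding)
```

With the values from the post, the only findings are the two review notes for `read_user` and `read_api`; the URLs match the discovery document.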

What works and what doesn't

Login and user creation work as expected, but "advanced" features one might know from other integrations, like automatic group creation or user/group mapping, are not available. From what I have heard from JFrog customer support, there is something on the roadmap for Artifactory, but it might still take a while.

The following links were also considered when working on this topic. They do not relate directly to this solution but might still be of interest:
- https://www.jfrog.com/jira/browse/RTFACT-24909
- https://gitlab.com/gitlab-org/gitlab/-/issues/15282

Fabio Germann
