docs(oauth): surface and document GitLab login support#195
Merged
Conversation
- Add a GitLab OAuth section to .env.example and the configuration guide - Add a dedicated GitLab OAuth setup section and env-var reference rows - List GitLab as a supported provider across the README and project docs - Rewrite the "adding a provider" example off the now-built-in GitLab onto Google
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
Contributor
There was a problem hiding this comment.
Pull request overview
Surfaces already-implemented GitLab OAuth login support by updating operator-facing documentation and example configuration, and removes stale language implying GitLab is a future addition.
Changes:
- Add
GITLAB_*environment variables to.env.exampleand the configuration docs. - Extend provider lists across docs to include GitLab and update OAuth-related prose/tutorials accordingly.
- Add a GitLab-specific setup section and env-var reference rows to
docs/OAUTH_SETUP.md.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
README.md |
Updates provider lists and the OAuth setup guide link description to include GitLab. |
docs/OAUTH_SETUP.md |
Adds GitLab setup steps, GitLab env-var reference rows, and rewrites the “adding a provider” tutorial. |
docs/CONFIGURATION.md |
Documents GitLab OAuth env vars and updates supported-provider text. |
CLAUDE.md |
Updates internal docs/provider lists to include GitLab. |
.env.example |
Adds a GitLab OAuth configuration block for discoverability. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Fix the GitLab application UI path and add the localhost HTTPS redirect caveat - Clarify that read_user returns the account primary email, not the public email - Use an inline endpoint in the add-a-provider example to avoid an extra dependency - Add GitLab to the architecture, metrics, and use-case provider lists - Correct the OAuth route paths documented in CLAUDE.md
- Scope the OAuth setup guide features to GitHub, Gitea, and GitLab walkthroughs - Point Microsoft Entra ID mentions to the configuration guide instead of implying coverage
- Scope auth_login_total auth_source to local and http_api, matching RecordLogin call sites - Describe the real post-login redirect (saved target or /account/sessions) instead of /device
- Note that same-email auto-linking only occurs for providers attesting verified email - Call out that GitLab and Gitea are treated as unverified and are not auto-linked
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.
Comments suppressed due to low confidence (1)
docs/OAUTH_SETUP.md:230
- This example implies GitHub+Gitea+GitLab can all be linked to the same AuthGate account. In the current implementation, GitLab and Gitea always report EmailVerified=false and therefore cannot be auto-linked by email; if an account already owns that email, an unverified provider login (with no existing OAuthConnection) fails due to the UNIQUE email constraint. Consider revising the example to avoid showing multiple unverified providers linked to the same account, or explicitly describe the ordering/limitation (e.g., start with one unverified provider account, then link verified providers).
- Local auth: alice / password123
- GitHub: alice-github (linked)
- Gitea: alice-work (linked)
- GitLab: alice-gitlab (linked)
All methods log into the same AuthGate account.
- Clarify unverified providers (GitLab, Gitea) sign in only to accounts already holding their connection - Note same-email creation fails on the unique-email constraint rather than making a separate account - Rework the multiple-provider scenario to show verified-email providers, since unverified ones cannot auto-link
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
GitLab OAuth login has been fully implemented and tested in the codebase since PR #70 (provider in
internal/auth/oauth_gitlab.go, config fields, bootstrap registration, login button + tests), but the documentation and.env.examplenever caught up — so operators could not discover or configure it, and some text actively described GitLab as a future addition. This PR closes that documentation/config gap. No code, templates, or tests change..env.exampleand the configuration guide (GITLAB_OAUTH_ENABLED,GITLAB_URL,GITLAB_CLIENT_ID,GITLAB_CLIENT_SECRET,GITLAB_REDIRECT_URL,GITLAB_SCOPES)docs/OAUTH_SETUP.mdREADME.md,CLAUDE.md, and the docs; fix the stale "Easy to add GitLab" linedocs/ARCHITECTURE.md,docs/METRICS.md,docs/USE_CASES.md; fix the OAuth route paths inCLAUDE.md; correct the GitLab application UI path; clarifyread_userreturns the primary email; scopeauth_login_total'sauth_sourcelabel tolocal/http_api; correct the post-login redirect target; and clarify that same-email account linking requires a provider-verified email (GitLab/Gitea are unverified)AI Authorship
~/.claude/plans/support-gitlab-login-ancient-balloon.md).env.example,CLAUDE.md,README.md,docs/ARCHITECTURE.md,docs/CONFIGURATION.md,docs/METRICS.md,docs/OAUTH_SETUP.md,docs/USE_CASES.mdChange classification
Plan reference
Goal: make the already-working GitLab provider a first-class, discoverable, documented option. Operators can find
GITLAB_*settings in.env.example, follow a real GitLab setup section in the docs, and provider lists no longer omit GitLab or describe it as hypothetical. No functional changes. (Plan:~/.claude/plans/support-gitlab-login-ancient-balloon.md.)Verification
GITLAB_URL=https://gitlab.comand default scoperead_usermatchinternal/config/config.goandauth.NewGitLabProvider.go test ./internal/auth/...→ ok (no code touched; GitLab provider tests still pass).grepconfirms every provider list naming GitHub/Gitea/Microsoft now also names GitLab, and no remaining text claims GitLab is unsupported / "to be added".internal/bootstrap/router.go), metric labels (RecordLogin/RecordOAuthCallbackcall sites), redirect target (oauth_handler.go), and email-verified linking gate (internal/services/user.go).go build ./...fails only on the generatedapi(Swagger) package, which requiresmake generatein a fresh worktree — pre-existing and unrelated to this diff.Reviewer manual check: render the docs diff in GitHub preview; confirm the new "GitLab OAuth Setup" section reads consistently with the GitHub/Gitea sections, and that the rewritten "Adding More OAuth Providers" example no longer references built-in GitLab.
Risk & rollback
git revert— content-only commits.Reviewer guide
## GitLab OAuth Setupsection and the rewritten## Adding More OAuth Providerssection indocs/OAUTH_SETUP.md, plus the email-linking and metrics-label clarifications — these are the substantive prose to sanity-check against the implementation (internal/auth/oauth_gitlab.go,internal/bootstrap/oauth.go,internal/services/user.go).README.md,CLAUDE.md,docs/ARCHITECTURE.md,docs/METRICS.md,docs/USE_CASES.md,docs/CONFIGURATION.md, and the.env.exampleblock (mirrors the existing Gitea block).🤖 Generated with Claude Code