Teleport Enterprise OIDC with gitlab self-hosted

A self-hosted gitlab instance can be used as the oidc provider for teleport as follows.

On the gitlab side, as a gitlab admin, create an application with the settings below. Be sure to change the domain portion of the callback URL to the hostname and port where your teleport web proxy component is listening.

Callback URL : https://teleport.example.com:3080/v1/webapi/oidc/callback
Trusted : N
Confidential : Y
Scopes : openid, email

Note the client id and secret. Below is an example of the yaml connector to use (see OAuth2 and OIDC authentication for SSH for more details). The major difference between the oidc example in the docs and what gitlab needs is the prompt: '' setting. By default, teleport sends the optional oidc prompt parameter; gitlab will return an error unless it is set to a blank string.

For the claim mapping, gitlab lists its supported claims in its documentation (GitLab as OpenID Connect identity provider), and a few examples are included in the connector below. Be sure to set your own claim mapping, client secret, client id, and gitlab issuer URL.

# OIDC connector for a self-hosted gitlab instance.
#
kind: oidc
version: v2
metadata:
  name: gitlab
spec:
  redirect_url: "https://teleport.example.com:3080/v1/webapi/oidc/callback"
  client_id: 54c54e202f85dfc5e86fd8214503592d50ae96cf7bef26d06917ddeb5b7e79f5
  # Connector display name that will be appended to the title of the "Login with"
  # button on the cluster login screen, so it will say "Login with Gitlab".
  display: Gitlab
  client_secret: 6a5b6ddcade7f2a7305e24a16829ac6db2c100cb6b179aa381e9952d6867911f

  # The root of the self-hosted gitlab installation.
  issuer_url: https://gitlab.example.com

  # By default, teleport sends the optional oidc prompt parameter.
  # Gitlab does not accept it, so it must be set to an empty string here,
  # otherwise gitlab will return an error.
  prompt: ''
  # Here are three examples of mapping information from gitlab to teleport roles.
  # Gitlab documents its supported oidc claims here:
  # https://docs.gitlab.com/ee/integration/openid_connect_provider.html#shared-information
  # The roles must exist in teleport, or a login attempt will fail with an error.
  claims_to_roles:
    - {claim: "email", value: "bob@example.com", roles: ["admin"]}
    - {claim: "nickname", value: "sally99", roles: ["admin"]}
    - {claim: "groups", value: "developers", roles: ["developers", "qa"]}
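To dry-run the connector above before applying it, here is an added example (not from the original post or from Teleport itself). It checks the gitlab-specific pitfalls described above (prompt must be '', redirect_url must equal the callback registered in gitlab, every mapped role must exist) and applies claims_to_roles to a constructed id_token claim set using a simplified model of teleport's matching: a string claim must equal value, a list claim such as groups matches when any element equals value. The spec is embedded as a dict so no yaml library is assumed.

```python
# Added example: dry-run a teleport oidc connector spec for self-hosted gitlab.
# Connector values are those from the post above; claim sets are constructed.
CONNECTOR = {
    "redirect_url": "https://teleport.example.com:3080/v1/webapi/oidc/callback",
    "issuer_url": "https://gitlab.example.com",
    "prompt": "",
    "claims_to_roles": [
        {"claim": "email", "value": "bob@example.com", "roles": ["admin"]},
        {"claim": "nickname", "value": "sally99", "roles": ["admin"]},
        {"claim": "groups", "value": "developers", "roles": ["developers", "qa"]},
    ],
}


def check_connector(spec, gitlab_callback_url, known_roles):
    """Return a list of problems; an empty list means the spec looks deployable."""
    problems = []
    prompt = spec.get("prompt")
    if prompt is None:
        problems.append("prompt unset: teleport will send its default prompt and "
                        "gitlab rejects it; set prompt: ''")
    elif prompt != "":
        problems.append(f"prompt is {prompt!r}: gitlab only accepts an empty string")
    if spec.get("redirect_url") != gitlab_callback_url:
        problems.append("redirect_url differs from the callback URL registered in gitlab")
    if not str(spec.get("issuer_url", "")).startswith("https://"):
        problems.append("issuer_url must be the https root of the gitlab install")
    for rule in spec.get("claims_to_roles", []):
        for role in rule["roles"]:
            if role not in known_roles:
                problems.append(f"role {role!r} (claim {rule['claim']}) does not exist")
    return problems


def map_claims_to_roles(spec, claims):
    """Simplified model of claims_to_roles: exact match on a string claim,
    membership on a list claim. Returns the sorted set of granted roles."""
    roles = set()
    for rule in spec["claims_to_roles"]:
        got = claims.get(rule["claim"])
        candidates = got if isinstance(got, list) else [got]
        if rule["value"] in candidates:
            roles.update(rule["roles"])
    return sorted(roles)


if __name__ == "__main__":
    cb = "https://teleport.example.com:3080/v1/webapi/oidc/callback"
    print(check_connector(CONNECTOR, cb, {"admin", "developers", "qa"}))
    print(map_claims_to_roles(CONNECTOR, {"email": "sally@example.com",
                                         "nickname": "sally99",
                                         "groups": ["developers", "ops"]}))
```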