Skip to main content


This document details how to use GitLab as an identity provider with Pomerium. It assumes you have already installed Pomerium.


While we do our best to keep our documentation up to date, changes to third-party systems are outside our control. Refer to GitLab as an OAuth 2.0 authentication service provider from GitLab's docs as needed, or let us know if we need to re-visit this page.

Setting up GitLab OAuth2 for your Application

  1. Log in to your GitLab account or create one here. If you're using a self-hosted instance, log in to your custom GitLab domain.

  2. From the User Settings area, select Applications. Create a new application:

    create an application

  3. Add a new application by setting the following parameters:

    NameThe name of your web app
    Redirect URIhttps://${authenticate_service_url}/oauth2/callback
    Scopesopenid, profile, email

    Click Save application.

  4. Your Application ID and Secret will be displayed:

    Gitlab OAuth Client ID and Secret

    Note the ID and Secret to apply in Pomerium's settings.

Pomerium Configuration

Edit your Pomerium configuration to provide the Client ID, secret, and domain (for self-hosted instances):

idp_provider: 'gitlab'
idp_client_id: 'REDACTED' # gitlab application ID
idp_client_secret: 'REDACTED' # gitlab application secret

Self-Hosted GitLab

Self-hosted CE/EE instances should be configured as a generic OpenID Connect provider:

idp_provider: oidc
idp_client_id: 'REDACTED'
idp_client_secret: 'REDACTED'
idp_scopes: openid,profile,email
idp_provider_url: # Base URL of GitLab instance

When a user first uses Pomerium to login, they are presented with an authorization screen:

gitlab access authorization screen

Custom Claim (Open Source)

Unfortunately, Gitlab does not support OpenID Connect, and does not support custom identity (id_token) group claims.