AuthenticationOAuth providers
GitLab
Sign in with GitLab accounts, including self-hosted instances.
Get credentials
Create an application
For gitlab.com: Go to gitlab.com/-/profile/applications.
For a self-hosted instance: Go to your instance URL, then User Settings > Applications.
- Name: your app name
- Redirect URI:
https://auth.example.com/auth/oauth/gitlab/callback - Scopes: check
read_userandemail
Copy credentials
After saving, copy the Application ID and Secret.
Configuration
import { createKavach } from '@kavachos/core';
import { oauth } from '@kavachos/core/plugins/oauth';
const kavach = await createKavach({
database: { provider: 'postgres', url: process.env.DATABASE_URL! },
secret: process.env.KAVACH_SECRET!,
baseUrl: 'https://auth.example.com',
plugins: [
oauth({
providers: [
{
id: 'gitlab',
clientId: process.env.GITLAB_CLIENT_ID!,
clientSecret: process.env.GITLAB_CLIENT_SECRET!,
},
],
}),
],
});oauth({
providers: [
{
id: 'gitlab',
clientId: process.env.GITLAB_CLIENT_ID!,
clientSecret: process.env.GITLAB_CLIENT_SECRET!,
// Point to your GitLab instance
authorizationUrl: 'https://gitlab.yourcompany.com/oauth/authorize',
tokenUrl: 'https://gitlab.yourcompany.com/oauth/token',
userInfoUrl: 'https://gitlab.yourcompany.com/api/v4/user',
},
],
})GITLAB_CLIENT_ID=...
GITLAB_CLIENT_SECRET=...Scopes
Default scopes: read_user email
| Scope | What it unlocks |
|---|---|
read_user | Read the user's profile |
email | Read the user's primary email |
read_api | Read access to the API |
read_repository | Read repository data |
User data returned
| Field | Source | Notes |
|---|---|---|
id | id field | Stable numeric GitLab user ID |
email | email field | Primary email |
name | name field | Display name |
image | avatar_url field | Profile picture URL |
For self-hosted GitLab instances, make sure your KavachOS server can reach the GitLab API. If you are behind a VPN or firewall, the token exchange and user info calls will fail if the instance is not reachable from your server.