This proxy lets apps expecting a GitLab OAuth interface (e.g. Plane) authenticate users via Authentik using GitLab-compatible endpoints.
- Stateless, lightweight Rust implementation
- Minimal Docker image (scratch)
- Multi-arch builds (AMD64, ARM64) via GHCR
- Passes through Authentik tokens/userinfo as-is
- /oauth/authorize: Redirects to Authentik's authorize endpoint.
- /oauth/token: Exchanges code for Authentik tokens.
- /api/v4/user: Returns user info in GitLab schema (from Authentik).
Set the following environment variables:
AUTHENTIK_URL=https://auth.example.com/application/o-
Add an OAuth2 application:
- Redirect URIs: https://your.plane.instance/auth/gitlab/callback/
- Scopes: openid email profile
- Response type: code
- Grant type: authorization_code
- Client type: confidential
Attributes:
- Ensure these are included in the userinfo response (can be mapped in Authentik):
  - sub (unique user id)
  - email
  - name
  - avatar_url (custom attribute, if desired)
  - family_name (optional)
Customize userinfo response:
- In Authentik, go to your application > "User info attributes"
- Add mappings as needed:
  sub: user.id
  email: user.email
  name: user.name
  avatar_url: user.avatar_url # If available
  family_name: user.family_name # If available
- Save and test the userinfo endpoint
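One way to carry out the "test the userinfo endpoint" step is to check a captured userinfo response body for the claims listed above. This is an added example, not part of the proxy or of Authentik; the function name, the sample bodies, and the type and format rules (numeric `sub` accepted, `avatar_url` must be an http(s) URL) are assumptions made for illustration.

```python
import json
from urllib.parse import urlparse

# Optional claims taken from the attribute list in this README.
OPTIONAL = ("avatar_url", "family_name")

# Constructed sample bodies (not real Authentik output).
SAMPLE_OK = ('{"sub": "42", "email": "alice@example.com", "name": "Alice Example",'
             ' "avatar_url": "https://auth.example.com/media/alice.png"}')
SAMPLE_BAD = '{"sub": "", "email": "alice", "avatar_url": "avatar.png"}'


def _nonempty_str(value) -> bool:
    return isinstance(value, str) and value.strip() != ""


def check_userinfo(body: str) -> list:
    """Return a list of problems in a userinfo JSON body (empty list = OK)."""
    try:
        claims = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(claims, dict):
        return ["userinfo must be a JSON object"]

    problems = []
    sub = claims.get("sub")
    # Assumption: a numeric sub is tolerated because the mapping uses user.id.
    numeric_sub = isinstance(sub, int) and not isinstance(sub, bool)
    if not (_nonempty_str(sub) or numeric_sub):
        problems.append("sub: missing or empty")
    for key in ("email", "name"):
        if not _nonempty_str(claims.get(key)):
            problems.append(f"{key}: missing or empty")
    email = claims.get("email")
    if _nonempty_str(email) and email.count("@") != 1:
        problems.append("email: expected exactly one '@'")
    for key in OPTIONAL:
        # Optional claims may be absent, but a mapped-yet-empty value is a misconfiguration.
        if key in claims and not _nonempty_str(claims[key]):
            problems.append(f"{key}: present but empty")
    avatar = claims.get("avatar_url")
    if _nonempty_str(avatar):
        url = urlparse(avatar)
        if url.scheme not in ("http", "https") or not url.netloc:
            problems.append("avatar_url: not an http(s) URL")
    return problems


if __name__ == "__main__":
    for label, body in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_userinfo(body))
```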
Or pull from GHCR (after first pipeline run):
docker pull ghcr.io/smeetsee/authentik-gitlab-proxy:latest
Add a Traefik router/service for /oauth/* and /api/v4/user.
- This proxy does minimal transformation, relying on Authentik for token/userinfo logic.
- For advanced claim mapping, refer to Authentik’s documentation.