Rundeck CE with OAuth

25 Jul 2024

As you may know, the official OAuth integration is only available in the Enterprise version of Rundeck, but there is a workaround: Rundeck CE supports pre-authenticated (preauth) headers, and those headers can be supplied by OAuth2-Proxy together with NginX. I built a Docker container that can be configured with the necessary settings and starts Rundeck with OAuth2.

Example with GitLab as OAuth Provider

  1. Create a user-owned, group-owned or instance-wide application
    (screenshot: GitLab application) You need to save the Application ID (used as RUNDECK_OAUTH_CLIENT_ID) and the Secret (used as RUNDECK_OAUTH_CLIENT_SECRET). The Callback URL should be your RUNDECK_GRAILS_URL plus "/oauth2/callback". The Callback URL can be changed at any time; set it to localhost only for local testing.
    The following scopes need to be set:
    • api (Access the API on your behalf)
    • read_api (Read API)
    • read_user (Read your personal information)
    • openid (Authenticate using OpenID Connect)
    • profile (Allows read-only access to the user's personal information using OpenID Connect)
    • email (Allows read-only access to the user's primary email address using OpenID Connect)
  2. You can generate the RUNDECK_OAUTH_COOKIE_SECRET yourself with
    python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'

    as described in the OAuth2-Proxy documentation; OAuth2-Proxy uses this secret to secure the session cookie.

  3. The RUNDECK_OAUTH_OIDC_URL is your GitLab URL including the protocol, for example https://gitlab.my-organisation.com
  4. For RUNDECK_OAUTH_ADMIN_GROUP you need to use a GitLab group of which your user is a member. Only this group receives admin privileges; if your user is not part of it, you can't do anything in Rundeck.
  5. Now start the container with
    docker run -it --rm --name rundeck-oauth -p 8080:80 \
    -e RUNDECK_GRAILS_URL=http://localhost:8080 \
    -e RUNDECK_PREAUTH_ENABLED=true \
    -e RUNDECK_OAUTH_CLIENT_ID="xxxxxx" \
    -e RUNDECK_OAUTH_CLIENT_SECRET="gloas-xxxxxx" \
    -e RUNDECK_OAUTH_COOKIE_SECRET="xxxxx" \
    -e RUNDECK_OAUTH_OIDC_URL="https://gitlab.my-organisation.com" \
    -e RUNDECK_OAUTH_ADMIN_GROUP="rundeck" \
    ghcr.io/geraldhansen/rundeck-oauth
  6. If you open your browser now on http://localhost:8080 you should see the GitLab login option
    (screenshot: Sign in with GitLab) There you need to authorize your local Rundeck
    (screenshot: Authorize Rundeck OAuth login) Finally you should see your Rundeck web interface
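To show what the preauth-header wiring looks like outside the container, here is an added NginX configuration following the OAuth2-Proxy auth_request pattern. It is an illustration written for this post, not the configuration shipped in the image; the ports (4180 for OAuth2-Proxy, 4440 for Rundeck) and the header names X-Forwarded-User and X-Forwarded-Roles are assumptions that have to match Rundeck's preauth settings (RUNDECK_PREAUTH_USERNAME_HEADER and RUNDECK_PREAUTH_ROLES_HEADER in the official Rundeck image).

```nginx
# Added illustration (not the image's shipped config): NginX in front of
# OAuth2-Proxy (assumed on 127.0.0.1:4180, started with --set-xauthrequest)
# and Rundeck CE (assumed on 127.0.0.1:4440). Rundeck must listen on
# localhost only, so the preauth headers can never arrive from anywhere
# but this proxy.
server {
    listen 80;
    server_name _;

    # OAuth2-Proxy endpoints: /oauth2/start, /oauth2/callback, /oauth2/sign_out
    location /oauth2/ {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-Uri $request_uri;
    }

    # Sub-request used by auth_request: 202 when the session cookie is
    # valid, 401 otherwise. Never reachable directly from a client.
    location = /oauth2/auth {
        internal;
        proxy_pass              http://127.0.0.1:4180;
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-Uri $request_uri;
        proxy_set_header        Content-Length  "";
        proxy_pass_request_body off;
    }

    location / {
        auth_request /oauth2/auth;
        # Unauthenticated browsers are sent into the GitLab login flow
        error_page 401 = /oauth2/start?rd=$scheme://$host$request_uri;

        # Identity as asserted by OAuth2-Proxy after validating the cookie
        auth_request_set $oauth_user   $upstream_http_x_auth_request_user;
        auth_request_set $oauth_groups $upstream_http_x_auth_request_groups;

        # Always overwrite the preauth headers (assumed names). proxy_set_header
        # replaces any same-named header the client sent, so a forged
        # X-Forwarded-User from outside never reaches Rundeck.
        proxy_set_header X-Forwarded-User  $oauth_user;
        proxy_set_header X-Forwarded-Roles $oauth_groups;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:4440;
    }
}
```

OAuth2-Proxy joins group names with a comma, which matches Rundeck's default preauth role delimiter; the group you pass as RUNDECK_OAUTH_ADMIN_GROUP then has to be mapped to admin in the Rundeck ACL policy.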