diff --git a/knowledge base/gitlab/README.md b/knowledge base/gitlab/README.md
index 44737e4..59173cd 100644
--- a/knowledge base/gitlab/README.md
+++ b/knowledge base/gitlab/README.md
@@ -17,6 +17,7 @@
1. [Artifacts](#artifacts)
1. [Default artifacts expiration](#default-artifacts-expiration)
1. [Keep the latest artifacts for all jobs in the latest successful pipelines](#keep-the-latest-artifacts-for-all-jobs-in-the-latest-successful-pipelines)
+1. [Login via Google, Github or other services](#login-via-google-github-or-other-services)
1. [Troubleshooting](#troubleshooting)
1. [Use access tokens to clone projects](#use-access-tokens-to-clone-projects)
1. [GitLab keeps answering with code 502](#gitlab-keeps-answering-with-code-502)
@@ -784,6 +785,50 @@ in the latest successful pipelines_.
When disabling this feature, the latest artifacts do **not** immediately expire.
A new pipeline must run before the latest artifacts can expire and be deleted.
+## Login via Google, Github or other services
+
+Refer [OmniAuth].
+See also [Password authentication enabled] to disable authentication via local user.
+
+Users can sign in a GitLab server by using their credentials from Google, GitHub, and other popular services.
+
+GitLab uses the _OmniAuth_ Rack framework to provide this kind of integration.
+
+When configured, additional sign-in options are displayed on the sign-in page.
+
+When configuring an OmniAuth provider, one should also configure the settings that are common for all providers.
+Changes to those values will have **no** effect until the provider they reference is effectively configured.
+
+
+ Settings of interest
+
+| Option | Summary |
+| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `allow_single_sign_on` | When `true`, automatically creates GitLab accounts when signing in with OmniAuth.
When `false`, a GitLab account must be created first.
When an array, limit for what providers to act as it if was `true`. |
+| `auto_link_user` | Automatically link existing GitLab users to an OmniAuth provider if their emails match when authenticating through the provider.
Does **not** work with SAML. |
+| `block_auto_created_users` | When `true`, GitLab puts automatically-created users in a pending approval state until they are approved by an administrator.
In this state, users are unable to sign in. |
+| `enabled` | When `true`, enable usage of OmniAuth providers. |
+| `external_providers` | Define which OmniAuth providers will **not** grant access to _internal_ GitLab projects. |
+| `providers` | What providers to enable. |
+
+```rb
+gitlab_rails['omniauth_enabled'] = true
+gitlab_rails['omniauth_allow_single_sign_on'] = ['saml', 'google_oauth2']
+gitlab_rails['omniauth_block_auto_created_users'] = true
+gitlab_rails['omniauth_auto_link_user'] = ['google_oauth2', 'openid_connect']
+gitlab_rails['omniauth_allow_bypass_two_factor'] = ['google_oauth2']
+gitlab_rails['omniauth_sync_profile_from_provider'] = ['google_oauth2']
+gitlab_rails['omniauth_external_providers'] = ['saml']
+gitlab_rails['omniauth_providers'] = [{
+ name: 'google_oauth2',
+ app_id: '012345678901-abcdefghijklmnopqrstuvwxyz012345.apps.googleusercontent.com',
+ app_secret: 'GOCSPX-something',
+ args: { access_type: 'offline', approval_prompt: '' }
+}]
+```
+
+
+
## Troubleshooting
### Use access tokens to clone projects
@@ -905,9 +950,11 @@ Solution: set the correct ownership with
[install self-managed gitlab]: https://about.gitlab.com/install
[merge request approval rules]: https://docs.gitlab.com/ee/user/project/merge_requests/approvals/rules.html
[minimal minikube example values file]: https://gitlab.com/gitlab-org/charts/gitlab/-/blob/master/examples/values-minikube-minimum.yaml
+[OmniAuth]: https://docs.gitlab.com/integration/omniauth/
[operator code]: https://gitlab.com/gitlab-org/cloud-native/gitlab-operator
[operator guide]: https://docs.gitlab.com/operator/
[package configuration file template]: https://gitlab.com/gitlab-org/omnibus-gitlab/-/raw/master/files/gitlab-config-template/gitlab.rb.template
+[Password authentication enabled]: https://gitlab.com/help/administration/settings/sign_in_restrictions.md#password-authentication-enabled
[reset a user's password]: https://docs.gitlab.com/ee/security/reset_user_password.html
[restore gitlab]: https://docs.gitlab.com/ee/administration/backup_restore/restore_gitlab.html
[runners on kubernetes]: https://docs.gitlab.com/runner/install/kubernetes.html
diff --git a/knowledge base/oauth2.md b/knowledge base/oauth2.md
index 830ab50..7a14fc5 100644
--- a/knowledge base/oauth2.md
+++ b/knowledge base/oauth2.md
@@ -48,6 +48,35 @@ Intro
Refer [Setting up OAuth 2.0].
+> [!caution]
+> Google does **not** accept raw IP addresses.
+> Make sure the application is configured to use a fully-qualified domain name.
+
+1. Go to the _Clients_ part of the Google Auth Platform console.
+ [Direct link](https://console.cloud.google.com/auth/clients).
+1. In the upper-left corner, select a Google Cloud project if none is already.
+1. Select the _Create client_ button on top of the middle section.
+1. Complete the fields.
+
+
+ Example: GitLab
+
+ ```yml
+ Application type: Web application
+ Name: GitLab
+ Authorized JavaScript origins: https://gitlab.example.org
+ Authorized redirect URIs: # the domain name, followed by the callback URIs; add one at a time
+ https://gitlab.example.org/users/auth/google_oauth2/callback
+ https://gitlab.example.org/-/google_api/auth/callback
+ ```
+
+
+
+1. Select the _Create_ button.
+ A window will pop up with the client ID and client secret.
+1. Note the client ID and secret down or download the JSON.
+1. Configure the application as appropriate.
+
## Further readings
- [Website]