# GitLab

You can delegate authentication to GitLab using a dedicated GitLab OAuth application.

### Creating a GitLab OAuth app <a href="#creating-a-gitlab-oauth-app" id="creating-a-gitlab-oauth-app"></a>

You can find general instructions for creating a GitLab OAuth app [here](https://docs.gitlab.com/ee/integration/oauth_provider.html).

Specify the following settings in your OAuth app:

* **Name**: Your app’s name, such as SonarQube.
* **Redirect URL**: `<Your SonarQube URL>/oauth2/callback/gitlab`. For example, `https://sonarqube.mycompany.com/oauth2/callback/gitlab`.
* **Scopes**: Select **api** and **read\_user**.

After saving your application, GitLab takes you to the app’s page. Here you find your **Application ID** and **Secret**.

### Setting your authentication settings in SonarQube <a href="#setting-your-authentication-settings-in-sonarqube" id="setting-your-authentication-settings-in-sonarqube"></a>

* **Enabled**: Set to true.
* **GitLab URL**: <https://gitlab.com> for the cloud version of GitLab; otherwise, the URL of your self-hosted GitLab server.
* **Application ID**: The application ID is found on your GitLab app’s page.
* **Secret**: The secret is found on your GitLab app’s page.
* **Allow users to sign up**: Enable to allow new users to authenticate. When disabled, only existing users will be able to authenticate to the server.
* **Allowed groups**: Restricts the users allowed on SonarQube to certain GitLab groups. Only members of these groups (and sub-groups) will be allowed to authenticate. Enter the group slug as it appears in the GitLab URL. For instance, if the group URL is `https://gitlab.com/my-gitlab-group`, enter `my-gitlab-group`.

{% hint style="warning" %}
If **Allowed groups** is left empty, any user with a GitLab account can log in to the SonarQube instance (assuming **Allow users to sign up** is set to true).
{% endhint %}

* **Synchronize user groups**: For each GitLab group they belong to, users will be assigned to a group with the same name (if it exists) in SonarQube.\
  On SonarQube, groups you want to synchronize must be named according to their GitLab URL:
  * `https://gitlab.com/my-gitlab-group` → `my-gitlab-group`
  * `https://gitlab.com/my-gitlab-group/sub-group` → `my-gitlab-group/sub-group`

{% hint style="info" %}
When group synchronization is configured, the delegated authentication source becomes the only place to manage group membership, and the user’s groups are re-fetched with each login. It is not possible to use both manual group memberships and group synchronization (via your ALM integration) for the same user.
{% endhint %}
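The sketch below models the **Allow users to sign up**, **Allowed groups** and **Synchronize user groups** rules described above, so you can check a planned configuration against sample users before applying it. It is an added example, not SonarQube code: the function names are hypothetical, the sample data is constructed, and exact, case-sensitive comparison of group paths is an assumption.

```python
from urllib.parse import urlparse

def group_slug(group_url, gitlab_url="https://gitlab.com"):
    """Value to enter in SonarQube for a GitLab group URL."""
    base, url = urlparse(gitlab_url), urlparse(group_url)
    if (url.scheme, url.netloc) != (base.scheme, base.netloc):
        raise ValueError(f"{group_url!r} is not hosted on {gitlab_url!r}")
    # A self-hosted GitLab may be served under a path prefix; drop it.
    base_path = base.path.rstrip("/")
    slug = url.path[len(base_path):].strip("/")
    if not url.path.startswith(base_path + "/") or not slug:
        raise ValueError(f"{group_url!r} has no group path under {gitlab_url!r}")
    return slug

def in_group(allowed, user_group):
    """True when user_group is `allowed` itself or one of its sub-groups."""
    # Compare on the "/" boundary so "my-gitlab-group-2" is not treated as
    # a sub-group of "my-gitlab-group".
    return user_group == allowed or user_group.startswith(allowed + "/")

def evaluate_login(user_groups, allowed_groups, sonarqube_groups,
                   allow_sign_up=True, existing_user=False):
    """Return (allowed, reason, synced_groups) for one login attempt."""
    if not existing_user and not allow_sign_up:
        return False, "sign-up disabled and user does not exist", []
    if allowed_groups and not any(
            in_group(a, g) for a in allowed_groups for g in user_groups):
        return False, "not a member of any allowed group", []
    reason = "ok"
    if not allowed_groups:
        reason = "ok (no allowed groups set: any GitLab account may log in)"
    # Group synchronization: only same-named SonarQube groups are assigned.
    synced = sorted(g for g in user_groups if g in sonarqube_groups)
    return True, reason, synced

if __name__ == "__main__":
    # Constructed sample data.
    allowed = [group_slug("https://gitlab.com/my-gitlab-group")]
    sq_groups = {"my-gitlab-group", "my-gitlab-group/sub-group"}
    for groups in (["my-gitlab-group/sub-group"], ["my-gitlab-group-2"]):
        print(groups, evaluate_login(groups, allowed, sq_groups))
```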
