GitLab as OpenID Connect identity provider

doc/integration/openid_connect_provider.md


{{< details >}}

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

{{< /details >}}

You can use GitLab as an OpenID Connect (OIDC) identity provider to access other services. OIDC is an identity layer that performs many of the same tasks as OpenID 2.0, but is API-friendly and usable by native and mobile applications.

Clients can use OIDC to:

  • Verify the identity of an end-user based on the authentication performed by GitLab.
  • Obtain basic profile information about the end-user in an interoperable and REST-like manner.

You can use OmniAuth::OpenIDConnect for Rails applications and there are many other available client implementations.

GitLab uses the doorkeeper-openid_connect gem to provide OIDC service. For more information, see the doorkeeper-openid_connect repository.

Enable OIDC for OAuth applications

To enable OIDC for an OAuth application, you need to select the openid scope in the application settings. For more information, see Configure GitLab as an OAuth 2.0 authentication identity provider.

Settings discovery

If your client can import OIDC settings from a discovery URL, GitLab provides endpoints to access this information:

  • For GitLab.com, use https://gitlab.com/.well-known/openid-configuration.
  • For GitLab Self-Managed, use https://<your-gitlab-instance>/.well-known/openid-configuration.
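As an added example (not code from the GitLab documentation or from the doorkeeper-openid_connect project), the following Ruby shows what a relying party should check in a discovery document before using any of its endpoints: the issuer must match the instance the client was configured for, every endpoint must be HTTPS on that instance's host, and the openid scope must be advertised. The sample document, the gitlab.example.com host and the function names are constructed placeholders.

```ruby
require 'json'
require 'uri'

# Builds the discovery URL for a GitLab instance, following the list above.
def discovery_url_for(instance_url)
  "#{instance_url.chomp('/')}/.well-known/openid-configuration"
end

# Keys a client needs before it can start an Authorization Code flow.
REQUIRED_KEYS = %w[issuer authorization_endpoint token_endpoint userinfo_endpoint jwks_uri].freeze

# Constructed sample in the shape of an OIDC discovery document for a
# hypothetical self-managed instance (gitlab.example.com is a placeholder);
# it is not a captured response from any real instance.
SAMPLE_DISCOVERY = <<~JSON
  {
    "issuer": "https://gitlab.example.com",
    "authorization_endpoint": "https://gitlab.example.com/oauth/authorize",
    "token_endpoint": "https://gitlab.example.com/oauth/token",
    "userinfo_endpoint": "https://gitlab.example.com/oauth/userinfo",
    "jwks_uri": "https://gitlab.example.com/oauth/discovery/keys",
    "scopes_supported": ["openid", "profile", "email"],
    "response_types_supported": ["code"],
    "id_token_signing_alg_values_supported": ["RS256"]
  }
JSON

# Parses a discovery document and checks it against the issuer the client was
# configured with. Returns a Hash of endpoint name => URI, or raises ArgumentError.
def validate_discovery(json, expected_issuer)
  doc = JSON.parse(json)

  missing = REQUIRED_KEYS.reject { |key| doc.key?(key) }
  raise ArgumentError, "discovery document is missing #{missing.join(', ')}" unless missing.empty?

  # OIDC Discovery requires the issuer in the document to match the configured
  # issuer exactly (same scheme, host and path, no trailing slash).
  unless doc['issuer'] == expected_issuer
    raise ArgumentError, "issuer #{doc['issuer']} does not match #{expected_issuer}"
  end

  issuer = URI.parse(expected_issuer)
  endpoints = REQUIRED_KEYS.drop(1).to_h do |key|
    uri = URI.parse(doc[key])
    # Every endpoint must be HTTPS and live on the issuer's host, so that a
    # tampered or mis-served document cannot send codes or tokens elsewhere.
    unless uri.scheme == 'https' && uri.host == issuer.host
      raise ArgumentError, "#{key} #{doc[key]} is not an https URL on #{issuer.host}"
    end
    [key, uri]
  end

  # Without the openid scope the provider cannot issue ID tokens at all.
  unless Array(doc['scopes_supported']).include?('openid')
    raise ArgumentError, 'provider does not advertise the openid scope'
  end

  endpoints
end

if __FILE__ == $PROGRAM_NAME
  endpoints = validate_discovery(SAMPLE_DISCOVERY, 'https://gitlab.example.com')
  endpoints.each { |name, uri| puts "#{name}: #{uri}" }
end
```

In a real client the document would be fetched over TLS from the URL returned by discovery_url_for and cached; the checks above are what keeps a client from trusting endpoints that point somewhere other than the instance it was configured for.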

Shared information

The following user information is shared with clients:

| Claim | Type | Description | Included in ID Token | Included in userinfo endpoint |
|-------|------|-------------|----------------------|-------------------------------|
| sub | string | The ID of the user | {{< yes >}} | {{< yes >}} |
| auth_time | integer | The timestamp for the user's last authentication | {{< yes >}} | {{< no >}} |
| name | string | The user's full name | {{< yes >}} | {{< yes >}} |
| nickname | string | The user's GitLab username | {{< yes >}} | {{< yes >}} |
| preferred_username | string | The user's GitLab username | {{< yes >}} | {{< yes >}} |
| email | string | The user's primary email address | {{< yes >}} | {{< yes >}} |
| email_verified | boolean | Whether the user's email address is verified | {{< yes >}} | {{< yes >}} |
| website | string | URL for the user's website | {{< yes >}} | {{< yes >}} |
| profile | string | URL for the user's GitLab profile | {{< yes >}} | {{< yes >}} |
| picture | string | URL for the user's GitLab avatar | {{< yes >}} | {{< yes >}} |
| groups | array | Paths for the groups the user is a member of, either directly or through an ancestor group | {{< no >}} | {{< yes >}} |
| groups_direct | array | Paths for the groups the user is a direct member of | {{< yes >}} | {{< no >}} |
| https://gitlab.org/claims/groups/owner | array | Names of the groups the user is a direct member of with the Owner role | {{< no >}} | {{< yes >}} |
| https://gitlab.org/claims/groups/maintainer | array | Names of the groups the user is a direct member of with the Maintainer role | {{< no >}} | {{< yes >}} |
| https://gitlab.org/claims/groups/developer | array | Names of the groups the user is a direct member of with the Developer role | {{< no >}} | {{< yes >}} |

The claims email and email_verified are included only if the application has access to the email scope and the user's public email address. All other claims are available from the /oauth/userinfo endpoint used by OIDC clients.
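As an added example (not code from the GitLab documentation or from the doorkeeper-openid_connect project), the following Ruby shows how a relying party consumes the claims in the table: it validates the ID token's iss, aud, exp, nonce and auth_time claims, uses the email only when email_verified is true, and merges the token with the userinfo response, because the inherited groups claim and the role claims are only delivered there. The claims hashes are constructed samples; the issuer, client ID, nonce, timestamps and group names are placeholders, and the token's signature is assumed to have already been verified against the provider's jwks_uri.

```ruby
# Custom claim names, spelled exactly as in the table above.
OWNER_CLAIM      = 'https://gitlab.org/claims/groups/owner'.freeze
MAINTAINER_CLAIM = 'https://gitlab.org/claims/groups/maintainer'.freeze
DEVELOPER_CLAIM  = 'https://gitlab.org/claims/groups/developer'.freeze

# Constructed sample claims, shaped like the payload of a GitLab ID token once
# the client has verified its signature against jwks_uri (signature checking is
# not shown here). Issuer, client ID, nonce, timestamps and groups are placeholders.
SAMPLE_ID_TOKEN = {
  'iss' => 'https://gitlab.example.com',
  'sub' => '42',
  'aud' => 'client-id-placeholder',
  'exp' => 1_700_003_600,
  'iat' => 1_700_000_000,
  'auth_time' => 1_699_999_900,
  'nonce' => 'nonce-placeholder',
  'name' => 'Example User',
  'nickname' => 'example_user',
  'preferred_username' => 'example_user',
  'email' => 'user@example.com',
  'email_verified' => true,
  'groups_direct' => ['platform', 'platform/infra']
}.freeze

# Constructed sample userinfo response for the same user. "groups" carries
# paths, including membership inherited from an ancestor group, while the role
# claims carry group names, as the table describes.
SAMPLE_USERINFO = {
  'sub' => '42',
  'groups' => ['platform', 'platform/infra', 'platform/infra/oncall'],
  OWNER_CLAIM => ['platform'],
  MAINTAINER_CLAIM => [],
  DEVELOPER_CLAIM => ['infra']
}.freeze

# Checks the claims every relying party must validate before trusting an ID
# token. Returns true, or raises with the first failed check.
def validate_id_token(claims, issuer:, client_id:, nonce:, now:, max_age: nil)
  raise 'issuer mismatch' unless claims['iss'] == issuer
  # aud may be a string or an array; this client's ID must be among the audiences.
  raise 'token not issued for this client' unless Array(claims['aud']).include?(client_id)
  raise 'token expired' unless claims['exp'].is_a?(Integer) && now < claims['exp']
  # The nonce ties the token to the authorization request that started the flow.
  raise 'nonce mismatch' unless nonce && claims['nonce'] == nonce
  if max_age
    # auth_time is only in the ID token (not userinfo), so re-authentication
    # age has to be enforced here.
    raise 'auth_time missing' unless claims['auth_time'].is_a?(Integer)
    raise 'authentication too old' if now - claims['auth_time'] > max_age
  end
  true
end

# Merges the ID token with the userinfo response. The two must describe the
# same subject; inherited group membership arrives only through userinfo.
def build_profile(id_token, userinfo)
  raise 'userinfo sub does not match ID token' unless userinfo['sub'] == id_token['sub']
  {
    sub: id_token['sub'],
    username: id_token['preferred_username'],
    # Use the address only when GitLab marks it verified.
    email: id_token['email_verified'] == true ? id_token['email'] : nil,
    direct_groups: Array(id_token['groups_direct']),
    all_groups: Array(userinfo['groups'])
  }
end

# Highest role the user holds directly in a group, looked up by group name
# in the userinfo role claims; nil when the user holds none of the three.
def highest_role(userinfo, group_name)
  return :owner      if Array(userinfo[OWNER_CLAIM]).include?(group_name)
  return :maintainer if Array(userinfo[MAINTAINER_CLAIM]).include?(group_name)
  return :developer  if Array(userinfo[DEVELOPER_CLAIM]).include?(group_name)
  nil
end
```

The sub comparison in build_profile matters because the userinfo call is a separate request authorized by the access token; binding it to the ID token's subject prevents a mix-up between two sessions from granting one user another's group roles.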