GitLab as OpenID Connect identity provider

This document is about using GitLab as an OpenID Connect identity provider to sign in to other services.

Introduction to OpenID Connect

OpenID Connect (OIDC) is a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to:

  • Verify the identity of the end-user based on the authentication performed by GitLab.
  • Obtain basic profile information about the end-user in an interoperable and REST-like manner.

OIDC performs many of the same tasks as OpenID 2.0, but is API-friendly and usable by native and mobile applications.

On the client side, you can use OmniAuth::OpenIDConnect for Rails applications, or any of the other available client implementations.

The GitLab implementation uses the doorkeeper-openid_connect gem; refer to its README for details about which parts of the specification are supported.

Enabling OpenID Connect for OAuth applications

Refer to the OAuth guide for basic information on how to set up OAuth applications in GitLab. To enable OIDC for an application, all you have to do is select the openid scope in the application settings.

Settings discovery

If your client allows importing OIDC settings from a discovery URL, you can use the following URL to automatically find the correct settings for GitLab.com:

https://gitlab.com/.well-known/openid-configuration

For a self-managed instance, replace gitlab.com with that instance's host; the /.well-known/openid-configuration path is the same. The discovery document gives the client the issuer value, the authorization, token and userinfo endpoints, and the jwks_uri from which the token-signing public keys are fetched.
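To show what a client does with the discovery data, the following is an added example in Ruby (it is not GitLab's or doorkeeper-openid_connect's code): it validates an RS256-signed ID token against a JWKS of the kind published at the discovery document's jwks_uri, checking signature, alg, iss, aud, exp and nonce before trusting any claim. The issuer URL, client ID, nonce, key ID and the signing key are all constructed for the demo; a real client takes issuer and jwks_uri from /.well-known/openid-configuration and generates a fresh nonce for every login.

```ruby
require "openssl"
require "json"

# Constructed demo values: a hypothetical self-managed GitLab host and OAuth client ID.
ISSUER    = "https://gitlab.example.com".freeze
CLIENT_ID = "my-rails-app".freeze
NONCE     = "n-0S6_WzA2Mj".freeze # generated per login by the client and kept in its session
KID       = "demo-key-1".freeze

# base64url without padding, as JWS uses (RFC 7515, section 2).
def b64url_encode(bin)
  [bin].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str + ("=" * ((4 - str.length % 4) % 4))
  padded.tr("-_", "+/").unpack1("m0")
end

# JWK (RFC 7517) for an RSA public key: the shape a provider publishes at jwks_uri.
def rsa_jwk(kid, key)
  { "kty" => "RSA", "use" => "sig", "alg" => "RS256", "kid" => kid,
    "n" => b64url_encode(key.n.to_s(2)), "e" => b64url_encode(key.e.to_s(2)) }
end

# Rebuild an RSA public key from the n/e members of a JWK (PKCS#1 RSAPublicKey DER).
def rsa_key_from_jwk(jwk)
  n = OpenSSL::BN.new(b64url_decode(jwk["n"]), 2)
  e = OpenSSL::BN.new(b64url_decode(jwk["e"]), 2)
  seq = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(n), OpenSSL::ASN1::Integer.new(e)])
  OpenSSL::PKey::RSA.new(seq.to_der)
end

# Provider side: mint an RS256-signed ID token (only here so the example runs offline).
def sign_id_token(claims, kid, key)
  header = { "alg" => "RS256", "typ" => "JWT", "kid" => kid }
  signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(claims))}"
  "#{signing_input}.#{b64url_encode(key.sign(OpenSSL::Digest.new("SHA256"), signing_input))}"
end

class IdTokenError < StandardError; end

# Client side: validate an ID token as OpenID Connect Core section 3.1.3.7 requires.
def verify_id_token(token, jwks:, issuer:, client_id:, nonce:, now: Time.now.to_i)
  parts = token.split(".")
  raise IdTokenError, "malformed token" unless parts.length == 3
  header = JSON.parse(b64url_decode(parts[0]))
  # Pin the algorithm: never let the token choose "none" or an HMAC alg against an RSA key.
  raise IdTokenError, "unexpected alg #{header['alg']}" unless header["alg"] == "RS256"
  jwk = jwks["keys"].find { |k| k["kty"] == "RSA" && k["kid"] == header["kid"] }
  raise IdTokenError, "unknown kid" unless jwk
  key = rsa_key_from_jwk(jwk)
  valid = begin
    key.verify(OpenSSL::Digest.new("SHA256"), b64url_decode(parts[2]), "#{parts[0]}.#{parts[1]}")
  rescue OpenSSL::PKey::PKeyError
    false
  end
  raise IdTokenError, "bad signature" unless valid
  # Only after the signature holds are the claims worth reading.
  claims = JSON.parse(b64url_decode(parts[1]))
  raise IdTokenError, "wrong issuer" unless claims["iss"] == issuer
  raise IdTokenError, "wrong audience" unless Array(claims["aud"]).include?(client_id)
  raise IdTokenError, "expired" unless claims["exp"].is_a?(Integer) && now < claims["exp"]
  raise IdTokenError, "nonce mismatch" unless claims["nonce"] == nonce
  claims
rescue ArgumentError, JSON::ParserError
  raise IdTokenError, "malformed token"
end

SIGNING_KEY = OpenSSL::PKey::RSA.generate(2048)          # the provider's key, constructed for the demo
JWKS = { "keys" => [rsa_jwk(KID, SIGNING_KEY)] }          # what GET jwks_uri would return

# Constructed claims in the shape GitLab's ID token uses (values are made up).
def sample_claims(now)
  { "iss" => ISSUER, "sub" => "42", "aud" => CLIENT_ID, "iat" => now, "exp" => now + 120,
    "auth_time" => now - 5, "nonce" => NONCE, "name" => "Jane Doe", "nickname" => "jane",
    "preferred_username" => "jane", "email" => "jane@example.com", "email_verified" => true,
    "groups_direct" => ["example-org/security"] }
end

# Returns nil when the token is accepted, otherwise the reason it was rejected.
def rejection_reason(token, now: Time.now.to_i, nonce: NONCE)
  verify_id_token(token, jwks: JWKS, issuer: ISSUER, client_id: CLIENT_ID, nonce: nonce, now: now)
  nil
rescue IdTokenError => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now.to_i
  token = sign_id_token(sample_claims(now), KID, SIGNING_KEY)
  puts "fresh token: #{rejection_reason(token, now: now).inspect}"
  puts "same token an hour later: #{rejection_reason(token, now: now + 3600).inspect}"
end
```

The nonce check is what ties the ID token to the login attempt that requested it; without it, a token captured from one flow can be replayed into another. Pinning alg to what the discovery document advertises (id_token_signing_alg_values_supported) closes the alg=none and key-confusion classes of JWT bugs, and looking the key up by kid is what lets the provider rotate keys without breaking clients.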

Shared information

The following user information is shared with clients:

| Claim | Type | Description | Included in ID token | Included in userinfo endpoint |
|---|---|---|---|---|
| sub | string | The ID of the user | Yes | Yes |
| auth_time | integer | The timestamp for the user's last authentication | Yes | No |
| name | string | The user's full name | Yes | Yes |
| nickname | string | The user's GitLab username | Yes | Yes |
| preferred_username | string | The user's GitLab username | Yes | Yes |
| email | string | The user's email address (the user's primary email address) | Yes | Yes |
| email_verified | boolean | Whether the user's email address was verified | Yes | Yes |
| website | string | URL for the user's website | Yes | Yes |
| profile | string | URL for the user's GitLab profile | Yes | Yes |
| picture | string | URL for the user's GitLab avatar | Yes | Yes |
| groups | array | Paths for the groups the user is a member of, either directly or through an ancestor group | No | Yes |
| groups_direct | array | Paths for the groups the user is a direct member of | Yes | No |
| https://gitlab.org/claims/groups/owner | array | Names of the groups the user is a direct member of with the Owner role | No | Yes |
| https://gitlab.org/claims/groups/maintainer | array | Names of the groups the user is a direct member of with the Maintainer role | No | Yes |
| https://gitlab.org/claims/groups/developer | array | Names of the groups the user is a direct member of with the Developer role | No | Yes |

The claims email and email_verified are only included if the application was granted the email scope and the user has set a public email address; otherwise they are omitted. The remaining claims are returned in the ID token, from the /oauth/userinfo endpoint that OIDC clients call, or both, as the table indicates. Note that the ID token carries only groups_direct, while the inherited-membership groups claim and the role-specific https://gitlab.org/claims/groups/* claims are available only from the userinfo endpoint, so a client that makes authorization decisions on group membership must call that endpoint rather than rely on the ID token alone.