summaryrefslogtreecommitdiff
path: root/config
diff options
context:
space:
mode:
authorDouwe Maan <douwe@gitlab.com>2018-06-28 14:59:36 +0000
committerDouwe Maan <douwe@gitlab.com>2018-06-28 14:59:36 +0000
commit6be703dd59cd35fb94ee4496a2d52af696d8cd70 (patch)
treec7c7721420fea3f07a4ff0bee48c57b5e703b017 /config
parent50a213112ee422bea6673cf15a8c4829ac8700ee (diff)
parent904b6dd0834868ec260f40077623463926114373 (diff)
downloadgitlab-ce-6be703dd59cd35fb94ee4496a2d52af696d8cd70.tar.gz
Merge branch 'feature/oidc-subject-claim' into 'master'
Don't hash user ID in OIDC subject claim Closes #47791 See merge request gitlab-org/gitlab-ce!19784
Diffstat (limited to 'config')
-rw-r--r--config/initializers/doorkeeper_openid_connect.rb9
1 files changed, 7 insertions, 2 deletions
diff --git a/config/initializers/doorkeeper_openid_connect.rb b/config/initializers/doorkeeper_openid_connect.rb
index 98e1f6e830f..ae5d834a02c 100644
--- a/config/initializers/doorkeeper_openid_connect.rb
+++ b/config/initializers/doorkeeper_openid_connect.rb
@@ -18,12 +18,17 @@ Doorkeeper::OpenidConnect.configure do
end
subject do |user|
- # hash the user's ID with the Rails secret_key_base to avoid revealing it
- Digest::SHA256.hexdigest "#{user.id}-#{Rails.application.secrets.secret_key_base}"
+ user.id
end
claims do
with_options scope: :openid do |o|
+ o.claim(:sub_legacy, response: [:id_token, :user_info]) do |user|
+ # provide the previously hashed 'sub' claim to allow third-party apps
+ # to migrate to the new unhashed value
+ Digest::SHA256.hexdigest "#{user.id}-#{Rails.application.secrets.secret_key_base}"
+ end
+
o.claim(:name) { |user| user.name }
o.claim(:nickname) { |user| user.username }
o.claim(:email) { |user| user.public_email }
View Lorry Controller Status