From 904b6dd0834868ec260f40077623463926114373 Mon Sep 17 00:00:00 2001 From: Markus Koller Date: Wed, 13 Jun 2018 22:32:21 +0200 Subject: Don't hash user ID in OIDC subject claim --- doc/integration/openid_connect_provider.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'doc') diff --git a/doc/integration/openid_connect_provider.md b/doc/integration/openid_connect_provider.md index ad41be52045..a7f907254a1 100644 --- a/doc/integration/openid_connect_provider.md +++ b/doc/integration/openid_connect_provider.md @@ -5,11 +5,11 @@ to sign in to other services. ## Introduction to OpenID Connect -[OpenID Connect] \(OIC) is a simple identity layer on top of the +[OpenID Connect] \(OIDC) is a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the end-user based on the authentication performed by GitLab, as well as to obtain basic profile information about the end-user in an interoperable and -REST-like manner. OIC performs many of the same tasks as OpenID 2.0, +REST-like manner. OIDC performs many of the same tasks as OpenID 2.0, but does so in a way that is API-friendly, and usable by native and mobile applications. @@ -23,14 +23,17 @@ are supported. ## Enabling OpenID Connect for OAuth applications Refer to the [OAuth guide] for basic information on how to set up OAuth -applications in GitLab. To enable OIC for an application, all you have to do +applications in GitLab. To enable OIDC for an application, all you have to do is select the `openid` scope in the application settings. +## Shared information + Currently the following user information is shared with clients: | Claim | Type | Description | |:-----------------|:----------|:------------| -| `sub` | `string` | An opaque token that uniquely identifies the user +| `sub` | `string` | The ID of the user +| `sub_legacy` | `string` | An opaque token that uniquely identifies the user

**Deprecation notice:** this token isn't stable because it's tied to the Rails secret key base, and is provided only for migration to the new stable `sub` value available from GitLab 11.1 | `auth_time` | `integer` | The timestamp for the user's last authentication | `name` | `string` | The user's full name | `nickname` | `string` | The user's GitLab username @@ -41,6 +44,8 @@ Currently the following user information is shared with clients: | `picture` | `string` | URL for the user's GitLab avatar | `groups` | `array` | Names of the groups the user is a member of +Only the `sub` and `sub_legacy` claims are included in the ID token, all other claims are available from the `/oauth/userinfo` endpoint used by OIDC clients. + [OpenID Connect]: http://openid.net/connect/ "OpenID Connect website" [doorkeeper-openid_connect]: https://github.com/doorkeeper-gem/doorkeeper-openid_connect "Doorkeeper::OpenidConnect website" [OAuth guide]: oauth_provider.md "GitLab as OAuth2 authentication service provider" -- cgit v1.2.1
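Review bot: In the second hunk the deprecation notice for the `sub_legacy` row sits on its own line after a blank line, and a blank line terminates a Markdown table, so the rows that follow (`auth_time`, `name`, `nickname`, ...) would render as loose text outside the table. Keep the notice inside the `sub_legacy` cell (an inline `<br>` is the usual way in these docs) or move it to a paragraph directly below the table. Also, "The ID of the user" for `sub` is ambiguous now that the value is no longer hashed: say that it is the numeric GitLab user ID serialised as a string, and that relying parties should still treat it as an opaque identifier scoped to the issuer rather than parse it as a number.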
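Review bot: The added sentence in the third hunk says only `sub` and `sub_legacy` are included in the ID token, which reads as if the standard OIDC ID token claims (`iss`, `aud`, `exp`, `iat`) are absent too; scope it to the table, e.g. "Of the claims listed above, only `sub` and `sub_legacy` are included in the ID token; all other claims are available from the `/oauth/userinfo` endpoint." That also fixes the comma splice after "ID token".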