gitlab-org--gitlab-foss/doc/integration/openid_connect_provider.md

---
stage: Manage
group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---

# GitLab as OpenID Connect identity provider **(FREE)**

This document is about using GitLab as an OpenID Connect identity provider
to sign in to other services.

## Introduction to OpenID Connect

[OpenID Connect](https://openid.net/connect/) \(OIDC) is a simple identity layer on top of the
OAuth 2.0 protocol. It allows clients to:

- Verify the identity of the end-user based on the authentication performed by GitLab.
- Obtain basic profile information about the end-user in an interoperable and REST-like manner.

OIDC performs many of the same tasks as OpenID 2.0, but is API-friendly and usable by native and
mobile applications.

On the client side, you can use [OmniAuth::OpenIDConnect](https://github.com/jjbohn/omniauth-openid-connect/) for Rails
applications, or any of the other available [client implementations](https://openid.net/developers/libraries/#connect).

The GitLab implementation uses the [doorkeeper-openid_connect](https://github.com/doorkeeper-gem/doorkeeper-openid_connect "Doorkeeper::OpenidConnect website") gem, refer
to its README for more details about which parts of the specifications
are supported.

## Enabling OpenID Connect for OAuth applications

Refer to the [OAuth guide](oauth_provider.md) for basic information on how to set up OAuth
applications in GitLab. To enable OIDC for an application, all you have to do
is select the `openid` scope in the application settings.

## Settings discovery

If your client allows importing OIDC settings from a discovery URL, you can use
the following URL to automatically find the correct settings for GitLab.com:

```plaintext
https://gitlab.com/.well-known/openid-configuration
```

Similar URLs can be used for other GitLab instances.

## Shared information

The following user information is shared with clients:

| Claim            | Type      | Description |
|:-----------------|:----------|:------------|
| `sub`            | `string`  | The ID of the user |
| `auth_time`      | `integer` | The timestamp for the user's last authentication |
| `name`           | `string`  | The user's full name |
| `nickname`       | `string`  | The user's GitLab username |
| `email`          | `string`  | The user's email address<br>This is the user's *primary* email address if the application has access to the `email` claim and the user's *public* email address otherwise |
| `email_verified` | `boolean` | Whether the user's email address was verified |
| `website`        | `string`  | URL for the user's website |
| `profile`        | `string`  | URL for the user's GitLab profile |
| `picture`        | `string`  | URL for the user's GitLab avatar |
| `groups`         | `array`   | Paths for the groups the user is a member of, either directly or through an ancestor group. |
| `groups_direct`  | `array`   | Paths for the groups the user is a direct member of. |
| `https://gitlab.org/claims/groups/owner`      | `array`   | Names of the groups the user is a direct member of with Owner role |
| `https://gitlab.org/claims/groups/maintainer` | `array`   | Names of the groups the user is a direct member of with Maintainer role |
| `https://gitlab.org/claims/groups/developer`  | `array`   | Names of the groups the user is a direct member of with Developer role |

The claims `sub`, `sub_legacy`, `email`, `email_verified` and `groups_direct` are included in the ID token. All other claims are available from the `/oauth/userinfo` endpoint used by OIDC clients.
Add latest changes from gitlab-org/gitlab@master 2020-10-29 11:09:12 -04:00			`---`
Add latest changes from gitlab-org/gitlab@master 2022-05-12 23:08:13 -04:00			`stage: Manage`
			`group: Authentication and Authorization`
Add latest changes from gitlab-org/gitlab@master 2020-11-26 01:09:20 -05:00			`info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments`
Add latest changes from gitlab-org/gitlab@master 2020-10-29 11:09:12 -04:00			`---`

Add latest changes from gitlab-org/gitlab@master 2021-02-17 13:09:19 -05:00			`# GitLab as OpenID Connect identity provider (FREE)`
Implement OpenID Connect identity provider 2016-12-09 12:36:50 -05:00
			`This document is about using GitLab as an OpenID Connect identity provider`
			`to sign in to other services.`

			`## Introduction to OpenID Connect`

Update redirected links to final destinations This updates redirected links in integration, update, user and workflow dirs. Should now link to final URLs to avoid redirect hops 2019-07-08 19:14:29 -04:00			`[OpenID Connect](https://openid.net/connect/) \(OIDC) is a simple identity layer on top of the`
Add latest changes from gitlab-org/gitlab@master 2021-01-27 19:09:33 -05:00			`OAuth 2.0 protocol. It allows clients to:`

			`- Verify the identity of the end-user based on the authentication performed by GitLab.`
			`- Obtain basic profile information about the end-user in an interoperable and REST-like manner.`

Add latest changes from gitlab-org/gitlab@master 2021-01-28 10:09:06 -05:00			`OIDC performs many of the same tasks as OpenID 2.0, but is API-friendly and usable by native and`
Implement OpenID Connect identity provider 2016-12-09 12:36:50 -05:00			`mobile applications.`

Add latest changes from gitlab-org/gitlab@master 2019-09-30 02:06:02 -04:00			`On the client side, you can use [OmniAuth::OpenIDConnect](https://github.com/jjbohn/omniauth-openid-connect/) for Rails`
Update redirected links to final destinations This updates redirected links in integration, update, user and workflow dirs. Should now link to final URLs to avoid redirect hops 2019-07-08 19:14:29 -04:00			`applications, or any of the other available [client implementations](https://openid.net/developers/libraries/#connect).`
Implement OpenID Connect identity provider 2016-12-09 12:36:50 -05:00
Add latest changes from gitlab-org/gitlab@master 2020-12-15 22:09:46 -05:00			`The GitLab implementation uses the [doorkeeper-openid_connect](https://github.com/doorkeeper-gem/doorkeeper-openid_connect "Doorkeeper::OpenidConnect website") gem, refer`
Implement OpenID Connect identity provider 2016-12-09 12:36:50 -05:00			`to its README for more details about which parts of the specifications`
			`are supported.`

			`## Enabling OpenID Connect for OAuth applications`

Add latest changes from gitlab-org/gitlab@master 2020-04-06 08:10:44 -04:00			`Refer to the [OAuth guide](oauth_provider.md) for basic information on how to set up OAuth`
Don't hash user ID in OIDC subject claim 2018-06-13 16:32:21 -04:00			`applications in GitLab. To enable OIDC for an application, all you have to do`
Implement OpenID Connect identity provider 2016-12-09 12:36:50 -05:00			is select the `openid` scope in the application settings.

Add latest changes from gitlab-org/gitlab@master 2021-12-15 07:10:49 -05:00			`## Settings discovery`

Add latest changes from gitlab-org/gitlab@master 2022-02-04 07:17:40 -05:00			`If your client allows importing OIDC settings from a discovery URL, you can use`
			`the following URL to automatically find the correct settings for GitLab.com:`
Add latest changes from gitlab-org/gitlab@master 2021-12-15 07:10:49 -05:00
			```plaintext
Add latest changes from gitlab-org/gitlab@master 2022-02-04 07:17:40 -05:00			`https://gitlab.com/.well-known/openid-configuration`
Add latest changes from gitlab-org/gitlab@master 2021-12-15 07:10:49 -05:00			```

Add latest changes from gitlab-org/gitlab@master 2022-02-04 07:17:40 -05:00			`Similar URLs can be used for other GitLab instances.`

Don't hash user ID in OIDC subject claim 2018-06-13 16:32:21 -04:00			`## Shared information`

Add latest changes from gitlab-org/gitlab@master 2021-01-27 19:09:33 -05:00			`The following user information is shared with clients:`
Implement OpenID Connect identity provider 2016-12-09 12:36:50 -05:00
			`\| Claim \| Type \| Description \|`
			`\|:-----------------\|:----------\|:------------\|`
Add latest changes from gitlab-org/gitlab@master 2021-12-29 04:10:20 -05:00			\| `sub` \| `string` \| The ID of the user \|
			\| `auth_time` \| `integer` \| The timestamp for the user's last authentication \|
			\| `name` \| `string` \| The user's full name \|
			\| `nickname` \| `string` \| The user's GitLab username \|
			\| `email` \| `string` \| The user's email address<br>This is the user's primary email address if the application has access to the `email` claim and the user's public email address otherwise \|
			\| `email_verified` \| `boolean` \| Whether the user's email address was verified \|
			\| `website` \| `string` \| URL for the user's website \|
			\| `profile` \| `string` \| URL for the user's GitLab profile \|
			\| `picture` \| `string` \| URL for the user's GitLab avatar \|
			\| `groups` \| `array` \| Paths for the groups the user is a member of, either directly or through an ancestor group. \|
			\| `groups_direct` \| `array` \| Paths for the groups the user is a direct member of. \|
			\| `https://gitlab.org/claims/groups/owner` \| `array` \| Names of the groups the user is a direct member of with Owner role \|
			\| `https://gitlab.org/claims/groups/maintainer` \| `array` \| Names of the groups the user is a direct member of with Maintainer role \|
			\| `https://gitlab.org/claims/groups/developer` \| `array` \| Names of the groups the user is a direct member of with Developer role \|
Implement OpenID Connect identity provider 2016-12-09 12:36:50 -05:00
Add latest changes from gitlab-org/gitlab@master 2021-09-02 05:11:35 -04:00			The claims `sub`, `sub_legacy`, `email`, `email_verified` and `groups_direct` are included in the ID token. All other claims are available from the `/oauth/userinfo` endpoint used by OIDC clients.