---
stage: Create
group: Ecosystem
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---

# GitLab as OpenID Connect identity provider

This document is about using GitLab as an OpenID Connect identity provider
to sign in to other services.

## Introduction to OpenID Connect

[OpenID Connect](https://openid.net/connect/) (OIDC) is a simple identity layer on top of the
OAuth 2.0 protocol. It allows clients to verify the identity of the end-user
based on the authentication performed by GitLab, as well as to obtain
basic profile information about the end-user in an interoperable and
REST-like manner. OIDC performs many of the same tasks as OpenID 2.0,
but does so in a way that is API-friendly, and usable by native and
mobile applications.

On the client side, you can use [OmniAuth::OpenIDConnect](https://github.com/jjbohn/omniauth-openid-connect/) for Rails
applications, or any of the other available [client implementations](https://openid.net/developers/libraries/#connect).

GitLab's implementation uses the [doorkeeper-openid_connect](https://github.com/doorkeeper-gem/doorkeeper-openid_connect "Doorkeeper::OpenidConnect website") gem; refer
to its README for more details about which parts of the specifications
are supported.

## Enabling OpenID Connect for OAuth applications

Refer to the [OAuth guide](oauth_provider.md) for basic information on how to set up OAuth
applications in GitLab. To enable OIDC for an application, all you have to do
is select the `openid` scope in the application settings.

## Shared information

Currently the following user information is shared with clients:

| Claim            | Type      | Description |
|:-----------------|:----------|:------------|
| `sub`            | `string`  | The ID of the user |
| `sub_legacy`     | `string`  | An opaque token that uniquely identifies the user<br><br>**Deprecation notice:** this token isn't stable because it's tied to the Rails secret key base, and is provided only for migration to the new stable `sub` value available from GitLab 11.1 |
| `auth_time`      | `integer` | The timestamp for the user's last authentication |
| `name`           | `string`  | The user's full name |
| `nickname`       | `string`  | The user's GitLab username |
| `email`          | `string`  | The user's email address<br>This is the user's *primary* email address if the application has access to the `email` claim and the user's *public* email address otherwise |
| `email_verified` | `boolean` | Whether the user's email address was verified |
| `website`        | `string`  | URL for the user's website |
| `profile`        | `string`  | URL for the user's GitLab profile |
| `picture`        | `string`  | URL for the user's GitLab avatar |
| `groups`         | `array`   | Names of the groups the user is a member of |

The claims `sub`, `sub_legacy`, `email` and `email_verified` are included in the ID token; all other claims are available from the `/oauth/userinfo` endpoint used by OIDC clients.
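
The following Ruby example is added here to illustrate the split described above from the client's side; it is not code from this documentation, from GitLab or from the doorkeeper-openid_connect gem. A relying party verifies the RS256 signature, issuer, audience, expiry and nonce of the ID token, sees that the token carries only `sub`, `sub_legacy`, `email` and `email_verified`, and then fills in the remaining claims from a `/oauth/userinfo` response, refusing a response whose `sub` does not match the token. Everything concrete is an assumption: a freshly generated RSA key pair stands in for the provider's signing key (a real client loads the provider's published JSON Web Key Set instead), `https://gitlab.example.com` and `example-application-id` are placeholder issuer and client ID values, and the userinfo JSON is constructed sample data.

```ruby
require 'openssl'
require 'json'

# Constructed stand-ins (assumptions, not values from GitLab): a fresh RSA key
# pair plays the provider's signing key; a real relying party would load the
# provider's published JSON Web Key Set rather than generating a key itself.
PROVIDER_KEY = OpenSSL::PKey::RSA.new(2048)
ISSUER    = 'https://gitlab.example.com'   # assumed GitLab instance URL
CLIENT_ID = 'example-application-id'       # assumed OAuth application ID

# Constructed /oauth/userinfo response for the same user; the ID token minted
# below deliberately carries only sub, sub_legacy, email and email_verified.
USERINFO_JSON = JSON.generate(
  'sub' => '42', 'name' => 'Jane Doe', 'nickname' => 'jane',
  'email' => 'jane@example.com', 'email_verified' => true,
  'website' => 'https://jane.example.com',
  'profile' => 'https://gitlab.example.com/jane',
  'picture' => 'https://gitlab.example.com/uploads/avatar.png',
  'groups' => ['example-group']
)

# JWT uses unpadded base64url; pack/unpack with 'm0' keeps this dependency-free.
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0')
end

# Provider side (for the demonstration only): mint an RS256-signed ID token.
def issue_id_token(key, nonce:, now:)
  header  = { 'alg' => 'RS256', 'typ' => 'JWT' }
  payload = {
    'iss' => ISSUER, 'aud' => CLIENT_ID, 'iat' => now, 'exp' => now + 120,
    'nonce' => nonce, 'sub' => '42', 'sub_legacy' => 'constructed-legacy-token',
    'email' => 'jane@example.com', 'email_verified' => true
  }
  signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(payload))}"
  signature = key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url_encode(signature)}"
end

# Relying-party side: accept the token only if the signature, issuer, audience,
# expiry and nonce all check out. Raises with a short reason otherwise.
def verify_id_token(token, public_key, expected_nonce:, now:)
  header_b64, payload_b64, sig_b64 = token.split('.')
  raise 'malformed token' unless header_b64 && payload_b64 && sig_b64

  header = JSON.parse(b64url_decode(header_b64))
  raise 'unexpected alg' unless header['alg'] == 'RS256' # never accept alg "none"

  digest = OpenSSL::Digest.new('SHA256')
  unless public_key.verify(digest, b64url_decode(sig_b64), "#{header_b64}.#{payload_b64}")
    raise 'bad signature'
  end

  claims = JSON.parse(b64url_decode(payload_b64))
  raise 'wrong issuer'   unless claims['iss'] == ISSUER
  raise 'wrong audience' unless Array(claims['aud']).include?(CLIENT_ID)
  raise 'token expired'  unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  raise 'nonce mismatch' unless claims['nonce'] == expected_nonce
  claims
end

# Merge the verified ID-token claims with the userinfo response, refusing a
# response whose sub does not match the token that authorised the request.
def build_profile(id_token_claims, userinfo_json)
  userinfo = JSON.parse(userinfo_json)
  raise 'userinfo sub mismatch' unless userinfo['sub'] == id_token_claims['sub']
  id_token_claims.merge(userinfo)
end

if __FILE__ == $PROGRAM_NAME
  nonce  = 'constructed-nonce'
  token  = issue_id_token(PROVIDER_KEY, nonce: nonce, now: Time.now.to_i)
  claims = verify_id_token(token, PROVIDER_KEY.public_key, expected_nonce: nonce, now: Time.now.to_i)
  puts "ID token claims: #{claims.keys.join(', ')}"
  puts "Full profile:    #{build_profile(claims, USERINFO_JSON).keys.join(', ')}"
end
```

Run it directly to see the two claim lists side by side. The `nonce` check is what ties the token to the authorization request the client actually started, and the `sub` comparison in `build_profile` guards against pairing a userinfo response with the wrong session; both checks are cheap and are the ones most often skipped in hand-rolled clients.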