GitLab OpenId `id_token` missing user info claims

Summary

When trying to use GitLab as an OpenID auth provider for other applications, the provided id_token payload does not contain the user claims like name, email etc.

Steps to reproduce

  1. Create an application on GitLab by going to User Settings -> Application. Select the OpenID scope and provide http://localhost as the redirect URL. Note the Client ID and Client Secret.
  2. Hit the following URL to get the consent screen, and authorize the app: https://gitlab/oauth/authorize?client_id=CLIENT_ID&redirect_uri=http://localhost&response_type=code&state=1&scope=openid After authorizing you will be redirected to a URL like http://localhost?code= ; note the code for step 3.
  3. Hit the following URL to get the tokens payload: https://gitlab.com/oauth/token?client_id=606cbeb444aad14ab3123cd80a938b08254245a6fcf09da3b9d623b3ccca4984&client_secret=eb6ec0523f711721e286a4391450c48ca396b60ec2a95fc93dfe0379550acea7&code=d521629bd8b8c49b817bf29d1fccaaa46421ca528fcaa190e518aec84dda0da2&grant_type=authorization_code&redirect_uri=http://localhost Note the value of the id_token key in the response.
  4. Go to http://jwt.io and paste the value of id_token.
  5. Observe that the JWT payload doesn't include any of the user profile claims like email, name etc.
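The same inspection done by pasting the token into jwt.io can be scripted. The following is an added Python example (not part of this report or of GitLab's code): it decodes the id_token payload, lists which claims the requested scopes should have produced but did not, and checks aud and exp. The sample token is constructed from the payload in this report with an unsigned header, and the client_id assumed is that payload's aud value.

```python
import base64
import json
import time

# Claims a provider should return per standard scope (OIDC Core 1.0, section 5.4).
SCOPE_CLAIMS = {"openid": {"sub"}, "profile": {"name", "preferred_username"},
                "email": {"email", "email_verified"}}

def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_id_token(id_token):
    """Return the payload of a compact JWS id_token WITHOUT verifying the signature,
    i.e. inspection only; a relying party must verify it against the issuer's JWKS."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def check_id_token(id_token, client_id, scopes, now=None):
    """List claims the requested scopes should have produced but did not, plus aud/exp checks."""
    claims = decode_id_token(id_token)
    now = int(time.time()) if now is None else now
    expected = set()
    for scope in scopes.split():
        expected |= SCOPE_CLAIMS.get(scope, set())
    return {
        "missing_claims": sorted(expected - set(claims)),
        "aud_matches_client": claims.get("aud") == client_id,
        "expired": claims.get("exp", 0) <= now,
    }

# Constructed sample: the payload from this report wrapped in an unsigned (alg "none")
# JWT so the check runs offline; a real GitLab id_token carries a signature.
SAMPLE_PAYLOAD = {"iss": "https://gitlab.example.com",
                  "sub": "768d4eeae122ca6655c9127487d9c4cd85b079796d35d33753b3c15b93486044",
                  "aud": "c3be56f955c74f0601683654df61ed3f74774902e2fb6da7ce05415b8a30e1d7",
                  "exp": 1521463699, "iat": 1521463579, "auth_time": 1521456265}
SAMPLE_ID_TOKEN = ".".join([_b64url_encode({"alg": "none", "typ": "JWT"}),
                            _b64url_encode(SAMPLE_PAYLOAD), ""])
SAMPLE_RESULT = check_id_token(SAMPLE_ID_TOKEN, SAMPLE_PAYLOAD["aud"],
                               "openid email profile", now=1521463600)  # clock pinned just before exp
```

For the report's payload, SAMPLE_RESULT lists email, email_verified, name and preferred_username as missing while aud matches and the token is not yet expired.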

Example Project

https://gitlab.com/oauth/applications/113432 I am using this application for my tests.

What is the current bug behavior?

We get the id_token with a payload like the following:

{
  "iss": "https://gitlab.example.com",
  "sub": "768d4eeae122ca6655c9127487d9c4cd85b079796d35d33753b3c15b93486044",
  "aud": "c3be56f955c74f0601683654df61ed3f74774902e2fb6da7ce05415b8a30e1d7",
  "exp": 1521463699,
  "iat": 1521463579,
  "auth_time": 1521456265
}

It does not include any profile claims like email, name etc.

What is the expected correct behavior?

The id_token payload should include claims for standard user attributes like email, groups, name etc. Also, the app owner should be able to decide what gets included in the id_token via scope parameters like scope=openid email name, which currently doesn't work.

Relevant logs and/or screenshots

Not Applicable

Output of checks

This bug happens on GitLab.com

Results of GitLab environment info

Not Applicable

Results of GitLab application Check

Not Applicable

Possible fixes

Not Aware