GitLab as OpenID Connect identity provider

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab.com, GitLab Self-Managed

You can use GitLab as an OpenID Connect (OIDC) identity provider to access other services. OIDC is an identity layer that performs many of the same tasks as OpenID 2.0, but is API-friendly and usable by native and mobile applications.

Clients can use OIDC to:

  • Verify the identity of an end-user based on the authentication performed by GitLab.
  • Obtain basic profile information about the end-user in an interoperable and REST-like manner.

You can use OmniAuth::OpenIDConnect for Rails applications and there are many other available client implementations.

GitLab uses the doorkeeper-openid_connect gem to provide OIDC service. For more information, see the doorkeeper-openid_connect repository.

Enable OIDC for OAuth applications

To enable OIDC for an OAuth application, you need to select the openid scope in the application settings. For more information , see Configure GitLab as an OAuth 2.0 authentication identity provider.

Settings discovery

If your client can import OIDC settings from a discovery URL, GitLab provides endpoints to access this information:

  • For GitLab.com, use https://gitlab.com/.well-known/openid-configuration.
  • For GitLab Self-Managed, use https://<your-gitlab-instance>/.well-known/openid-configuration

Shared information

The following user information is shared with clients:

Claim Type Description Included in ID Token Included in userinfo endpoint
sub string The ID of the user check-circle Yes check-circle Yes
auth_time integer The timestamp for the user’s last authentication check-circle Yes dotted-circle No
name string The user’s full name check-circle Yes check-circle Yes
nickname string The user’s GitLab username check-circle Yes check-circle Yes
preferred_username string The user’s GitLab username check-circle Yes check-circle Yes
email string The user’s primary email address check-circle Yes check-circle Yes
email_verified boolean Whether the user’s email address is verified check-circle Yes check-circle Yes
website string URL for the user’s website check-circle Yes check-circle Yes
profile string URL for the user’s GitLab profile check-circle Yes check-circle Yes
picture string URL for the user’s GitLab avatar check-circle Yes check-circle Yes
groups array Paths for the groups the user is a member of, either directly or through an ancestor group. dotted-circle No check-circle Yes
groups_direct array Paths for the groups the user is a direct member of. check-circle Yes dotted-circle No
https://gitlab.org/claims/groups/owner array Names of the groups the user is a direct member of with the Owner role dotted-circle No check-circle Yes
https://gitlab.org/claims/groups/maintainer array Names of the groups the user is a direct member of with the Maintainer role dotted-circle No check-circle Yes
https://gitlab.org/claims/groups/developer array Names of the groups the user is a direct member of with the Developer role dotted-circle No check-circle Yes

The claims email and email_verified are included only if the application has access to the email scope and the user’s public email address. All other claims are available from the /oauth/userinfo endpoint used by OIDC clients.