GitLab as OpenID Connect identity provider

  • Tier: Free, Premium, Ultimate
  • Offering: GitLab.com, GitLab Self-Managed

You can use GitLab as an OpenID Connect (OIDC) identity provider to access other services. OIDC is an identity layer that performs many of the same tasks as OpenID 2.0, but is API-friendly and usable by native and mobile applications.

Clients can use OIDC to:

  • Verify the identity of an end-user based on the authentication performed by GitLab.
  • Obtain basic profile information about the end-user in an interoperable and REST-like manner.

You can use OmniAuth::OpenIDConnect for Rails applications and there are many other available client implementations.

GitLab uses the doorkeeper-openid_connect gem to provide OIDC service. For more information, see the doorkeeper-openid_connect repository.

Enable OIDC for OAuth applications

To enable OIDC for an OAuth application, you need to select the openid scope in the application settings. For more information , see Configure GitLab as an OAuth 2.0 authentication identity provider.

Settings discovery

If your client can import OIDC settings from a discovery URL, GitLab provides endpoints to access this information:

  • For GitLab.com, use https://gitlab.com/.well-known/openid-configuration.
  • For GitLab Self-Managed, use https://<your-gitlab-instance>/.well-known/openid-configuration

Shared information

The following user information is shared with clients:

ClaimTypeDescriptionIncluded in ID TokenIncluded in userinfo endpoint
substringThe ID of the usercheck-circle Yescheck-circle Yes
auth_timeintegerThe timestamp for the user’s last authenticationcheck-circle Yesdotted-circle No
namestringThe user’s full namecheck-circle Yescheck-circle Yes
nicknamestringThe user’s GitLab usernamecheck-circle Yescheck-circle Yes
preferred_usernamestringThe user’s GitLab usernamecheck-circle Yescheck-circle Yes
emailstringThe user’s primary email addresscheck-circle Yescheck-circle Yes
email_verifiedbooleanWhether the user’s email address is verifiedcheck-circle Yescheck-circle Yes
websitestringURL for the user’s websitecheck-circle Yescheck-circle Yes
profilestringURL for the user’s GitLab profilecheck-circle Yescheck-circle Yes
picturestringURL for the user’s GitLab avatarcheck-circle Yescheck-circle Yes
groupsarrayPaths for the groups the user is a member of, either directly or through an ancestor group.dotted-circle Nocheck-circle Yes
groups_directarrayPaths for the groups the user is a direct member of.check-circle Yesdotted-circle No
https://gitlab.org/claims/groups/ownerarrayNames of the groups the user is a direct member of with the Owner roledotted-circle Nocheck-circle Yes
https://gitlab.org/claims/groups/maintainerarrayNames of the groups the user is a direct member of with the Maintainer roledotted-circle Nocheck-circle Yes
https://gitlab.org/claims/groups/developerarrayNames of the groups the user is a direct member of with the Developer roledotted-circle Nocheck-circle Yes

The claims email and email_verified are included only if the application has access to the email scope and the user’s public email address. All other claims are available from the /oauth/userinfo endpoint used by OIDC clients.