debian-mirror-gitlab/doc/integration/openid_connect_provider.md

---
stage: Ecosystem
group: Integrations
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---

# GitLab as OpenID Connect identity provider **(FREE)**

This document is about using GitLab as an OpenID Connect identity provider
to sign in to other services.

## Introduction to OpenID Connect

[OpenID Connect](https://openid.net/connect/) \(OIDC) is a simple identity layer on top of the
OAuth 2.0 protocol. It allows clients to:

- Verify the identity of the end-user based on the authentication performed by GitLab.
- Obtain basic profile information about the end-user in an interoperable and REST-like manner.

OIDC performs many of the same tasks as OpenID 2.0, but is API-friendly and usable by native and
mobile applications.

On the client side, you can use [OmniAuth::OpenIDConnect](https://github.com/jjbohn/omniauth-openid-connect/) for Rails
applications, or any of the other available [client implementations](https://openid.net/developers/libraries/#connect).

The GitLab implementation uses the [doorkeeper-openid_connect](https://github.com/doorkeeper-gem/doorkeeper-openid_connect "Doorkeeper::OpenidConnect website") gem, refer
to its README for more details about which parts of the specifications
are supported.

## Enabling OpenID Connect for OAuth applications

Refer to the [OAuth guide](oauth_provider.md) for basic information on how to set up OAuth
applications in GitLab. To enable OIDC for an application, all you have to do
is select the `openid` scope in the application settings.

## Shared information

The following user information is shared with clients:

| Claim            | Type      | Description |
|:-----------------|:----------|:------------|
| `sub`            | `string`  | The ID of the user
| `sub_legacy`     | `string`  | An opaque token that uniquely identifies the user<br><br>**Deprecation notice:** this token isn't stable because it's tied to the Rails secret key base, and is provided only for migration to the new stable `sub` value available from GitLab 11.1
| `auth_time`      | `integer` | The timestamp for the user's last authentication
| `name`           | `string`  | The user's full name
| `nickname`       | `string`  | The user's GitLab username
| `email`          | `string`  | The user's email address<br>This is the user's *primary* email address if the application has access to the `email` claim and the user's *public* email address otherwise
| `email_verified` | `boolean` | Whether the user's email address was verified
| `website`        | `string`  | URL for the user's website
| `profile`        | `string`  | URL for the user's GitLab profile
| `picture`        | `string`  | URL for the user's GitLab avatar
| `groups`         | `array`   | Names of the groups the user is a member of

The claims `sub`, `sub_legacy`, `email` and `email_verified` are included in the ID token, all other claims are available from the `/oauth/userinfo` endpoint used by OIDC clients.
New upstream version 13.6.5 2021-01-29 00:20:46 +05:30			`---`
New upstream version 14.2.5+ds1 2021-10-27 15:23:28 +05:30			`stage: Ecosystem`
			`group: Integrations`
New upstream version 13.7.7 2021-02-22 17:27:13 +05:30			`info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments`
New upstream version 13.6.5 2021-01-29 00:20:46 +05:30			`---`

New upstream version 13.10.3+ds1 2021-04-17 20:07:23 +05:30			`# GitLab as OpenID Connect identity provider (FREE)`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30
			`This document is about using GitLab as an OpenID Connect identity provider`
			`to sign in to other services.`

			`## Introduction to OpenID Connect`

New upstream version 12.1.11 2019-09-30 21:07:59 +05:30			`[OpenID Connect](https://openid.net/connect/) \(OIDC) is a simple identity layer on top of the`
New upstream version 13.9.3+ds1 2021-03-11 19:13:27 +05:30			`OAuth 2.0 protocol. It allows clients to:`

			`- Verify the identity of the end-user based on the authentication performed by GitLab.`
			`- Obtain basic profile information about the end-user in an interoperable and REST-like manner.`

			`OIDC performs many of the same tasks as OpenID 2.0, but is API-friendly and usable by native and`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`mobile applications.`

New upstream version 12.4.6 2019-12-21 20:55:43 +05:30			`On the client side, you can use [OmniAuth::OpenIDConnect](https://github.com/jjbohn/omniauth-openid-connect/) for Rails`
New upstream version 12.1.11 2019-09-30 21:07:59 +05:30			`applications, or any of the other available [client implementations](https://openid.net/developers/libraries/#connect).`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30
New upstream version 13.7.7 2021-02-22 17:27:13 +05:30			`The GitLab implementation uses the [doorkeeper-openid_connect](https://github.com/doorkeeper-gem/doorkeeper-openid_connect "Doorkeeper::OpenidConnect website") gem, refer`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`to its README for more details about which parts of the specifications`
			`are supported.`

			`## Enabling OpenID Connect for OAuth applications`

New upstream version 12.10.0 2020-04-22 19:07:51 +05:30			`Refer to the [OAuth guide](oauth_provider.md) for basic information on how to set up OAuth`
New upstream version 11.1.8+dfsg 2018-11-08 19:23:39 +05:30			`applications in GitLab. To enable OIDC for an application, all you have to do`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			is select the `openid` scope in the application settings.

New upstream version 11.1.8+dfsg 2018-11-08 19:23:39 +05:30			`## Shared information`

New upstream version 13.9.3+ds1 2021-03-11 19:13:27 +05:30			`The following user information is shared with clients:`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30
			`\| Claim \| Type \| Description \|`
			`\|:-----------------\|:----------\|:------------\|`
New upstream version 11.1.8+dfsg 2018-11-08 19:23:39 +05:30			\| `sub` \| `string` \| The ID of the user
			\| `sub_legacy` \| `string` \| An opaque token that uniquely identifies the user<br><br>Deprecation notice: this token isn't stable because it's tied to the Rails secret key base, and is provided only for migration to the new stable `sub` value available from GitLab 11.1
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			\| `auth_time` \| `integer` \| The timestamp for the user's last authentication
			\| `name` \| `string` \| The user's full name
			\| `nickname` \| `string` \| The user's GitLab username
New upstream version 13.2.1 2020-07-28 23:09:34 +05:30			\| `email` \| `string` \| The user's email address<br>This is the user's primary email address if the application has access to the `email` claim and the user's public email address otherwise
			\| `email_verified` \| `boolean` \| Whether the user's email address was verified
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			\| `website` \| `string` \| URL for the user's website
			\| `profile` \| `string` \| URL for the user's GitLab profile
			\| `picture` \| `string` \| URL for the user's GitLab avatar
New upstream version 10.6.0+dfsg 2018-03-27 19:54:05 +05:30			\| `groups` \| `array` \| Names of the groups the user is a member of
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30
New upstream version 13.2.1 2020-07-28 23:09:34 +05:30			The claims `sub`, `sub_legacy`, `email` and `email_verified` are included in the ID token, all other claims are available from the `/oauth/userinfo` endpoint used by OIDC clients.