0 votes

Using GitLab-provided access tokens for the OpenID scope, i.e.

https://gitlab.com/oauth/userinfo?access_token=<bearer token> 

returns a limited amount of information, e.g. username, groups, etc. However, it does not return the user's email address.
The GitLab documentation indicates that:

The claims sub, sub_legacy, email and email_verified are included in the ID token, all other claims are available from the /oauth/userinfo endpoint used by OIDC clients.

Given the AccessToken - how do I retrieve the ID token?

* This is a known / discussed issue, cf. here.


2 Answers

1 vote

It all depends on what scopes you ask for when you first send the initial authentication request to GitLab.

You need to ask for the email scope to get that information back, and you should get the ID token back at the same time as you get your first access token.

0 votes
  1. When you obtain the code through the authorization request, you need to specify the scope, and the scope needs to include openid, read_user, profile and email.

  2. When exchanging the code obtained in the first step for a token, the response returns access_token and id_token.

  3. When the access_token obtained in the second step is used to obtain the user information, it returns the user's e-mail.

Refer to the explanation of the scope used above:

  • openid: Grants permission to authenticate with GitLab using OpenID Connect. Also gives read-only access to the user's profile and group memberships.
  • read_user: Grants read-only access to the authenticated user's profile through the /user API endpoint, which includes username, public email, and full name. Also grants access to read-only API endpoints under /users.
  • profile: Grants read-only access to the user's profile data using OpenID Connect.
  • email: Grants read-only access to the user's primary email address using OpenID Connect.
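The three steps of this answer as a runnable Python module, added here as an example; it is not code from GitLab or from either answerer. The endpoint paths (/oauth/authorize, /oauth/token, /oauth/userinfo) are GitLab's documented OAuth endpoints; the client id, client secret, redirect URI, state, nonce, key id and the whole token response are constructed placeholders, so it runs offline and never contacts gitlab.com. It also adds the two checks a practitioner wants around this flow: the bearer token goes in the Authorization header rather than in the query string as in the question, and the ID token's iss, aud, nonce and exp claims are checked before the email claim is trusted (the RS256 signature must additionally be verified against the JWKS named in GitLab's OIDC discovery document, which needs the live key set and is not simulated here).

```python
# GitLab OIDC authorization-code flow (the three steps above). Added example,
# not GitLab's or the answerers' code. Endpoints are GitLab's documented
# ones; all ids, secrets, nonces and the token response are constructed
# placeholders. Stdlib only, runs offline.
import base64
import json
import time
import urllib.parse

GITLAB = "https://gitlab.com"
AUTHORIZE_URL = f"{GITLAB}/oauth/authorize"
TOKEN_URL = f"{GITLAB}/oauth/token"
USERINFO_URL = f"{GITLAB}/oauth/userinfo"
# Step 1 scopes. Without "email" GitLab still issues an ID token, but it
# carries no email claim, which is the situation described in the question.
SCOPES = ("openid", "read_user", "profile", "email")


def build_authorize_url(client_id, redirect_uri, state, nonce):
    """Step 1: state ties the callback to this browser session; nonce is
    echoed inside the ID token so a replayed token can be rejected."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": " ".join(SCOPES),
              "state": state, "nonce": nonce}
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Step 2: form body POSTed to /oauth/token; the JSON reply carries
    access_token and id_token together."""
    body = {"client_id": client_id, "client_secret": client_secret,
            "code": code, "grant_type": "authorization_code",
            "redirect_uri": redirect_uri}
    return TOKEN_URL, urllib.parse.urlencode(body).encode()


def build_userinfo_request(access_token):
    """Step 3: bearer token in the Authorization header, not ?access_token=
    (RFC 6750 discourages the query form; it leaks into proxy/server logs)."""
    return USERINFO_URL, {"Authorization": f"Bearer {access_token}"}


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def validate_id_token_claims(id_token, client_id, expected_nonce, now=None):
    """Decode the ID token payload and check iss, aud, nonce and exp.
    Run this after verifying the RS256 signature against GitLab's JWKS,
    never instead of it; signature verification is not simulated here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWT")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg", "none").lower() == "none":
        raise ValueError("unsigned JWT rejected")
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if claims.get("iss") != GITLAB:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("id_token was not issued to this client")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch, possible replay")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    return claims


def email_from_id_token(id_token, client_id, expected_nonce, now=None):
    """The answer to the question: the email comes from the ID token, and
    is only trusted if GitLab marked it verified."""
    claims = validate_id_token_claims(id_token, client_id, expected_nonce, now)
    if "email" not in claims:
        raise ValueError("no email claim: was the 'email' scope requested?")
    if not claims.get("email_verified", False):
        raise ValueError("email claim present but not verified")
    return claims["email"]


def make_constructed_id_token(claims):
    """JWT-shaped string for the offline demo only; the signature segment is
    a placeholder, so real code must never accept tokens built like this."""
    return ".".join([_b64url({"alg": "RS256", "kid": "demo", "typ": "JWT"}),
                     _b64url(claims), "c2lnbmF0dXJl"])


def demo(now=1_700_000_000):
    """Runs the flow against a constructed /oauth/token response."""
    client_id, nonce = "demo-client-id", "nonce-for-this-login"
    authorize_url = build_authorize_url(client_id, "https://app.example/cb",
                                        "state-for-this-login", nonce)
    base = {"iss": GITLAB, "sub": "42", "aud": client_id, "iat": now,
            "exp": now + 120, "nonce": nonce}
    with_email = dict(base, email="alice@example.com", email_verified=True)
    token_response = {"access_token": "access-token-placeholder",
                      "token_type": "Bearer",
                      "id_token": make_constructed_id_token(with_email)}
    email = email_from_id_token(token_response["id_token"], client_id, nonce, now)
    try:  # same login without the email scope: the claim is simply absent
        email_from_id_token(make_constructed_id_token(base), client_id, nonce, now)
        rejects_missing_email = False
    except ValueError:
        rejects_missing_email = True
    try:  # token lifted from another login session: nonce does not match
        email_from_id_token(token_response["id_token"], client_id, "other", now)
        rejects_bad_nonce = False
    except ValueError:
        rejects_bad_nonce = True
    return {"authorize_url": authorize_url, "email": email,
            "rejects_missing_email": rejects_missing_email,
            "rejects_bad_nonce": rejects_bad_nonce}
```

In a real client, replace `make_constructed_id_token` with the `id_token` field of GitLab's actual /oauth/token reply, verify its signature with a JWT library against the key set from GitLab's discovery document, and only then call `email_from_id_token`; the userinfo call remains useful for the non-email claims but is no longer needed for the address itself.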