Add ability to use GitLab as an identity provider via OAuth2
According to this forum thread and the docs it is desired that GitLab can be used as an identity provider.
The current implementation does not allow for that. There is an OAuth2 flow with endpoints at `/oauth/authorize` and `/oauth/token`, but the only available scope is `api`, which gives the Client full API access on behalf of the user. This is very useful for applications that use the GitLab API on behalf of the user, but makes it impossible to use GitLab as an identity provider.
To do so, two things must be done:
- A scope must be added that gives access only to identity information (usually the email address and a user ID)
- A means of getting the identity information (and only that) with the token must be provided (usually the API call `/user`, but it should not return any private information like `private_token`)
Optionally, OpenID Connect (link goes to a description from Google) could be supported by adding a discovery document, naming the new scope `openid` and providing the user data together with the access token as a JSON Web Token.
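To make the two required changes and the optional OpenID Connect part concrete, here is an added, stand-alone Python sketch (it is not GitLab code and is not taken from this issue) of what the provider and the relying party would each do: a scope-filtered `/user` response that never leaks `private_token`, a minimal discovery document pointing at the existing `/oauth/authorize` and `/oauth/token` endpoints, and an HS256-signed ID token plus the verification a relying party must perform before trusting its claims. The `read_user` scope name, the user record, the client id and secret and the issuer URL are all constructed assumptions; the page only specifies `api` and the proposed `openid` scope.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample user record. The private_token field stands in for the
# kind of credential that must never be returned under an identity-only scope.
SAMPLE_USER = {
    "id": 42,
    "username": "jdoe",
    "name": "Jane Doe",
    "email": "jdoe@example.com",
    "private_token": "PRIVATE-TOKEN-PLACEHOLDER",  # constructed placeholder
    "is_admin": False,
}

# Claims an identity provider exposes: a stable user id and the email address.
IDENTITY_FIELDS = ("id", "username", "name", "email")
# "read_user" is an assumed name for the new identity-only scope.
IDENTITY_SCOPES = {"read_user", "openid"}


def user_endpoint(user, token_scopes):
    """Hypothetical GET /user: the token's scopes decide which fields are returned."""
    scopes = set(token_scopes)
    if "api" in scopes:
        return dict(user)  # full API access: today's behaviour, left unchanged here
    if scopes & IDENTITY_SCOPES:
        return {k: user[k] for k in IDENTITY_FIELDS}  # identity only, no private_token
    raise PermissionError("token lacks a scope that permits reading the user")


def discovery_document(issuer):
    """Minimal OpenID Connect discovery document for the existing OAuth2 endpoints."""
    return {
        "issuer": issuer,
        "authorization_endpoint": issuer + "/oauth/authorize",
        "token_endpoint": issuer + "/oauth/token",
        "userinfo_endpoint": issuer + "/user",
        "scopes_supported": ["api", "openid"],
        "response_types_supported": ["code"],
        "id_token_signing_alg_values_supported": ["HS256"],
    }


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(user, client_id, client_secret, issuer, now=None, ttl=3600):
    """Provider side: mint a JWT carrying only identity claims, signed with HS256.
    HS256 with the client secret keeps the example self-contained; a production
    provider would sign with an asymmetric key published at a jwks_uri."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": str(user["id"]), "aud": client_id,
              "iat": now, "exp": now + ttl, "email": user["email"]}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token, client_id, client_secret, issuer, now=None):
    """Relying-party side: returns the claims only if signature, algorithm,
    issuer, audience and expiry all check out; otherwise None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    expected = hmac.new(client_secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    try:
        header = json.loads(_b64url_decode(head))
        claims = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # reject "none" and algorithm-confusion attempts
        return None
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


if __name__ == "__main__":
    issuer = "https://gitlab.example.com"  # assumed issuer URL
    print(user_endpoint(SAMPLE_USER, ["openid"]))
    tok = issue_id_token(SAMPLE_USER, "client-1", "client-secret", issuer)
    print(verify_id_token(tok, "client-1", "client-secret", issuer))
```

The design point is that the scope check lives on the provider, so a token minted with only `openid` or `read_user` can never be upgraded to full API access by calling a different endpoint, and that the relying party validates issuer, audience and expiry rather than just decoding the token.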