GitLab as OpenID Connect IdP (identity provider)

Description

OAuth2 is not a real standard: every application that uses an OAuth2 identity provider such as GitLab has to implement that provider's specific flavor to, for example, fetch the user profile. OpenID Connect is an extension of OAuth2 that uses JSON Web Tokens and the standardized scope openid. This enables simple cross-vendor scenarios without custom glue code per provider on the client side. Adding OpenID Connect IdP functionality would simplify the use of GitLab as an identity provider by supporting a standard protocol that is already widely adopted and standardized.

Benefits:

  • GitLab can be used as IdP without requiring a GitLab-specific client implementation
  • OpenID Connect can replace more complicated/inefficient solutions like SAML
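The point above is that with OpenID Connect the client only needs the standard ID token, not provider-specific profile calls. The following is an added example (not GitLab's or the doorkeeper-openid_connect gem's code) of the two halves of that contract: the IdP minting an RS256-signed ID token, and a client validating it. The RSA key and the issuer URL are constructed placeholders.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Constructed example values: the key stands in for the IdP's signing key and
# the issuer is a placeholder for a GitLab instance (assumption, not a real host).
IDP_KEY = OpenSSL::PKey::RSA.new(2048)
ISSUER  = 'https://gitlab.example.com'

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# IdP side: after the "openid" scope is granted, sign the claims as a JWT.
def issue_id_token(key, claims)
  header  = b64url(JSON.generate({ alg: 'RS256', typ: 'JWT' }))
  payload = b64url(JSON.generate(claims))
  signing_input = "#{header}.#{payload}"
  sig = key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(sig)}"
end

# Client side: the same checks work against any OIDC provider. The algorithm is
# pinned (never trusted from the token), then signature, iss, aud, exp and nonce
# are verified. Returns the claims or raises on the first failed check.
def verify_id_token(token, pub_key, issuer:, client_id:, nonce:, now: Time.now.to_i)
  header_b64, payload_b64, sig_b64 = token.split('.')
  raise 'malformed token' unless header_b64 && payload_b64 && sig_b64
  header = JSON.parse(Base64.urlsafe_decode64(header_b64))
  raise 'unexpected alg' unless header['alg'] == 'RS256'
  signing_input = "#{header_b64}.#{payload_b64}"
  sig = Base64.urlsafe_decode64(sig_b64)
  raise 'bad signature' unless pub_key.verify(OpenSSL::Digest.new('SHA256'), sig, signing_input)
  claims = JSON.parse(Base64.urlsafe_decode64(payload_b64))
  raise 'wrong issuer'   unless claims['iss'] == issuer
  raise 'wrong audience' unless Array(claims['aud']).include?(client_id)
  raise 'expired'        unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  raise 'nonce mismatch' unless claims['nonce'] == nonce
  claims
end

if __FILE__ == $PROGRAM_NAME
  claims = { 'iss' => ISSUER, 'sub' => '42', 'aud' => 'my-client',
             'exp' => Time.now.to_i + 300, 'nonce' => 'n-1' }
  token = issue_id_token(IDP_KEY, claims)
  puts verify_id_token(token, IDP_KEY.public_key, issuer: ISSUER,
                       client_id: 'my-client', nonce: 'n-1')['sub']
end
```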

Proposal

  • Improve the doorkeeper-openid_connect gem
    • clean up code, add missing specs and documentation
    • possibly implement additional useful specs (Discovery, WebFinger)
  • Build a basic example application to pass the conformance test for the core specs
  • Integrate the gem into GitLab and pass the conformance test
  • Get self-certification or official certification for GitLab

Links / references

/cc @bachp @fh1ch @toupeira @jorgemoralespou @sytses