OIDC sub claim is not stable
Summary
Hi,
I work on the OpenShift Auth team. A recent issue https://github.com/openshift/origin/issues/19937 brought the deprecation of the v3 API to my attention (used in https://docs.openshift.org/latest/install_config/configuring_authentication.html#GitLab). While it was ultimately decided to restore the v3 user endpoint https://gitlab.com/gitlab-org/gitlab-ce/issues/47565#note_80751232 (thanks!), I assume at some point we will need to move off that API. In general we do not want to use deprecated APIs. While I was looking into moving to the v4 API, I noticed that GitLab supports OIDC. This is the ideal long term solution for OpenShift since it removes GitLab specific logic and instead turns the integration into simple configuration based on the OIDC spec (which hopefully will not change over time). However, there is one critical difference between the user API and OIDC claim information. The sub claim contains a hashed version of the user ID instead of the ID itself (see https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/8018#note_21317804). It is unclear what value this obfuscation adds (the ID is not a secret since it can still be retrieved by other API endpoints). It does make it impossible for OpenShift to use GitLab's OIDC implementation because the hash is based on Rails.application.secrets.secret_key_base, which can change over time. This makes it so that there is no stable ID field for OpenShift to use when mapping identities to users (for example, with the v3 API, we continue to work even if a user changes their GitLab username).
Per http://openid.net/specs/openid-connect-core-1_0.html#ClaimStability:
The sub (subject) and iss (issuer) Claims, used together, are the only Claims that an RP can rely upon as a stable identifier for the End-User, since the sub Claim MUST be locally unique and never reassigned within the Issuer for a particular End-User, as described in Section 2. Therefore, the only guaranteed unique identifier for a given End-User is the combination of the iss Claim and the sub Claim.
As it stands, the sub claim cannot be used as a stable identifier for the user.
What is the current bug behavior?
The value of the sub claim will change if Rails.application.secrets.secret_key_base changes (for example, due to key rotation).
What is the expected correct behavior?
The value of the sub claim should be stable per OAuth client.
Possible fixes
Change the code at https://gitlab.com/gitlab-org/gitlab-ce/blob/583ef9458c5e5c32a14629f5754bc53ed0ad8a33/config/initializers/doorkeeper_openid_connect.rb#L22 to simply use the user.id as the sub claim. If hashing the ID is required, use a per OAuth client salt that can never change.