Don't hash user ID in OIDC subject claim
What does this MR do?
Stop hashing the user ID in the OIDC sub (subject) claim and return the DB ID directly.
Are there points in the code the reviewer needs to double check?
This change could break existing apps that are already storing the value for identification purposes. To make migration possible we could also add the old sub value to the ID token under another key (let me know if this is desired, and what name you propose e.g. sub_legacy).
Why was this MR needed?
@monis in https://gitlab.com/gitlab-org/gitlab-ce/issues/47791:
The
subclaim contains a hashed version of the user ID instead of ID itself (see https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/8018#note_21317804). It is unclear what value this obfuscation adds (the ID is not a secret since it can still be retrieved by other API endpoints). It does make it impossible for OpenShift to use GitLab's OIDC implementation because the hash is based onRails.application.secrets.secret_key_base, which can change over time. This makes it so that there is no stable ID field for OpenShift to use when mapping identities to users (for example, with the v3 API, we continue to work even if a user changes their GitLab username).
Does this MR meet the acceptance criteria?
-
Changelog entry added, if necessary -
Documentation created/updated -
API support added -
Tests added for this feature/bug - Conform by the code review guidelines
-
Has been reviewed by a UX Designer -
Has been reviewed by a Frontend maintainer -
Has been reviewed by a Backend maintainer -
Has been reviewed by a Database specialist
-
-
Conform by the merge request performance guides -
Conform by the style guides -
If you have multiple commits, please combine them into a few logically organized commits by squashing them -
Internationalization required/considered -
End-to-end tests pass ( package-and-qamanual pipeline job)
What are the relevant issue numbers?
Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/47791
/cc @DouweM