OIDC sub claim is not stable
I work on the OpenShift Auth team. A recent issue https://github.com/openshift/origin/issues/19937 brought the deprecation of the v3 API to my attention (used in https://docs.openshift.org/latest/install_config/configuring_authentication.html#GitLab). While it was ultimately decided to restore the v3 user endpoint https://gitlab.com/gitlab-org/gitlab-ce/issues/47565#note_80751232 (thanks!), I assume at some point we will need to move off that API. In general we do not want to use deprecated APIs.

While I was looking into moving to the v4 API, I noticed that GitLab supports OIDC. This is the ideal long-term solution for OpenShift since it removes GitLab-specific logic and instead turns the integration into simple configuration based on the OIDC spec (which hopefully will not change over time). However, there is one critical difference between the user API and the OIDC claim information: the sub claim contains a hashed version of the user ID instead of the ID itself (see https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/8018#note_21317804). It is unclear what value this obfuscation adds (the ID is not a secret, since it can still be retrieved through other API endpoints). It does, however, make it impossible for OpenShift to use GitLab's OIDC implementation, because the hash is based on Rails.application.secrets.secret_key_base, which can change over time. As a result there is no stable ID field for OpenShift to use when mapping identities to users (for comparison, with the v3 API we continue to work even if a user changes their GitLab username).
From the OpenID Connect Core spec (section 5.7, Claim Stability and Uniqueness): "The sub (subject) and iss (issuer) Claims, used together, are the only Claims that an RP can rely upon as a stable identifier for the End-User, since the sub Claim MUST be locally unique and never reassigned within the Issuer for a particular End-User, as described in Section 2. Therefore, the only guaranteed unique identifier for a given End-User is the combination of the iss Claim and the sub Claim."

As it stands, the sub claim cannot be used as a stable identifier for the user.
What is the current bug behavior?
The value of the sub claim will change if Rails.application.secrets.secret_key_base changes (for example, due to key rotation).
What is the expected correct behavior?
The value of the sub claim should be stable per OAuth client.
Change the code at https://gitlab.com/gitlab-org/gitlab-ce/blob/583ef9458c5e5c32a14629f5754bc53ed0ad8a33/config/initializers/doorkeeper_openid_connect.rb#L22 to simply use the user.id as the sub claim. If hashing the ID is required, use a per-OAuth-client salt that can never change.