.well-known/openid-configuration missing supported claims

Problem

The well-known OIDC configuration endpoint returns an incomplete list in claims_supported. The endpoint omits the GitLab CI/CD-specific claims that are documented in the ID Token Authentication documentation.

Original report: https://forum.gitlab.com/t/well-known-openid-configuration-missing-supported-claims/93780/1

Current State

The .well-known/openid-configuration endpoint currently returns these claims:

[
  "sub",
  "auth_time",
  "name",
  "nickname",
  "preferred_username",
  "email",
  "email_verified",
  "website",
  "profile",
  "picture",
  "groups",
  "groups_direct",
  "https://gitlab.org/claims/groups/owner",
  "https://gitlab.org/claims/groups/maintainer",
  "https://gitlab.org/claims/groups/developer"
]

Missing Claims

The following CI/CD-specific claims are missing from the discovery endpoint but are available in GitLab ID tokens:

  • project_id
  • project_path
  • namespace_id
  • namespace_path
  • user_id
  • user_login
  • user_email
  • user_access_level
  • job_project_id
  • job_project_path
  • job_namespace_id
  • job_namespace_path
  • user_identities
  • pipeline_id
  • pipeline_source
  • job_id
  • ref
  • ref_type
  • ref_path
  • ref_protected
  • environment
  • environment_protected
  • deployment_tier
  • environment_action
  • runner_id
  • runner_environment
  • sha
  • ci_config_ref_uri
  • ci_config_sha
  • project_visibility

Impact

This discrepancy affects:

  1. SLSA Phase 4 implementation - the missing claims are a blocker for SLSA Phase 4 work
  2. Trusted Publisher integrations - External services like PyPI that rely on the discovery endpoint for claim validation
  3. Third-party OIDC clients - Services that use the discovery endpoint to understand available claims for monitoring/alerting

Technical Context

GitLab has multiple OIDC implementations sharing the same discovery endpoint:

  1. GitLab as IdP (owned by group::authentication) - User authentication claims
  2. GitLab as CI provider (owned by group::pipeline security) - CI/CD workflow claims

Related Work

Acceptance Criteria

  • The .well-known/openid-configuration endpoint includes all CI/CD claims documented in the ID Token Authentication guide
  • External services can discover and validate all available GitLab OIDC claims
  • The solution addresses the architectural considerations around multiple OIDC implementations
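As an added example (not GitLab's code), a small Python check that a relying party or a reviewer of this issue could run: it diffs a discovery document's claims_supported against the CI/CD claims listed above, and shows which claims of a trusted-publisher style trust policy are undiscoverable. The discovery JSON and the policy are constructed here to mirror the current response quoted in this issue.

```python
import json

# CI/CD claims documented for GitLab ID tokens (the list from this issue).
CI_CLAIMS = [
    "project_id", "project_path", "namespace_id", "namespace_path",
    "user_id", "user_login", "user_email", "user_access_level",
    "job_project_id", "job_project_path", "job_namespace_id",
    "job_namespace_path", "user_identities", "pipeline_id",
    "pipeline_source", "job_id", "ref", "ref_type", "ref_path",
    "ref_protected", "environment", "environment_protected",
    "deployment_tier", "environment_action", "runner_id",
    "runner_environment", "sha", "ci_config_ref_uri", "ci_config_sha",
    "project_visibility",
]

# Constructed discovery document mirroring the current endpoint response.
CURRENT_DISCOVERY = json.dumps({
    "issuer": "https://gitlab.example.com",  # constructed issuer
    "claims_supported": [
        "sub", "auth_time", "name", "nickname", "preferred_username", "email",
        "email_verified", "website", "profile", "picture", "groups",
        "groups_direct", "https://gitlab.org/claims/groups/owner",
        "https://gitlab.org/claims/groups/maintainer",
        "https://gitlab.org/claims/groups/developer",
    ],
})

# Constructed trust policy in the style of a trusted-publisher binding:
# claim name -> expected value a relying party would require on the ID token.
TRUSTED_PUBLISHER_POLICY = {
    "sub": "project_path:org/app:ref_type:branch:ref:main",
    "project_path": "org/app",
    "ref_protected": "true",
    "environment": "release",
}


def advertised_claims(discovery_doc: str) -> set[str]:
    """Claims the discovery document says the issuer can emit."""
    return set(json.loads(discovery_doc).get("claims_supported", []))


def missing_ci_claims(discovery_doc: str) -> list[str]:
    """Documented CI/CD claims absent from claims_supported, in documented order."""
    advertised = advertised_claims(discovery_doc)
    return [c for c in CI_CLAIMS if c not in advertised]


def undiscoverable_policy_claims(policy: dict, discovery_doc: str) -> list[str]:
    """Policy claims a relying party that trusts only advertised claims cannot enforce."""
    advertised = advertised_claims(discovery_doc)
    return sorted(c for c in policy if c not in advertised)


def with_ci_claims(discovery_doc: str) -> str:
    """Return the document with the CI/CD claims appended (the acceptance criterion)."""
    doc = json.loads(discovery_doc)
    doc["claims_supported"] += missing_ci_claims(discovery_doc)
    return json.dumps(doc)
```

Running missing_ci_claims on the current document reports all thirty CI/CD claims, and the policy check flags environment, project_path and ref_protected as undiscoverable until the endpoint is fixed.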
Edited by Aboobacker MK