Expose groups and email in OIDC id_token
Description
When using GitLab as an OpenID Connect provider for Kubernetes, it is not possible to set user- or group-level permissions, because Kubernetes checks only the id_token (it does not call the userinfo endpoint).
Proposal
It would be very useful to expose the user's email address and GitLab groups in the id_token, so they could be used to set RBAC permissions in Kubernetes with --oidc-groups-claim groups and --oidc-username-claim email.
- Add a "group" scope, that when enabled adds a groups claim in the id_token
- Add an "email" scope, that when enabled includes an email claim in the id_token
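To check whether a given id_token actually carries the claims those kube-apiserver flags need, here is an added example (not GitLab's or Kubernetes' code) that reads the username and groups from the id_token payload alone, the way the API server does, and reports which configured claims are absent. The helper names and the sample token are constructed for this illustration; the payload is inspected without signature verification, so use it only for diagnosing claim contents, not for authentication.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_id_token(payload: dict) -> str:
    # Constructed sample token (hypothetical helper): header.payload.dummy-signature,
    # enough to exercise claim inspection; it would never pass a real verifier.
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"


def k8s_identity_from_id_token(id_token: str,
                               username_claim: str = "email",
                               groups_claim: str = "groups") -> dict:
    """Mirror how kube-apiserver resolves --oidc-username-claim / --oidc-groups-claim:
    only the id_token payload is consulted, never the userinfo endpoint.
    Signature is NOT checked here; this is a diagnostic for claim presence."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT id_token")
    claims = json.loads(_b64url_decode(parts[1]))
    username = claims.get(username_claim)
    groups = claims.get(groups_claim, [])
    if not isinstance(groups, list):
        raise ValueError(f"{groups_claim!r} claim must be a JSON array of strings")
    missing = [c for c in (username_claim, groups_claim) if c not in claims]
    # Without the username claim the API server rejects the token outright;
    # without the groups claim the user authenticates but gets no group bindings.
    return {"username": username, "groups": groups, "missing": missing}


if __name__ == "__main__":
    # Token shaped as this proposal asks for (constructed values).
    good = make_unsigned_id_token({"sub": "42", "email": "dev@example.com",
                                   "groups": ["team-a", "team-a/platform"]})
    print(k8s_identity_from_id_token(good))
    # Token with only the subject claim: the situation the issue describes.
    bare = make_unsigned_id_token({"sub": "42"})
    print(k8s_identity_from_id_token(bare))
```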