Custom scopes for GitLab as OpenID Connect identity provider
Problem to solve
GitLab can already act as an OIDC provider. However, the OIDC scopes it issues are hardcoded, and there is no way to add custom scopes.
It may be desirable for GitLab to allow project maintainers to attach custom scopes to CI and deploy tokens. That would let CI/CD processes authenticate to external systems with a token issued by GitLab instead of a shared secret, which is the better alternative when one is available.
Target audience
DevOps Engineer, Software Developer
Further details
n/a
Proposal
I would propose that GitLab allow project maintainers to add custom scopes to CI and deploy tokens.
One use case for me would be to have GitLab CI authenticate against an internal pypiserver instance which we use to store our internal Python packages, without having to use a shared secret between the two systems.
My pypiserver instance could act as an OIDC client, and my GitLab CI jobs could authenticate against it with a valid access token, and authorize with an agreed upon scope, i.e. <project-slug>-pypi or whatever.
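To show what the receiving side of this proposal would have to do, here is an added example (not GitLab's or pypiserver's code) of how a package server could authorize a request from a CI job by checking the access token's signature, issuer, audience, expiry and the agreed-upon scope. Everything in it is constructed: the issuer URL, the audience name, the HS256 demo key and the scope `my-project-pypi` (standing in for `<project-slug>-pypi`) are all assumptions. A real OIDC provider signs tokens with RS256 and the server would verify them against the provider's published JWKS rather than sharing an HMAC key; the claim checks that follow the signature check are the same either way.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Tuple

# Constructed demo key: stands in for the provider's signing key. A real
# deployment verifies an RS256 signature against the provider's JWKS instead.
DEMO_SIGNING_KEY = b"constructed-demo-key-not-for-production"
EXPECTED_ISSUER = "https://gitlab.example.test"   # hypothetical issuer
EXPECTED_AUDIENCE = "internal-pypi"               # hypothetical OIDC client id


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that JWT encoding strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims: dict, key: bytes = DEMO_SIGNING_KEY) -> str:
    """Build an HS256 JWT carrying `claims` (constructed test data only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def authorize_request(token: str, required_scope: str, *,
                      key: bytes = DEMO_SIGNING_KEY,
                      now: float = None) -> Tuple[bool, str]:
    """Return (True, subject) if the token is valid and carries the scope,
    otherwise (False, reason). Order matters: signature first, then claims."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed token"
    # Pin the algorithm; never let the token pick how it is verified.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "wrong issuer"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in aud:
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    # OIDC carries granted scopes as a space-separated string.
    if required_scope not in claims.get("scope", "").split():
        return False, "missing scope"
    return True, claims.get("sub", "")


if __name__ == "__main__":
    t0 = 1_700_000_000
    ok_token = mint_demo_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                                "sub": "job-42", "exp": t0 + 600,
                                "scope": "openid my-project-pypi"})
    print(authorize_request(ok_token, "my-project-pypi", now=t0))
```

The check is deliberately all-or-nothing: a token that is validly signed but lacks the project's scope is rejected with "missing scope", which is the property the proposal relies on to keep one project's CI jobs from publishing to another project's package index.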
What does success look like, and how can we measure that?
As a GitLab user, I would like to be able to add custom scopes to CI and deploy tokens.