OpenID Connect certification for gitlab.com
# Background
GitLab implements an OpenID Connect provider ("OP") using the [`doorkeeper-openid_connect`](https://github.com/doorkeeper-gem/doorkeeper-openid_connect) gem. This provides the server-side part of the OIDC flow, and is enabled by default in Omnibus and [active on gitlab.com](https://gitlab.com/.well-known/openid-configuration).
The OpenID Foundation provides certification for specific deployments. This involves provisioning a client app at https://op.certification.openid.net:60000/ and collecting the results.
The certification also requires a fee:
> A fee is required for certifications of both OpenID Providers and Relying Parties, unless the certification profile is still in the pilot phase. The fee is intentionally low, to encourage participation, but is there to help cover the ongoing costs of operating the certification program. The price to OpenID foundation members is US$ 200.00 per deployment. The price to non-members is US$ 999.00 for certifying a new deployment. However, the non-member price for certifying a new deployment of an already-certified implementation is only US$ 499.00.
Benefits for getting gitlab.com certified:
- Ensure we're conforming with the OIDC specs
- Get listed as a certified provider
- Reduce the work/fee for customers who want to get their own deployments certified
  - e.g. Siemens, who [originally contributed the OIDC implementation](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/8018), would be very interested in this (/cc @bufferoverflow)
Relevant links:
- https://openid.net/certification/
- https://openid.net/certification/instructions/
- https://openid.net/certification/faq/
# Proposal
- Get certified under the "Basic OP" profile
- Investigate whether we qualify for the "Implicit OP", "Hybrid OP", and "Config OP" profiles as well (as far as I remember, this might already be the case, or possible with some minor changes to either our configuration or the upstream gem)
- As for "Dynamic OP", this involves functionality to automatically provision OAuth apps, which is not implemented yet in the upstream gem and would require major work
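To make the profile investigation concrete, here is an added helper (not part of this issue or of doorkeeper-openid_connect) that reads an OIDC discovery document and reports which certification profiles the advertised `response_types_supported` and endpoints could qualify for. The document below is a constructed sample in the shape the gem publishes, not the live gitlab.com response; it is a prerequisite check, not the conformance suite itself.

```python
"""Check which OIDC conformance profiles a provider's discovery document
could support, based on the response types and endpoints it advertises."""
import json

# Response types exercised by each OP certification profile (OIDC Core 3.1-3.3).
PROFILE_RESPONSE_TYPES = {
    "Basic OP": {"code"},
    "Implicit OP": {"id_token", "id_token token"},
    "Hybrid OP": {"code id_token", "code token", "code id_token token"},
}

# Metadata every discovery document must carry (OIDC Discovery 1.0, section 3).
REQUIRED_FIELDS = {"issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
                   "response_types_supported", "subject_types_supported",
                   "id_token_signing_alg_values_supported"}

def normalize(response_type):
    # "id_token token" and "token id_token" are the same response type;
    # the order of the space-separated values is not significant.
    return " ".join(sorted(response_type.split()))

def profile_candidates(discovery):
    """Return {profile name: bool} saying whether the document advertises
    what that profile needs. Config OP only needs a complete discovery
    document; Dynamic OP additionally needs a registration_endpoint."""
    supported = {normalize(rt) for rt in discovery.get("response_types_supported", [])}
    result = {profile: all(normalize(rt) in supported for rt in needed)
              for profile, needed in PROFILE_RESPONSE_TYPES.items()}
    result["Config OP"] = REQUIRED_FIELDS.issubset(discovery)
    result["Dynamic OP"] = "registration_endpoint" in discovery
    return result

# Constructed sample (hypothetical issuer, made-up values) in the shape
# doorkeeper-openid_connect publishes at /.well-known/openid-configuration.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://op.example",
  "authorization_endpoint": "https://op.example/oauth/authorize",
  "token_endpoint": "https://op.example/oauth/token",
  "userinfo_endpoint": "https://op.example/oauth/userinfo",
  "jwks_uri": "https://op.example/oauth/discovery/keys",
  "response_types_supported": ["code"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"]
}""")

if __name__ == "__main__":
    for profile, ok in profile_candidates(SAMPLE_DISCOVERY).items():
        print(f"{profile}: {'candidate' if ok else 'not advertised'}")
```

Pointing the same function at a real discovery document fetched from the provider shows at a glance which profiles are worth submitting and which need configuration or gem changes first.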