Merge branch 'add-email-to-oidc-id-token' into 'master'

Add email and email_verified claims to OAuth ID tokens

Closes #21560

See merge request gitlab-org/gitlab!35468

changelogs/unreleased/add-email-to-oidc-id-token.yml

+---
+title: Add email and email_verified claims to OAuth ID token
+merge_request: 35468
+author: André Hänsel
+type: fixed

config/initializers/doorkeeper_openid_connect.rb

@@ -37,10 +37,10 @@ Doorkeeper::OpenidConnect.configure do
       # public email address (if present)
       # This allows existing solutions built for GitLab's old behavior to keep
       # working without modification.
-      o.claim(:email) do |user, scopes|
+      o.claim(:email, response: [:id_token, :user_info]) do |user, scopes|
         scopes.exists?(:email) ? user.email : user.public_email
       end
-      o.claim(:email_verified) do |user, scopes|
+      o.claim(:email_verified, response: [:id_token, :user_info]) do |user, scopes|
         if scopes.exists?(:email)
           user.primary_email_verified?
         elsif user.public_email?

doc/integration/openid_connect_provider.md

@@ -37,11 +37,11 @@ Currently the following user information is shared with clients:
 | `auth_time`      | `integer` | The timestamp for the user's last authentication
 | `name`           | `string`  | The user's full name
 | `nickname`       | `string`  | The user's GitLab username
-| `email`          | `string`  | The user's public email address
-| `email_verified` | `boolean` | Whether the user's public email address was verified
+| `email`          | `string`  | The user's email address<br>This is the user's *primary* email address if the application has access to the `email` claim and the user's *public* email address otherwise
+| `email_verified` | `boolean` | Whether the user's email address was verified
 | `website`        | `string`  | URL for the user's website
 | `profile`        | `string`  | URL for the user's GitLab profile
 | `picture`        | `string`  | URL for the user's GitLab avatar
 | `groups`         | `array`   | Names of the groups the user is a member of
 
-Only the `sub` and `sub_legacy` claims are included in the ID token, all other claims are available from the `/oauth/userinfo` endpoint used by OIDC clients.
+The claims `sub`, `sub_legacy`, `email` and `email_verified` are included in the ID token, all other claims are available from the `/oauth/userinfo` endpoint used by OIDC clients.

spec/requests/openid_connect_spec.rb

@@ -146,8 +146,16 @@ RSpec.describe 'OpenID Connect requests' do
         expect(@payload['auth_time']).to eq user.current_sign_in_at.to_i
       end
 
+      it 'has public email in email claim' do
+        expect(@payload['email']).to eq(user.public_email)
+      end
+
+      it 'has true in email_verified claim' do
+        expect(@payload['email_verified']).to eq(true)
+      end
+
       it 'does not include any unknown properties' do
-        expect(@payload.keys).to eq %w[iss sub aud exp iat auth_time sub_legacy]
+        expect(@payload.keys).to eq %w[iss sub aud exp iat auth_time sub_legacy email email_verified]
       end
     end
 
@@ -211,5 +219,20 @@ RSpec.describe 'OpenID Connect requests' do
         expect(json_response['email_verified']).to eq(true)
       end
     end
+
+    context 'ID token payload' do
+      before do
+        request_access_token!
+        @payload = JSON::JWT.decode(json_response['id_token'], :skip_verification)
+      end
+
+      it 'has private email in email claim' do
+        expect(@payload['email']).to eq(user.email)
+      end
+
+      it 'has true in email_verified claim' do
+        expect(@payload['email_verified']).to eq(true)
+      end
+    end
   end
 end