# talk-kratos
e
Hello all, I am using Kratos, and GitLab OIDC is the only login/signup method enabled. When I use it with GitLab.com, everything works as expected with the following configuration:
```yaml
oidc:
  enabled: true
  config:
    providers:
      - id: gitlab
        provider: gitlab
        client_id: REDACTED
        client_secret: REDACTED
        mapper_url: file:///etc/config/kratos/oidc.gitlab.jsonnet
        scope:
          - openid
          - email
```
Output in logs (it works!):
```text
mapper_jsonnet_output={
  "identity": {
    "traits": {
      "email": "REDACTED",
      "full_name": "REDACTED",
      "picture": "REDACTED",
      "username": "REDACTED",
      "website": "REDACTED"
    }
  }
}
```
But when I try to use a self-hosted GitLab, on the same version as GitLab.com, it doesn't behave the same way. This is my configuration:
```yaml
oidc:
  enabled: true
  config:
    providers:
      - id: gitlab_REDACTED
        provider: generic
        issuer_url: https://gitlab.REDACTED
        client_id: REDACTED
        client_secret: REDACTED
        mapper_url: file:///etc/config/kratos/oidc.REDACTED.jsonnet
        scope:
          - openid
          - email
```
In this case it doesn't work, even with a user that has several fields set in the self-hosted version (nickname, website, picture, ...). Only the email seems to be found in the claims. Here is the output in the logs:
```text
mapper_jsonnet_output={
  "identity": {
    "traits": {
      "email": "REDACTED"
    }
  }
}
```
In both cases, my mapper Jsonnet configuration is the same:
```jsonnet
local claims = {
  email_verified: false,
} + std.extVar('claims');

{
  identity: {
    traits: {
      // Allowing unverified email addresses enables account
      // enumeration attacks, especially if the value is used for
      // e.g. verification or as a password login identifier.
      //
      // Therefore we only return the email if it (a) exists and (b) is marked verified
      // by GitLab.
      [if "email" in claims && claims.email_verified then "email" else null]: claims.email,
      [if "nickname" in claims then "username" else null]: claims.nickname,
      [if "name" in claims then "full_name" else null]: claims.name,
      [if "website" in claims then "website" else null]: claims.website,
      [if "picture" in claims then "picture" else null]: claims.picture,
    },
  },
}
```
I tried with several user accounts on the self-hosted version and with several self-hosted versions.
• Does anyone have any idea why the behavior is different?
• Does anyone know how I can display, for debugging, all the claims available in the Jsonnet mapper?
I found the solution! If anyone is interested in the answer: instead of using the `generic` provider, I needed to use the `gitlab` provider, even for a self-hosted instance. This is because Kratos has specific behavior for GitLab:
> GitLab returns only the sub and sub_legacy claims in the id_token. Ory makes a request to GitLab's /oauth/userinfo API and adds the user info to std.extVar('claims').
That was indeed missing when I used the `generic` provider type.
m
Hah, great 🙂 Yes, a lot of OIDC providers do have some custom behaviour; glad you figured it out.