authorDouwe Maan <douwe@gitlab.com>2018-06-28 14:59:36 +0000
committerDouwe Maan <douwe@gitlab.com>2018-06-28 14:59:36 +0000
commit6be703dd59cd35fb94ee4496a2d52af696d8cd70 (patch)
treec7c7721420fea3f07a4ff0bee48c57b5e703b017 /config
parent50a213112ee422bea6673cf15a8c4829ac8700ee (diff)
parent904b6dd0834868ec260f40077623463926114373 (diff)
Merge branch 'feature/oidc-subject-claim' into 'master'
Don't hash user ID in OIDC subject claim. Closes #47791. See merge request gitlab-org/gitlab-ce!19784
Diffstat (limited to 'config')
-rw-r--r--config/initializers/doorkeeper_openid_connect.rb9
1 files changed, 7 insertions, 2 deletions
diff --git a/config/initializers/doorkeeper_openid_connect.rb b/config/initializers/doorkeeper_openid_connect.rb
index 98e1f6e830f..ae5d834a02c 100644
--- a/config/initializers/doorkeeper_openid_connect.rb
+++ b/config/initializers/doorkeeper_openid_connect.rb
@@ -18,12 +18,17 @@ Doorkeeper::OpenidConnect.configure do
end
subject do |user|
- # hash the user's ID with the Rails secret_key_base to avoid revealing it
- Digest::SHA256.hexdigest "#{user.id}-#{Rails.application.secrets.secret_key_base}"
+ user.id
end
claims do
with_options scope: :openid do |o|
+ o.claim(:sub_legacy, response: [:id_token, :user_info]) do |user|
+ # provide the previously hashed 'sub' claim to allow third-party apps
+ # to migrate to the new unhashed value
+ Digest::SHA256.hexdigest "#{user.id}-#{Rails.application.secrets.secret_key_base}"
+ end
+
o.claim(:name) { |user| user.name }
o.claim(:nickname) { |user| user.username }
o.claim(:email) { |user| user.public_email }