Don't hash user ID in OIDC subject claim

author: Markus Koller <markus.koller.ext@siemens.com> 2018-06-13 22:32:21 +0200
committer: Markus Koller <markus.koller.ext@siemens.com> 2018-06-28 15:31:47 +0200
commit: 904b6dd0834868ec260f40077623463926114373 (patch)
tree: 0b8070ec9c13908bfd9e72b3c832641b71a86340 /config
parent: f63e234b57e07e2020f9698f48c9515905d4b6a3 (diff)
download: gitlab-ce-904b6dd0834868ec260f40077623463926114373.tar.gz
1 files changed, 7 insertions, 2 deletions
diff --git a/config/initializers/doorkeeper_openid_connect.rb b/config/initializers/doorkeeper_openid_connect.rb
index 98e1f6e830f..ae5d834a02c 100644
--- a/config/initializers/doorkeeper_openid_connect.rb
+++ b/config/initializers/doorkeeper_openid_connect.rb
@@ -18,12 +18,17 @@ Doorkeeper::OpenidConnect.configure do
   end
 
   subject do |user|
-    # hash the user's ID with the Rails secret_key_base to avoid revealing it
-    Digest::SHA256.hexdigest "#{user.id}-#{Rails.application.secrets.secret_key_base}"
+    user.id
   end
 
   claims do
     with_options scope: :openid do |o|
+      o.claim(:sub_legacy, response: [:id_token, :user_info]) do |user|
+        # provide the previously hashed 'sub' claim to allow third-party apps
+        # to migrate to the new unhashed value
+        Digest::SHA256.hexdigest "#{user.id}-#{Rails.application.secrets.secret_key_base}"
+      end
+
       o.claim(:name)           { |user| user.name }
       o.claim(:nickname)       { |user| user.username }
       o.claim(:email)          { |user| user.public_email  }
author	Markus Koller <markus.koller.ext@siemens.com>	2018-06-13 22:32:21 +0200
committer	Markus Koller <markus.koller.ext@siemens.com>	2018-06-28 15:31:47 +0200
commit	904b6dd0834868ec260f40077623463926114373 (patch)
tree	0b8070ec9c13908bfd9e72b3c832641b71a86340 /config
parent	f63e234b57e07e2020f9698f48c9515905d4b6a3 (diff)
download	gitlab-ce-904b6dd0834868ec260f40077623463926114373.tar.gz