1 files changed, 21 insertions, 2 deletions

diff --git a/config/initializers/doorkeeper_openid_connect.rb b/config/initializers/doorkeeper_openid_connect.rb
index e97c0fcbd6b..fd5a62c39c6 100644
--- a/config/initializers/doorkeeper_openid_connect.rb
+++ b/config/initializers/doorkeeper_openid_connect.rb
@@ -31,8 +31,27 @@ Doorkeeper::OpenidConnect.configure do
 
       o.claim(:name)           { |user| user.name }
       o.claim(:nickname)       { |user| user.username }
-      o.claim(:email)          { |user| user.public_email }
-      o.claim(:email_verified) { |user| true if user.public_email? }
+
+      # Check whether the application has access to the email scope, and grant
+      # access to the user's primary email address if so, otherwise their
+      # public email address (if present)
+      # This allows existing solutions built for GitLab's old behavior to keep
+      # working without modification.
+      o.claim(:email) do |user, scopes|
+        scopes.exists?(:email) ? user.email : user.public_email
+      end
+      o.claim(:email_verified) do |user, scopes|
+        if scopes.exists?(:email)
+          user.primary_email_verified?
+        elsif user.public_email?
+          user.verified_email?(user.public_email)
+        else
+          # If there is no public email set, tell doorkicker-openid-connect to
+          # exclude the email_verified claim by returning nil.
+          nil
+        end
+      end
+
       o.claim(:website)        { |user| user.full_website_url if user.website_url? }
       o.claim(:profile)        { |user| Gitlab::Routing.url_helpers.user_url user }
       o.claim(:picture)        { |user| user.avatar_url(only_path: false) }