When oauth.provider is set to oidc, Vouch assumes that either username or email exists in the UserInfo response. If neither exists (as is the case with GitLab when scope=openid), structs.User.Username is the empty string and the /validate endpoint fails with "no User found in jwt".
Furthermore, the username (or email) claim is used as a unique identifier for the user (e.g., in the user whitelist). This is forbidden by section 5.7 of the core spec: "The sub (subject) and iss (issuer) Claims, used together, are the only Claims that an RP can rely upon as a stable identifier for the End-User, [...] other Claims such as email, phone_number, and preferred_username MUST NOT be used as unique identifiers for the End-User."
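One way an RP can follow section 5.7 and also survive a UserInfo response with no username or email, shown in Go as an added example (not vouch-proxy's own code; the Claims type, the sampleGitLabUserInfo payload and the `|` separator are this example's assumptions): identity and the whitelist are keyed on (iss, sub), and email is only a display label.

```go
package main

import (
	"encoding/json"
	"errors"
)
// Claims is a subset of OIDC claims; the field names are this example's own,
// not vouch-proxy's structs.User.
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Email string `json:"email"`
}
// Constructed UserInfo response resembling GitLab with scope=openid:
// no username or email claim, only iss and sub.
const sampleGitLabUserInfo = `{"iss":"https://gitlab.example","sub":"1234"}`

// StableID returns the only identifier OIDC Core 5.7 lets an RP rely on,
// the (iss, sub) pair. Either one missing means the user cannot be identified.
func StableID(c Claims) (string, error) {
	if c.Iss == "" || c.Sub == "" {
		return "", errors.New("UserInfo lacks iss or sub; cannot identify user")
	}
	return c.Iss + "|" + c.Sub, nil
}
// Identify parses a UserInfo body into a stable ID plus a display label. The
// label is for UI and logs only; it must never drive authorization.
func Identify(raw []byte) (id, label string, err error) {
	var c Claims
	if err = json.Unmarshal(raw, &c); err != nil {
		return "", "", err
	}
	if id, err = StableID(c); err != nil {
		return "", "", err
	}
	label = c.Sub // fallback: GitLab with scope=openid sends no email or username
	if c.Email != "" {
		label = c.Email
	}
	return id, label, nil
}

// IsWhitelisted keys the whitelist on the stable ID, never on email/username.
func IsWhitelisted(c Claims, allowed map[string]bool) (bool, error) {
	id, err := StableID(c)
	if err != nil {
		return false, err
	}
	return allowed[id], nil
}
```

With this shape, the GitLab case above yields a usable identity ("https://gitlab.example|1234") instead of an empty username, and an email change at the IdP neither grants nor revokes whitelist access.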