Gitlab OIDC registration does not work anymore

[david972]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• This issue affects my Ory Network project.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Describe the bug

Since the additional claim verification, add OIDC Gitlab provider does not work anymore.
Gitlab does not provide issuer into the claim

Reproducing the bug

Steps to reproduce the behaviour:

1. configure OIDC with gitlab provider
2. try to register with gitlab

Relevant log output

time=2023-01-22T18:15:39Z level=error msg=An error occurred and is being forwarded to the error user interface. func=github.com/ory/x/logrusx.(*Logger).Logf file=/go/pkg/mod/github.com/ory/x@v0.0.531/logrusx/helper.go:125 audience=application error=map[debug: message:An internal server error occurred, please contact the system administrator reason:issuer not set in claims stack_trace:
github.com/ory/kratos/selfservice/strategy/oidc.(*Claims).Validate
	/go/src/github.com/ory/kratos/selfservice/strategy/oidc/provider.go:64
github.com/ory/kratos/selfservice/strategy/oidc.(*Strategy).handleCallback

Relevant configuration

No response

Version

0.11.1

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Kubernetes

Additional Context

No response

[nodakai]

My quick guess is that the merging logic should be fixed?

/oauth/token returns something like

{
  "access_token":"REDACTED",
  "token_type":"Bearer",
  "expires_in":7200,
  "refresh_token":"REDACTED",
  "scope":"openid",
  "created_at":1674539539,
  "id_token":"..."
}

where id_token is a JWT with a payload like

{
  "iss": "https://gitlab.com",
  "sub": "10861498",
  "aud": "my OIDC app/client ID in hex",
  "exp": 1674539659,
  "iat": 1674539539,
  "auth_time": 1674491362,
  "sub_legacy": "2ee1005759d96b7b00158b3bcfa74d0197e993e8ece97f97ea84c1e4d0c8c12b",
  "email": "nodakai@gmail.com",
  "email_verified": true,
  "groups_direct": [
    "REDACTED"
  ]
}

Note it does contain iss.

However /oauth/userinfo returns

{
  "sub": "10861498",
  "sub_legacy": "2ee1005759d96b7b00158b3bcfa74d0197e993e8ece97f97ea84c1e4d0c8c12b",
  "name": "Kai Noda",
  "nickname": "nodakai",
  "preferred_username": "nodakai",
  "email": "nodakai@gmail.com",
  "email_verified": true,
  "profile": "https://gitlab.com/nodakai",
  "picture": "https://gitlab.com/uploads/-/system/user/avatar/10861498/avatar.png",
  "groups": [
    "REDACTED"
  ],
  "https://gitlab.org/claims/groups/owner": [
    "REDACTED"
  ]
}

without iss (which, kind of, makes sense as it's a JSON payload of a REST API, it's obvious who issued it...)

[david972]

your proposal sound good to me

[Leon0402]

I'm running into the same issue

[aeneasr]

This seems like a regression from our fixes to potentially incorrect issuer/subject data coming from upstream providers (happened during the facebook outage). fyi @jonas-jonas @CaptainStandby

[thesuzerain]

I am still getting this on kratos v0.13.0 and the current version of Ory Network (made a new project from scratch and still get). Is it possible this is still an issue, or is there any other cause?

issuer not set in claims