Draft: Cloud Connector with user JWT?
Based on [Investigation] Client <> AI Gateway Architectu... (gitlab-org/gitlab#434063), I created a sequence diagram that will potentially allow us to have a flow similar to SaaS, allowing direct calls to CC/AiGateway from the client.
```mermaid
sequenceDiagram
autonumber
actor C as Client (IDE)
participant G as GitLab
participant CD as CustomersDot
box rgb(245, 245, 245) cloud.gitlab.com
participant CC as CloudConnector
participant AI as AI Gateway
end
rect rgba(179, 240, 255, .2)
alt SM instance?
Note over G,CD: Daily instance JWT refresh (sync job)
loop Sync instance service token (daily)
activate G
G->>CD: POST `graphql/serviceToken`<br>with `licenseKey`
activate CD
CD->>CD: Verify cloud license and that the Code Suggestions add-on is purchased
CD-->>G: return instance JWT, expires in 3 days
deactivate CD
G->>G: store the instance JWT in the database
deactivate G
end
end
end
rect rgba(179, 240, 255, .2)
Note over C,CC: End user authentication
activate C
C->>G: POST `/cloud_connector_auth`<br>with PAT
activate G
G->>G: authenticate with PAT
G->>G: verify user is assigned a seat
alt SM instance?
G->>CC: POST cloud.gitlab.com/cloud_connector_auth<br>with instance JWT
activate CC
alt no cached public keys?
CC->>CD: GET .well-known/openid-configuration
activate CD
CD-->>CC: JWK URI
CC->>CD: GET oauth/discovery/keys
CD-->>CC: public keys
deactivate CD
end
CC->>CC: verify instance JWT signature and expiry<br>with CustomersDot public keys
CC->>CC: issue `user_jwt`, expires: 1h
CC-->>G: return `user_jwt`
deactivate CC
else SaaS?
G->>G: issue `user_jwt`, expires: 1h
end
G-->>C: return `user_jwt`
deactivate G
C->>C: store `user_jwt`
deactivate C
end
rect rgba(179, 240, 255, .2)
Note over C,AI: Code suggestions requests
loop Each code suggestions request
activate C
alt token is about to expire?
C->>G: POST `/cloud_connector_auth`<br>with PAT
activate G
alt SM instance?
G->>CC: POST cloud.gitlab.com/cloud_connector_auth<br>with instance JWT
activate CC
alt no cached public keys?
CC->>CD: GET .well-known/openid-configuration
activate CD
CD-->>CC: JWK URI
CC->>CD: GET oauth/discovery/keys
CD-->>CC: public keys
deactivate CD
end
CC->>CC: verify instance JWT signature and expiry<br>with CustomersDot public keys
CC->>CC: issue `user_jwt`, expires: 1h
CC-->>G: return `user_jwt`, expires: 1h
deactivate CC
else SaaS?
G->>G: issue `user_jwt`, expires: 1h
end
G-->>C: return `user_jwt`, expires: 1h
deactivate G
end
critical request completions with `user_jwt`
C->>CC: POST cloud.gitlab.com/ai/completions<br>with `user_jwt`
activate CC
alt no cached public keys?
alt SM instance?
CC->>CC: use own (CloudConnector) public keys
else SaaS?
CC->>G: GET .well-known/openid-configuration
activate G
G-->>CC: JWK URI
CC->>G: GET oauth/discovery/keys
G-->>CC: public keys
deactivate G
end
end
CC->>CC: verify `user_jwt` signature and expiry<br>with CloudConnector (SM) or GitLab (SaaS) public keys
CC->>AI: POST codesuggestions.gitlab.com/completions
activate AI
AI-->>CC: Response
deactivate AI
CC-->>C: Response
deactivate CC
end
deactivate C
end
end
```
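To make the CloudConnector side of the diagram concrete, here is an added Go example (not GitLab's or the Cloud Connector's own code) that walks the SM branch end to end: verify the CustomersDot-signed instance JWT against keys obtained from the JWK URI (cached in a `KeySet`, which stands in for the JWKS document), mint the 1h `user_jwt`, and on `/ai/completions` verify that token with CloudConnector's own keys or GitLab.com's keys depending on which issuer it names. The issuer and audience strings, the `kid` values, the `code_suggestions` claim carrying the add-on entitlement, and the `gitlab_instance` claim are all assumptions made for the example; the keys are generated on the fly and the claims are constructed sample data.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Assumed issuer/audience names for this example, not GitLab's real values.
const issCustomersDot, issCloudConnector, issGitLabSaaS, audAIGateway = "customers.gitlab.com", "cloud.gitlab.com", "gitlab.com", "gitlab-ai-gateway"
var b64 = base64.RawURLEncoding // JWT segments are base64url without padding
// KeySet stands in for a JWKS document fetched from oauth/discovery/keys: kid -> public key.
type KeySet map[string]*rsa.PublicKey
// seg decodes one base64url JWT segment into v; false on any decoding error.
func seg(s string, v any) bool { raw, err := b64.DecodeString(s); return err == nil && json.Unmarshal(raw, v) == nil }

// sign produces a compact RS256 JWT carrying the signing key's kid in the header.
func sign(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return signing + "." + b64.EncodeToString(sig)
}

// verify checks alg, kid, signature, exp, iss and aud; any failure rejects the token.
func verify(token string, keys KeySet, iss, aud string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	var claims map[string]any
	if len(parts) != 3 || !seg(parts[0], &hdr) || !seg(parts[1], &claims) {
		return nil, fmt.Errorf("malformed token")
	}
	if hdr.Alg != "RS256" { // pin the algorithm server-side: the token never gets to choose "none" or an HMAC alg
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, h := keys[hdr.Kid], sha256.Sum256([]byte(parts[0]+"."+parts[1]))
	if sig, err := b64.DecodeString(parts[2]); pub == nil || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, fmt.Errorf("unknown kid %q or bad signature", hdr.Kid)
	}
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, fmt.Errorf("token expired")
	}
	if claims["iss"] != iss || claims["aud"] != aud {
		return nil, fmt.Errorf("wrong issuer or audience")
	}
	return claims, nil
}

// CloudConnector models the cloud.gitlab.com box: it mints user JWTs for SM instances and verifies them on completions.
type CloudConnector struct {
	key                      *rsa.PrivateKey
	kid                      string
	customersDot, gitlabSaaS KeySet // cached from each party's JWK URI (the "no cached public keys?" branch)
}

// IssueUserJWT is the SM branch of /cloud_connector_auth: GitLab has already checked the PAT and the seat, and
// the instance JWT proves the cloud licence plus the add-on ("code_suggestions" is an assumed claim name).
func (cc *CloudConnector) IssueUserJWT(instanceJWT, userID string, now time.Time) (string, error) {
	inst, err := verify(instanceJWT, cc.customersDot, issCustomersDot, issCloudConnector, now)
	if err != nil || inst["code_suggestions"] != true {
		return "", fmt.Errorf("instance JWT rejected or no Code Suggestions add-on: %v", err)
	}
	return sign(cc.key, cc.kid, map[string]any{"iss": issCloudConnector, "aud": audAIGateway, "sub": userID,
		"gitlab_instance": inst["sub"], "iat": now.Unix(), "exp": now.Add(time.Hour).Unix()}), nil
}

// Completions is /ai/completions: the still-unverified iss claim only selects which trusted key set is used,
// so a token signed with GitLab.com's key cannot pose as one issued by Cloud Connector, or vice versa.
func (cc *CloudConnector) Completions(userJWT string, now time.Time) (map[string]any, error) {
	trusted := map[string]KeySet{issCloudConnector: {cc.kid: &cc.key.PublicKey}, issGitLabSaaS: cc.gitlabSaaS}
	var peek struct{ Iss string }
	if parts := strings.Split(userJWT, "."); len(parts) == 3 {
		seg(parts[1], &peek)
	}
	keys, ok := trusted[peek.Iss]
	if !ok {
		return nil, fmt.Errorf("untrusted issuer %q", peek.Iss)
	}
	return verify(userJWT, keys, peek.Iss, audAIGateway, now)
}

// demo: 3-day instance JWT from CustomersDot, 1h user JWT from Cloud Connector, completions now and two hours later.
func demo() (issued, okNow, okLater bool) {
	cdKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ccKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	cc, now := &CloudConnector{key: ccKey, kid: "cc-1", customersDot: KeySet{"cd-1": &cdKey.PublicKey}}, time.Now()
	instanceJWT := sign(cdKey, "cd-1", map[string]any{"iss": issCustomersDot, "aud": issCloudConnector,
		"sub": "instance-42", "code_suggestions": true, "exp": now.Add(72 * time.Hour).Unix()})
	userJWT, err := cc.IssueUserJWT(instanceJWT, "user-7", now)
	_, errNow := cc.Completions(userJWT, now)
	_, errLater := cc.Completions(userJWT, now.Add(2*time.Hour))
	return err == nil, errNow == nil, errLater == nil
}

func main() { fmt.Println(demo()) }
```

Two design points worth keeping when this is implemented for real: the verifier pins `alg` to RS256 and looks the key up by `kid` from the cached set for the expected issuer, rather than letting the token header choose either; and on the completions path the issuer named in the token only decides which trusted key set to try, so the `iss`-to-key binding, the audience check and the 1h expiry are all enforced before anything is forwarded to the AI Gateway.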
Edited by Nikola Milojevic