Identity API
Problem to solve
During our CI/CD builds we would like to interact with a variety of services (e.g. deploying code, recording change, triggering monitoring downtime, etc.). All of these services require authentication to ensure only certain projects can perform certain operations.
Since each build is given a unique CI_JOB_TOKEN which authenticates the build to the GitLab API, we were hoping to be able to trade that for a temporary credential that works with the services listed above. For our credential service to authenticate using the Job Token, we need to be able to validate that the token works and which job/project/user it belongs to.
Proposal
A new API route, /api/v4/whoami, that identifies the currently authenticated user or job by returning a 302 redirect to the corresponding API resource, depending on the type of token that is passed. An invalid or expired token yields 401 Unauthorized.
Using a Job Token
curl --header "JOB-TOKEN: 1234567890abcdefghij" -i https://gitlab.example.com/api/v4/whoami
HTTP/1.1 302 Found
Location: https://gitlab.example.com/api/v4/projects/1234/jobs/5678
Using a Private Token
curl --header "PRIVATE-TOKEN: 1234567890abcdefghij" -i https://gitlab.example.com/api/v4/whoami
HTTP/1.1 302 Found
Location: https://gitlab.example.com/api/v4/users/1234
Using an Expired Token
curl --header "JOB-TOKEN: abcdefghij1234567890" -i https://gitlab.example.com/api/v4/whoami
HTTP/1.1 401 Unauthorized
{"message":"401 Unauthorized"}
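The following is an added example of how an external credential service could consume the proposed route; it is not part of the proposal or of GitLab's code. It assumes the three responses shown above (302 with a Location header for a valid job or private token, 401 for an expired token) and that the GitLab instance is https://gitlab.example.com. Two points matter for a validator: the HTTP client must not follow the redirect automatically (otherwise it would fetch the job or user resource instead of reading the Location header), and the Location must be checked against a strict pattern on the expected origin before any project or job id is trusted. The transport is injectable so the offline fake below stands in for GitLab; the urllib transport is for real use.

```python
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Mapping, Optional, Tuple

# Assumed instance URL, taken from the examples in the proposal.
GITLAB_API = "https://gitlab.example.com/api/v4"
WHOAMI_URL = GITLAB_API + "/whoami"

# Strict patterns: only a Location on our own API origin is accepted, so a
# redirect pointing anywhere else (or to an unexpected path) is rejected.
JOB_LOCATION = re.compile(re.escape(GITLAB_API) + r"/projects/(\d+)/jobs/(\d+)$")
USER_LOCATION = re.compile(re.escape(GITLAB_API) + r"/users/(\d+)$")


@dataclass(frozen=True)
class Identity:
    kind: str                   # "job" or "user"
    project_id: Optional[int]
    job_id: Optional[int]
    user_id: Optional[int]


# A transport takes (url, request headers) and returns (status, response headers).
HttpGet = Callable[[str, Mapping[str, str]], Tuple[int, Mapping[str, str]]]


def classify_whoami(status: int, headers: Mapping[str, str]) -> Optional[Identity]:
    """Map a /whoami response to an Identity, or None if it proves nothing."""
    if status != 302:
        return None                      # 401 (expired/invalid) and anything else
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    if m := JOB_LOCATION.match(location):
        return Identity("job", int(m.group(1)), int(m.group(2)), None)
    if m := USER_LOCATION.match(location):
        return Identity("user", None, None, int(m.group(1)))
    return None                          # 302 to an unrecognised location


def validate_job_token(token: str, http_get: HttpGet) -> Optional[Identity]:
    """Return the job identity for a CI_JOB_TOKEN, or None if it is not a valid job token.

    A private token presented here resolves to a user, not a job, so it is
    rejected: the credential service authorises projects, not people.
    """
    status, headers = http_get(WHOAMI_URL, {"JOB-TOKEN": token})
    identity = classify_whoami(status, headers)
    if identity is None or identity.kind != "job":
        return None
    return identity


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following the 302 so we can read its Location header."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_get(url: str, headers: Mapping[str, str]) -> Tuple[int, Mapping[str, str]]:
    """Real transport: urllib raises HTTPError for 302 (when not followed) and 401."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=dict(headers), method="GET")
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def fake_gitlab_get(url: str, headers: Mapping[str, str]) -> Tuple[int, Mapping[str, str]]:
    """Constructed offline stand-in reproducing the three exchanges in the proposal."""
    assert url == WHOAMI_URL
    if headers.get("JOB-TOKEN") == "1234567890abcdefghij":
        return 302, {"Location": GITLAB_API + "/projects/1234/jobs/5678"}
    if headers.get("PRIVATE-TOKEN") == "1234567890abcdefghij":
        return 302, {"Location": GITLAB_API + "/users/1234"}
    return 401, {"Content-Type": "application/json"}


if __name__ == "__main__":
    print(validate_job_token("1234567890abcdefghij", fake_gitlab_get))   # job 5678 in project 1234
    print(validate_job_token("abcdefghij1234567890", fake_gitlab_get))   # None (expired token)
```

Swap `fake_gitlab_get` for `urllib_get` to query a real instance; the returned project id is what the credential service would then map to the set of downstream operations that project is allowed to perform.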
What does success look like, and how can we measure that?
An external service can verify that a given Job Token is valid and identify which project/job it belongs to.