Code suggestions: Get a token and send it to model gateway using Mediator

Problems to solve

Code suggestions: Authenticate and authorize WebIDE users to the Model Gateway

💡 Proposals

We have decided to move forward with OPTION 2.

Option 1 - OAuth2 Authorization Code with Proof Key for Code Exchange (PKCE)

  • Register Code Suggestions for Web IDE as an instance-wide OAuth2 Application.

On initialisation

  • User is redirected to /oauth/authorize endpoint.
  • Since they are already signed in and the application is trusted, this step will be skipped.
  • User is redirected to /oauth/ide/callback with the authorization_code.
  • User is redirected to the /-/ide with the access_token in the config.
  • Web IDE stores both tokens on the client side.

On autocomplete (user keystroke)

  • Web IDE checks the access_token expiry, and calls the refresh endpoint if required.
  • Web IDE calls Model Gateway API with the access_token.
  • Model Gateway verifies the access_token with GitLab API and returns completions.
Sequence flow

Pros

  • Allow Web IDE to work across domains
  • Lean on established authorisation patterns
  • Support for refresh token flow

Cons

  • Only supports stateful tokens, i.e. non-JWT
  • Requires a back-channel call to GitLab to verify token validity

Option 2: Custom API endpoint to generate an access token

On initialisation

  • Web IDE FE calls a GitLab API endpoint, which authorises the user via session and returns a JWT token.
  • Web IDE FE stores the access_token on the client side.

On autocomplete (user keystroke)

  • Web IDE FE calls Model Gateway API with the access_token.
  • Model Gateway checks the GitLab API public key cache.
  • If the cache is not found or expired, Model Gateway calls the GitLab endpoint https://gitlab.com/oauth/discovery/keys to fetch the public key.
  • Model Gateway verifies the access_token (JWT) with the public key and returns completions.
Sequence flow

Option 3: GitLab IDE controller to authorise and generate access tokens

On initialisation

  • Web IDE BE authorises the user via session and returns a signed JWT token.
  • Web IDE FE stores the access_token on the client side.

On autocomplete (user keystroke)

  • Web IDE FE calls Model Gateway API with the access_token.
  • Model Gateway checks the GitLab API public key cache.
  • If the cache is not found or expired, Model Gateway calls the GitLab endpoint https://gitlab.com/oauth/discovery/keys to fetch the public key.
  • Model Gateway verifies the access_token (JWT) with the public key and returns completions.
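
The Model Gateway steps listed for Options 2 and 3 (check the key cache, refetch when it is missing or expired, verify the JWT), as an added Python example that is not GitLab's or the Model Gateway's own code. Assumptions not stated in the issue: tokens are RS256 and carry a `kid` header, `fetch_jwks` is a hypothetical callable returning the parsed JSON from the keys endpoint, the TTL is arbitrary, only `exp` is checked, and the stdlib RSA check stands in for a maintained JWT library.

```python
import base64, hashlib, hmac, json, time

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class KeyCache:
    """Public keys by kid; refetched only when the cache is empty or expired."""
    def __init__(self, fetch_jwks, ttl=3600):  # fetch_jwks and ttl are assumptions
        self.fetch_jwks, self.ttl = fetch_jwks, ttl
        self.keys, self.expires = {}, 0.0

    def get(self, kid, now):
        if not self.keys or now >= self.expires:
            self.keys = {k["kid"]: tuple(int.from_bytes(b64d(k[f]), "big") for f in ("n", "e"))
                         for k in self.fetch_jwks()["keys"] if k.get("kty") == "RSA"}
            self.expires = now + self.ttl
        # An unknown kid on a fresh cache is rejected without a back-channel call.
        return self.keys.get(kid)

def verify(token, cache, now=None):
    """Return the claims of a valid, unexpired RS256 token, else raise ValueError."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header, claims, sig = json.loads(b64d(h64)), json.loads(b64d(p64)), b64d(s64)
        kid, alg, exp = header.get("kid"), header.get("alg"), claims.get("exp")
    except Exception:
        raise ValueError("malformed token") from None
    # Pin the algorithm; the token must not choose how it is verified.
    if alg != "RS256" or not isinstance(kid, str):
        raise ValueError("bad header")
    key = cache.get(kid, now)
    if key is None:
        raise ValueError("unknown kid")
    n, e = key
    k = (n.bit_length() + 7) // 8
    t = SHA256_PREFIX + hashlib.sha256(f"{h64}.{p64}".encode()).digest()
    # Rebuild the expected EMSA-PKCS1-v1_5 block and compare it whole.
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    s = int.from_bytes(sig, "big")
    actual = pow(s, e, n).to_bytes(k, "big")
    if len(sig) != k or s >= n or not hmac.compare_digest(actual, expected):
        raise ValueError("bad signature")
    if not (isinstance(exp, (int, float)) and exp > now):
        raise ValueError("expired")
    return claims
```

Because the cache is refetched only when empty or expired, a rotated signing key is picked up after at most one TTL, and tokens with made-up `kid` values cannot trigger calls back to GitLab.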
Sequence flow

Implementation plan

We are going ahead with Option 2 since it benefits greatly from the effort of consolidating the VS Code extension and Web IDE experience.

Discussions

  1. Discussion !147 (comment 1308585839)
Edited by Tan Le