Use dedicated signing key for CI_JOB_JWT (Vault Integration)
Release notes
At GitLab, we value making our features secure and best-in-class, which is why we have introduced a dedicated signing key for the HashiCorp Vault JSON Web Token (JWT) authentication method. You can rest assured knowing that the JWT cannot be used to impersonate another user through OpenID Connect.
Problem to solve
We should use a dedicated signing key to sign CI_JOB_JWT tokens to avoid the possible risks pointed out in #214607 (comment 325522240).
Proposal
- Add a new encrypted attribute to `application_settings` to store the dedicated CI JWT signing key.
- Implement the JWKS endpoint instead of delegating to `doorkeeper_openid_connect`. Make it return both keys.
- Start using this new key to sign `CI_JOB_JWT`.
- In the next release, remove the OIDC signing key from the JWKS endpoint - https://gitlab.com/gitlab-org/gitlab/-/issues
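As an added illustration of the proposal (not GitLab's own code), the following constructed Ruby sketch publishes both keys in a JWKS document, signs CI tokens with the dedicated key, and verifies on the relying-party side by `kid`, accepting only the key pinned for that purpose; the key constants, claims and the pinning rule are assumptions of this example.

```ruby
require 'openssl'
require 'json'
# Constructed keys for this example: the existing OIDC key and the new dedicated CI_JOB_JWT key.
OIDC_KEY = OpenSSL::PKey::RSA.new(2048)
CI_JWT_KEY = OpenSSL::PKey::RSA.new(2048)

def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end
def b64url_decode(str)
  str.tr('-_', '+/').unpack1('m')
end

# Public JWK for a key; "kid" is the RFC 7638 thumbprint so relying parties can pin it.
def jwk_for(key)
  pub = key.public_key
  jwk = { 'e' => b64url(pub.e.to_s(2)), 'kty' => 'RSA', 'n' => b64url(pub.n.to_s(2)) }
  jwk.merge('kid' => b64url(OpenSSL::Digest::SHA256.digest(JSON.generate(jwk))), 'use' => 'sig')
end

# The JWKS document as the endpoint would serve it: both keys during the transition release.
def jwks_json
  JSON.generate('keys' => [jwk_for(OIDC_KEY), jwk_for(CI_JWT_KEY)])
end

# RS256-sign claims with the given key and name that key in the header via kid.
def sign_jwt(key, claims)
  header = { 'alg' => 'RS256', 'typ' => 'JWT', 'kid' => jwk_for(key)['kid'] }
  input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  "#{input}.#{b64url(key.sign(OpenSSL::Digest::SHA256.new, input))}"
end

# Rebuild an RSA public key from a JWK's n and e (PKCS#1 RSAPublicKey DER).
def jwk_to_public_key(jwk)
  n, e = %w[n e].map { |f| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(b64url_decode(jwk[f]), 2)) }
  OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence.new([n, e]).to_der)
end

# Relying-party check: select the key by kid, but only among kids pinned for this purpose,
# so a token signed with the other key is rejected. Returns the claims or nil.
def verify_jwt(token, jwks_doc, allowed_kids)
  h, p, s = token.split('.')
  header = JSON.parse(b64url_decode(h.to_s))
  return nil unless s && header['alg'] == 'RS256' && allowed_kids.include?(header['kid'])
  jwk = JSON.parse(jwks_doc)['keys'].find { |k| k['kid'] == header['kid'] }
  return nil unless jwk && jwk_to_public_key(jwk).verify(OpenSSL::Digest::SHA256.new, b64url_decode(s), "#{h}.#{p}")
  JSON.parse(b64url_decode(p))
rescue OpenSSL::PKey::PKeyError, JSON::ParserError, ArgumentError
  nil
end
```

With the keys separated, rotating `CI_JWT_KEY` changes only the CI `kid`, and OIDC verifiers pinned to the other `kid` are unaffected.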
The following discussion from !28063 (merged) should be addressed:
- @ayufan started a discussion (+7 comments): Is this OK to re-use `OpenID Signing Key`? Is that expected? If we're ever gonna want to use `CI_JOB_JWT_TOKEN` for our own purpose, will that cause any issues? For example, we will want to rotate this secret for various unrelated reasons; what will happen then?