Investigate whether issuer claim for JWT tokens should be valid URLs
Problem Statement
GitLab appears to use only the hostname portion of the URL, omitting the scheme prefix, for the issuer claim (iss) when creating JWT tokens: https://gitlab.com/gitlab-org/gitlab/blob/v13.8.1-ee/lib/gitlab/ci/jwt.rb#L39
The JWT spec does not require the issuer to be a URL, so this does not appear to be wrong in itself, e.g.: https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1 / https://datatracker.ietf.org/doc/html/rfc7523#section-3
However, Kong's OIDC implementation appears to require a URL: https://docs.konghq.com/hub/kong-inc/openid-connect/0.32-x#configissuer
config.issuer
[…] This parameter accepts only URLs.
The general OIDC spec also appears to expect the scheme to be present in the issuer value: https://openid.net/specs/openid-connect-basic-1_0.html
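As an added illustration (not code from GitLab or Kong), the following Python reads the iss claim from a constructed, unsigned token and applies the OIDC Core rule for issuer identifiers (an https URL with scheme and host, optional port and path, no query or fragment); the hostname, claim values and function names are assumptions for the example.

```python
import base64
import json
from urllib.parse import urlparse


def _b64url_encode(obj: dict) -> str:
    """Serialise a dict as a base64url segment with the padding JWTs strip."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that was stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_token(claims: dict) -> str:
    """Build a compact JWT shape (header.payload.signature) for the demo only.
    The signature segment is a constructed placeholder, not a real signature."""
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.placeholder-sig"


def issuer_from_token(token: str) -> str:
    """Return the iss claim from the payload segment of a compact JWT.
    Signature verification is deliberately out of scope here: the check is
    only about the shape of the claim, which is what the Kong error reports."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))["iss"]


def check_oidc_issuer(iss: str) -> tuple:
    """Apply the OIDC Core issuer rule and explain any rejection."""
    parts = urlparse(iss)
    if not parts.scheme:
        return False, "no scheme: bare hostname, as GitLab emits it"
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} is not https"
    if not parts.netloc:
        return False, "no host component"
    if parts.query or parts.fragment:
        return False, "query or fragment components are not allowed"
    return True, "ok"


if __name__ == "__main__":
    # Constructed claims: a bare hostname like the one GitLab puts in iss.
    token = make_demo_token({"iss": "gitlab.example.com", "sub": "job-1"})
    print(check_oidc_issuer(issuer_from_token(token)))
    print(check_oidc_issuer("https://gitlab.example.com"))
```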
What is the current behavior?
Authentication with the JWT token is denied with the message: “invalid issuer was specified for access token, https:// was expected”
What is the expected behavior?
Authentication with the JWT token must succeed
Reach
I encountered this while performing the investigation for the customer who raised this ticket. At the minute I'm unaware of other cases, but it seems possible that our implementation is technically incorrect. That is also the customer's position.
Impact
Solving this problem will allow easy integration with Kong, using JWT tokens to authenticate. Pending the outcome of the investigation, if we are indeed incorrectly omitting the scheme prefix from the issuer claim, this issue is likely to affect GitLab's ability to authenticate with other systems that apply a stricter implementation of the OIDC specification.
Confidence
At this point I'm not very confident that this is a bug, but if it is, it is likely to occur for more customers and for other software systems as they harden their security and move to stricter implementations of the OIDC specification.