Document risk of a static `aud` value in a JSON Web Token (JWT)
Problem to solve
As brought up in this discussion by @AdamusJ, a static value (or an empty value) in the `aud` field of a JSON Web Token can enable one Relying Party (RP) to use a received token against another Relying Party (RP). As GitLab's implementation of CI_JOB_JWT does not contain an `aud` value and CI_JOB_JWT_V2 contains a statically set value, this risk should be documented.
Statically set aud is potential security hole. If you will make trust via JWT against 2 services (2 clouds, cloud+vault instance etc.), aud is (by OIDC spec) field which ensures, token sent to first service could not be successfully validated if proxied to second service. I understand, this is rare use case and "little" security hole, but I think it should be pointed to in documentation after release. There is possibility to make such setup secure by explicitly splitting each service communications to two jobs. It would lead to ability to distinguish between this token by another claims (I believe previous token had job name included for example).
Further details
Proposal
Document the risk where CI_JOB_JWT* is referenced.
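The audience check discussed above, as an added example that is not GitLab's code: a minimal HS256 JWT issuer and relying-party verifier written in standard-library Python, with a constructed signing key, constructed issuer and service URLs, and a fixed clock. It shows that when every relying party has to be configured to accept the same static `aud` value (the issuer URL, as with CI_JOB_JWT_V2), a token presented to one relying party also validates at the other; that a per-relying-party `aud` confines the token to its intended recipient; and that a verifier which skips the check when `aud` is absent (the CI_JOB_JWT case) accepts the token anywhere, while a strict verifier rejects it.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key so the example runs offline; a real issuer signs with an
# asymmetric key and publishes the public half (JWKS) for relying parties.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Issuer side: build an HS256 JWT carrying the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, expected_aud: str, key: bytes = DEMO_KEY,
               require_aud: bool = True, now: float = None) -> dict:
    """Relying-party side: check signature, expiry and audience.

    Raises ValueError when the token must not be accepted. With require_aud=True
    a token without an 'aud' claim is rejected; with require_aud=False the audience
    check is skipped when the claim is absent (the lenient behaviour that lets an
    aud-less token be used against any relying party).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    aud = claims.get("aud")
    if aud is None:
        if require_aud:
            raise ValueError("missing aud")
        return claims
    # RFC 7519 allows 'aud' to be a single string or an array of strings.
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise ValueError(f"aud {audiences} does not include {expected_aud}")
    return claims


def accepted_by(token: str, rp_config: dict, require_aud: bool = True,
                now: float = None) -> list:
    """Names of the relying parties (name -> configured aud) that accept the token."""
    accepted = []
    for name, configured_aud in rp_config.items():
        try:
            verify_jwt(token, configured_aud, require_aud=require_aud, now=now)
            accepted.append(name)
        except ValueError:
            pass
    return accepted


# Constructed issuer, relying parties and fixed clock for the comparison.
ISSUER = "https://gitlab.example"
NOW = 1_700_000_000
BASE_CLAIMS = {"iss": ISSUER, "sub": "job-1", "iat": NOW, "exp": NOW + 300}

# A static aud forces every relying party to accept the same value.
STATIC_AUD_CONFIG = {"vault": ISSUER, "cloud": ISSUER}
# A per-relying-party aud lets each one accept only its own identifier.
SCOPED_AUD_CONFIG = {"vault": "https://vault.example", "cloud": "https://cloud.example"}

NO_AUD_TOKEN = sign_jwt(BASE_CLAIMS)                                  # CI_JOB_JWT-style
STATIC_AUD_TOKEN = sign_jwt({**BASE_CLAIMS, "aud": ISSUER})           # CI_JOB_JWT_V2-style
VAULT_TOKEN = sign_jwt({**BASE_CLAIMS, "aud": "https://vault.example"})

if __name__ == "__main__":
    print("static aud:", accepted_by(STATIC_AUD_TOKEN, STATIC_AUD_CONFIG, now=NOW))
    print("scoped aud:", accepted_by(VAULT_TOKEN, SCOPED_AUD_CONFIG, now=NOW))
    print("no aud, lenient:", accepted_by(NO_AUD_TOKEN, SCOPED_AUD_CONFIG, require_aud=False, now=NOW))
    print("no aud, strict:", accepted_by(NO_AUD_TOKEN, SCOPED_AUD_CONFIG, now=NOW))
```

The first two calls are the comparison the issue is about: with the static audience both relying parties accept the same token, with a scoped audience only the intended one does. The last two show why a verifier should treat a missing `aud` as a failure rather than as "any audience".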