API endpoint to request an OIDC Token
Overview
To support ambient credential detection we should allow jobs to exchange a CI_JOB_TOKEN for a OIDC token. This would allow clients running in CI to perform parameterless authentication by detecting if they are running in GitLab CI using GITLAB_CI=true and then retrieving and OIDC token using CI_JOB_TOKEN.
Proposal
Implement new REST enpoint POST /api/v4/job/id_token which generates a JWT with Gitlab::Ci::JwtV2.for_build(current_authenticated_job, aud: request.aud).
Edited by Brian Williams