API endpoint to request an OIDC Token

Overview

To support ambient credential detection we should allow jobs to exchange a CI_JOB_TOKEN for a OIDC token. This would allow clients running in CI to perform parameterless authentication by detecting if they are running in GitLab CI using GITLAB_CI=true and then retrieving and OIDC token using CI_JOB_TOKEN.

previous discussion thread

Proposal

Implement new REST enpoint POST /api/v4/job/id_token which generates a JWT with Gitlab::Ci::JwtV2.for_build(current_authenticated_job, aud: request.aud).

Edited May 01, 2023 by Brian Williams