JWT signing keys should be rotated
Summary
Signing keys for JWT tokens are never rotated. See this comment, which demonstrates fetching the public keys on 2022-10-22. If you curl the same endpoints today, you will see the same public keys are still in use.
Compromise of these private keys could lead to arbitrary attacks on external systems that depend on GitLab as an OIDC provider.
Sigstore is an example of one such system. See: https://docs.sigstore.dev/threat-model/#main-takeaways
- OIDC issuers are highly trusted in Sigstore, and only properly hardened OIDC issuers should be used.
- OIDC account compromise is not handled by Sigstore, but we recommend that OIDC issuers provide revocation in the case of a compromised OIDC account. In addition, we recommend the use of 2FA on all OIDC accounts used with Sigstore in order to reduce the likelihood of a compromise.
In addition, customers are increasingly reliant on OIDC token exchange for accessing their cloud environments. With access to our private key(s), an attacker would be able to mint tokens that can gain access to these systems as well: https://docs.gitlab.com/ee/ci/cloud_services/#how-it-works
Steps to reproduce
Periodically fetch the JWKs and observe that the public keys never change: `curl https://gitlab.com/oauth/discovery/keys | jq`
What is the expected correct behavior?
The signing keys should be rotated frequently. They can (and should) be rotated in-place by the application at runtime. The OIDC discovery mechanism ensures that JWKs are periodically refreshed by OIDC clients.
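The two halves of that expected behaviour, in-place rotation on the issuer side and key refresh on the client side, as an added Go example that is not GitLab code and not part of this issue. It assumes a constructed key-id scheme (hash of the RSA modulus), keeps the published key set as an in-memory `KeySet` map standing in for the JWKS JSON document, and uses only the standard library; `Issuer`, `Verifier`, `kidFor` and `KeySet` are names invented here. The issuer keeps publishing the previous public key for one rotation period so in-flight tokens still verify, and the verifier refetches the key set exactly once when a token names a kid it has not cached, which is the discovery-driven refresh the text relies on.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var enc = base64.RawURLEncoding

// KeySet maps a key id to a public key; it stands in for the JWKS document an OIDC
// issuer serves at its discovery "jwks_uri".
type KeySet map[string]*rsa.PublicKey

// kidFor derives a key id from the modulus (a constructed scheme; any unique id works).
func kidFor(pub *rsa.PublicKey) string {
	h := sha256.Sum256(pub.N.Bytes())
	return enc.EncodeToString(h[:8])
}

// Issuer rotates its signing key in place at runtime. Call Rotate once before signing.
// The previous public key stays published for one more rotation period, so tokens issued
// just before a rotation still verify as long as rotation happens no more often than the
// longest token lifetime; the retired private key never signs again.
type Issuer struct {
	current, previous *rsa.PrivateKey
}

// Rotate generates a fresh key and demotes the current one to "previous".
func (i *Issuer) Rotate() error {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err == nil {
		i.previous, i.current = i.current, k
	}
	return err
}

// Keys is what the discovery endpoint publishes right now.
func (i *Issuer) Keys() KeySet {
	set := KeySet{kidFor(&i.current.PublicKey): &i.current.PublicKey}
	if i.previous != nil {
		set[kidFor(&i.previous.PublicKey)] = &i.previous.PublicKey
	}
	return set
}

// Sign returns a compact RS256 JWT whose header names the current kid.
func (i *Issuer) Sign(claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kidFor(&i.current.PublicKey)})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, i.current, crypto.SHA256, digest[:])
	return input + "." + enc.EncodeToString(sig), err
}

// Verifier caches the key set and re-fetches it once when it meets an unknown kid, which
// is how OIDC clients pick up rotated keys without a restart or manual reconfiguration.
type Verifier struct {
	fetch func() KeySet
	cache KeySet
}

func NewVerifier(fetch func() KeySet) *Verifier { return &Verifier{fetch: fetch, cache: fetch()} }

// Verify checks the RS256 signature against the published keys and returns the claims.
func (v *Verifier) Verify(token string) (map[string]any, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := enc.DecodeString(p[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("header must declare RS256") // refuses alg=none and HMAC key confusion
	}
	pub, ok := v.cache[hdr.Kid]
	if !ok { // unknown kid: refresh from the discovery endpoint once, then retry
		v.cache = v.fetch()
		if pub, ok = v.cache[hdr.Kid]; !ok {
			return nil, errors.New("no published key for kid " + hdr.Kid)
		}
	}
	sig, err := enc.DecodeString(p[2])
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	raw, err := enc.DecodeString(p[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	return claims, json.Unmarshal(raw, &claims)
}
```

The refetch-on-unknown-kid step is what makes runtime rotation safe for relying parties: a client that pinned the key set at startup would reject every token after the first rotation, while a client that refetched on every failure would hand a trivial amplification lever to anyone sending junk tokens, so refreshing once per unknown kid (and, in production, rate-limiting that refresh) is the usual middle ground.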