Provide a way to disable groups_direct field in JWT

In GitLab 16.11, !146881 (merged) added a groups_direct field to the JWT (https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html).

These tokens are often passed in HTTP Authorization headers, and proxy servers may reject the request if the headers are too big.

Because of that, we should have a way to disable this field. For example, perhaps in the CI definition we could do something like this?

job_with_id_tokens:
  id_tokens:
    FIRST_ID_TOKEN:
      aud: https://first.service.com
      groups_direct: false
    SECOND_ID_TOKEN:
      aud: https://second.service.com
  script:
    - first-service-authentication-script.sh $FIRST_ID_TOKEN
    - second-service-authentication-script.sh $SECOND_ID_TOKEN

What do you think @alexandru.jieanu @avielle @jocelynjane?
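Added example, not from this issue or from GitLab's code: a small Python script that builds a constructed ID-token-shaped JWT with and without a groups_direct claim, decodes the payload, and measures how much of the Authorization header each claim costs, so you can check in advance whether a token will trip a proxy's header-size limit. The issuer, subject, audience, group names and the HS256 key are all constructed sample values (real GitLab ID tokens are RS256-signed by the instance).

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample key; only used to give the sample token a realistic three-part shape.
SAMPLE_KEY = b"constructed-sample-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(groups_direct: Optional[list]) -> str:
    """Build an HS256 JWT carrying ID-token-style claims (all values constructed)."""
    payload = {
        "iss": "https://gitlab.example.com",
        "sub": "project_path:group/project:ref_type:branch:ref:main",
        "aud": "https://first.service.com",
        "project_path": "group/project",
        "ref": "main",
    }
    if groups_direct is not None:
        payload["groups_direct"] = groups_direct
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SAMPLE_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def decode_payload(token: str) -> dict:
    """Decode the payload segment only; this does NOT verify the signature."""
    body = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def authorization_header_size(token: str) -> int:
    """Bytes on the wire for the 'Authorization: Bearer <token>' request header line."""
    return len(f"Authorization: Bearer {token}\r\n".encode())


def claim_sizes(token: str) -> dict:
    """JSON bytes each claim contributes to the payload, largest claim first."""
    payload = decode_payload(token)
    sizes = {k: len(json.dumps({k: v}, separators=(",", ":")).encode()) for k, v in payload.items()}
    return dict(sorted(sizes.items(), key=lambda kv: kv[1], reverse=True))


def exceeds_limit(token: str, limit: int = 8192) -> bool:
    """True when the Authorization header alone is larger than the proxy's per-header limit (8 KiB is a common default)."""
    return authorization_header_size(token) > limit
```

Running claim_sizes on a token from a user who is a direct member of a few hundred groups shows groups_direct dwarfing every other claim, which is exactly the header-bloat this issue is about.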