GitLab API endpoint for requesting Duo Workflow Service JWT and Duo Workflow OAuth tokens

This is for item 1 in this authentication architecture diagram.

Create a REST API in GitLab that returns roughly this JSON:

{
  "gitlab_rails" : {
    "token": "$secret_oauth_token",
    "base_url": "https://example.gitlab.com"
  },
  "duo_workflow_service" : {
    "base_url": "https://example.duo_workflow_service.com",
    "token": "$encoded_JWT",
    "headers": {
      "X-Gitlab-Instance-Id": "292c3c7c-c5d5-48ec-b4bf-f00b724ce560",
      "X-Gitlab-Realm": "saas",
      "X-Gitlab-Global-User-Id": "Df0Jhs9xlbetQR8YoZCKDZJflhxO0ZBI8uoRzmpnd1w=",
      "X-Gitlab-Host-Name": "192.168.1.8"
    }
  }
}

The API endpoint should be EE only and behind the feature flag.

Some notes on this JSON:

  • The token returned within the gitlab_rails object is an OAuth token with the duo_workflow scope. There is an issue for creating this new scope here.
  • We are returning the GitLab base_url so that the Duo Workflow Service knows which code path to take. Initially we are only concerned with gitlab.com, but in future iterations self-managed instances will use this too, and we need to know what the URL of their instance looks like. For the gitlab.com use case this field is not strictly necessary, so you can choose to leave it out for now.
  • The token returned within the duo_workflow_service object is a JWT for talking to the Duo Workflow Service.
  • This should all work similarly to how the Code Suggestions direct access API endpoint for fetching a token works.
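As an added illustration (not code from this issue or from GitLab), a client-side parser for the response above: it checks the two sections, keeps the optional gitlab_rails base_url optional, requires the four X-Gitlab-* headers, and hands back one header set per target so the OAuth token is only ever sent to GitLab and the JWT only to the Duo Workflow Service. It assumes both services accept their credential as a Bearer token; the sample response and its token values are constructed placeholders.

```ruby
require 'json'
require 'uri'

REQUIRED_DWS_HEADERS = %w[X-Gitlab-Instance-Id X-Gitlab-Realm X-Gitlab-Global-User-Id X-Gitlab-Host-Name].freeze
def https_url!(value, field)
  uri = URI.parse(value.to_s)
  raise ArgumentError, "#{field} must be an https URL" unless uri.is_a?(URI::HTTPS) && uri.host
  value
end
def token!(section, name)
  token = section['token'].to_s
  raise ArgumentError, "#{name}.token is missing" if token.strip.empty?
  token
end
# Parses the endpoint response and returns one header set per target service, so the
# OAuth token only ever goes to GitLab and the JWT only to the Duo Workflow Service.
# Assumed: both services accept their credential as a Bearer token.
def parse_duo_workflow_auth(body)
  doc = JSON.parse(body)
  rails = doc['gitlab_rails'] || raise(ArgumentError, 'gitlab_rails missing')
  dws = doc['duo_workflow_service'] || raise(ArgumentError, 'duo_workflow_service missing')
  oauth_token = token!(rails, 'gitlab_rails')
  jwt = token!(dws, 'duo_workflow_service')
  # Two credentials for two audiences; identical values mean the endpoint mixed them up.
  raise ArgumentError, 'OAuth token and JWT must differ' if oauth_token == jwt
  headers = dws['headers'] || {}
  missing = REQUIRED_DWS_HEADERS - headers.keys
  raise ArgumentError, "missing headers: #{missing.join(', ')}" unless missing.empty?
  {
    gitlab_rails: {
      # base_url is optional for the gitlab.com case, so validate it only when present
      base_url: rails['base_url'] && https_url!(rails['base_url'], 'gitlab_rails.base_url'),
      headers: { 'Authorization' => "Bearer #{oauth_token}" }
    },
    duo_workflow_service: {
      base_url: https_url!(dws['base_url'], 'duo_workflow_service.base_url'),
      headers: { 'Authorization' => "Bearer #{jwt}" }.merge(headers.slice(*REQUIRED_DWS_HEADERS))
    }
  }
end

# Constructed sample in the issue's shape; token values are placeholders.
SAMPLE_RESPONSE = JSON.generate(
  'gitlab_rails' => { 'token' => 'placeholder-oauth-token', 'base_url' => 'https://example.gitlab.com' },
  'duo_workflow_service' => {
    'base_url' => 'https://example.duo_workflow_service.com', 'token' => 'placeholder.encoded.jwt',
    'headers' => { 'X-Gitlab-Instance-Id' => '292c3c7c-c5d5-48ec-b4bf-f00b724ce560', 'X-Gitlab-Realm' => 'saas',
                   'X-Gitlab-Global-User-Id' => 'Df0Jhs9xlbetQR8YoZCKDZJflhxO0ZBI8uoRzmpnd1w=',
                   'X-Gitlab-Host-Name' => '192.168.1.8' } }
)
```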

Some pieces of the logic may need to be stubbed out until the Duo Workflow Service has an API endpoint for retrieving a JWT: Duo Workflow Service API endpoint for minting JWT (#471898 - closed)

Edited by Jessie Young