JWT Audience Configuration for OpenBao in Geo Environments

Note: This issue has been generated by GitLab Duo Agentic Chat using #485595 (comment 2757832504) as a source.

Problem to Solve

In GitLab Geo deployments with OpenBao integration, there is a potential configuration mismatch between JWT audience fields and OpenBao's bound audience validation that could prevent proper authentication in secondary Geo sites.

Current Situation

  • OpenBao uses JWT authentication with bound audience validation for security
  • JWTs carry an audience (aud) claim that must match one of the values in OpenBao's configured bound_audiences
  • In Geo environments, secondary sites may have different URLs for accessing the secrets manager compared to the primary site
  • The current implementation may assume a single static audience value across all Geo sites

Specific Challenge

When a secondary Geo site has a different URL structure for accessing OpenBao than the primary site, the JWT audience field may not match the bound audience configured in OpenBao, leading to authentication failures. This would prevent CI jobs and other services from accessing secrets when running on secondary Geo sites.

Proposal

Introduce a separate Rails configuration option specifically for JWT audience configuration that can be set independently from the external OpenBao URL, allowing for flexible audience validation in multi-site Geo deployments.

Benefits

  • Enables OpenBao authentication to work correctly across all Geo sites regardless of URL differences
  • Provides configuration flexibility for different Geo deployment architectures
  • Maintains security through proper audience validation while accommodating multi-site scenarios
  • Supports both simple (same URL) and complex (different URL) Geo configurations

Example Configuration

# For environments where secondary sites have different OpenBao URLs
production:
  openbao:
    url: https://openbao.primary.example.com  # Site-specific URL
    jwt_audience: https://openbao.shared.example.com  # Consistent audience across all sites

This solution would ensure that JWT authentication works seamlessly across all Geo sites while maintaining the security benefits of audience validation.

Implementation plan

  1. New Configuration Parameter

    • Add a new Rails configuration option (e.g., openbao.jwt_audience) that can be set separately from the main OpenBao URL
    • This parameter would define the audience value used in JWTs for OpenBao authentication
    • Default behavior: if not specified, fall back to using the existing OpenBao URL configuration
  2. Configuration Flexibility

    • Same URL environments: When primary and secondary Geo sites use the same URLs to access OpenBao, no additional configuration needed
    • Different URL environments: When secondary sites have different OpenBao URLs, set a single static jwt_audience value that all sites can use for consistent authentication
  3. Backward Compatibility

    • Maintain existing behavior when the new parameter is not configured
    • Ensure no breaking changes for current OpenBao deployments
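The following Ruby script is an added illustration of the plan above and of the example configuration; it is not GitLab's or OpenBao's code. It models the proposed resolution rule (jwt_audience when set, otherwise fall back to openbao.url), builds the claim set a site would sign, and checks it the way an OpenBao role with bound_audiences would. The config snippets, hostnames, issuer and subject values are constructed, the function names are invented for this example, and the any-match audience rule is an assumption modelled on the Vault-family bound_audiences documentation. Signing is left out because the point is which aud value each site emits.

```ruby
require 'yaml'

# Constructed sample config for a primary and a secondary Geo site whose
# OpenBao URLs differ (illustrative values, not GitLab's shipped config).
PRIMARY_YAML = <<~YAML
  production:
    openbao:
      url: https://openbao.primary.example.com
YAML

SECONDARY_YAML = <<~YAML
  production:
    openbao:
      url: https://openbao.secondary.example.com
YAML

# Extract the openbao: section for one environment; missing keys yield {}.
def load_openbao_config(yaml_text, env = 'production')
  YAML.safe_load(yaml_text).fetch(env, {}).fetch('openbao', {})
end

# Proposed resolution rule: an explicit, non-blank jwt_audience wins;
# otherwise fall back to the site's OpenBao url (backward-compatible default).
def resolve_jwt_audience(openbao_cfg)
  candidate = openbao_cfg['jwt_audience']
  candidate = openbao_cfg['url'] if candidate.nil? || candidate.to_s.strip.empty?
  if candidate.nil? || candidate.to_s.strip.empty?
    raise ArgumentError, 'openbao.url or openbao.jwt_audience must be configured'
  end
  candidate.to_s.strip
end

# Claim set a GitLab site would sign for an OpenBao login (hypothetical
# issuer/subject; signing omitted since only the aud value matters here).
def build_claims(openbao_cfg, subject:, issuer:, now: Time.now.to_i, ttl: 300)
  {
    'iss' => issuer,
    'sub' => subject,
    'aud' => resolve_jwt_audience(openbao_cfg),
    'iat' => now,
    'exp' => now + ttl
  }
end

# OpenBao-side check modelled on the Vault-family bound_audiences rule
# (assumption): aud may be a string or an array (RFC 7519 section 4.1.3),
# and any single overlap with the role's bound_audiences is sufficient.
def audience_bound?(claims, bound_audiences)
  presented = Array(claims['aud']).map(&:to_s)
  allowed = Array(bound_audiences).map(&:to_s)
  !(presented & allowed).empty?
end

# Run the audience check for both Geo sites against one OpenBao role.
def geo_login_results(primary_cfg, secondary_cfg, bound_audiences,
                      issuer: 'https://gitlab.example.com')
  {
    primary: audience_bound?(
      build_claims(primary_cfg, subject: 'ci-job-1', issuer: issuer), bound_audiences
    ),
    secondary: audience_bound?(
      build_claims(secondary_cfg, subject: 'ci-job-2', issuer: issuer), bound_audiences
    )
  }
end

# Apply the proposed jwt_audience key without mutating the original config.
def with_shared_audience(openbao_cfg, audience)
  openbao_cfg.merge('jwt_audience' => audience)
end

if $PROGRAM_NAME == __FILE__
  primary = load_openbao_config(PRIMARY_YAML)
  secondary = load_openbao_config(SECONDARY_YAML)

  # Before: each site derives aud from its own URL, the role is bound to the
  # primary's URL, so the secondary's login is rejected.
  p geo_login_results(primary, secondary, ['https://openbao.primary.example.com'])

  # After: one shared jwt_audience on both sites and the role bound to it.
  shared = 'https://openbao.shared.example.com'
  p geo_login_results(with_shared_audience(primary, shared),
                      with_shared_audience(secondary, shared), [shared])
end
```

Running the script prints `{:primary=>true, :secondary=>false}` for the URL-derived case and `{:primary=>true, :secondary=>true}` once the shared audience is configured, which is the behaviour difference the proposal targets. Keeping bound_audiences narrow (one shared value rather than every site URL) preserves the check's value: a token minted for one OpenBao deployment still cannot be replayed against a role bound to a different audience.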

Edited by Fabien Catteau