GitLab rails: Accept External OAuth Token

Summary

GitLab Rails needs to accept and validate external OAuth tokens issued by the IAM Service as part of the OAuth for Protocells architecture.

Background

As part of the OAuth for Protocells proposal, the IAM Service will handle OAuth token exchange requests and create routable JWT access tokens containing the user ID. These tokens will be used for subsequent API requests to GitLab cells.

Requirements

When API requests are made with JWT access tokens issued by the IAM service:

  1. GitLab Rails validates the token using JWKs from the IAM service
  2. GitLab Rails verifies and decodes the JWT to authenticate the request
  3. GitLab processes the API request and returns the response
  4. The JWT access token works for all use cases that are possible with OAuth tokens, such as:
    • REST API access
    • GraphQL API access
    • OpenID Connect flow
    • git commands
    • docker commands?

Implementation Details

GitLab Rails must:

  • Keep all changes behind an IAM_SVC_OAUTH feature flag
  • Request JWKs (JSON Web Key Sets) from the IAM service for token validation
  • Cache JWKs with a reasonable expiry time
  • Verify JWT signatures using the retrieved JWKs
  • Decode and validate JWT claims (expiration, issuer, audience, etc.)
  • Extract user information from the validated token
  • Set current user with the resolved
  • Authenticate the API request based on the token contents
  • Be extensible to URTs in the future
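The validation sequence above, as an added Ruby example (not GitLab's or the IAM service's own code): a constructed stand-in for the IAM service mints an RS256 JWT and publishes the matching JWKS, and a validator class performs the cached JWKS fetch, key selection by kid, signature verification, exp/iss/aud checks and user-id extraction. The issuer URL, kid, audience value and the `sub` claim as the carrier of the user ID are assumptions.

```ruby
require 'openssl'
require 'json'
def b64url_encode(data) = [data].pack('m0').tr('+/', '-_').delete('=')
def b64url_decode(str) = str.tr('-_', '+/').ljust((str.size + 3) / 4 * 4, '=').unpack1('m0')

# Constructed stand-in for the IAM service: its RS256 signing key, the JWKS it would
# publish, and a token minter. Issuer URL, kid and the `sub` claim name are assumptions.
IAM_KEY = OpenSSL::PKey::RSA.new(2048)
IAM_ISSUER = 'https://iam.example.invalid'
IAM_JWKS = { 'keys' => [{ 'kty' => 'RSA', 'kid' => 'iam-key-1', 'alg' => 'RS256',
                          'n' => b64url_encode(IAM_KEY.n.to_s(2)),
                          'e' => b64url_encode(IAM_KEY.e.to_s(2)) }] }

def mint_token(claims, kid: 'iam-key-1', key: IAM_KEY)
  header = b64url_encode(JSON.generate({ 'alg' => 'RS256', 'kid' => kid }))
  input = "#{header}.#{b64url_encode(JSON.generate(claims))}"
  "#{input}.#{b64url_encode(key.sign(OpenSSL::Digest.new('SHA256'), input))}"
end

# GitLab-side validator: caches the JWKS, selects the key by kid, checks the
# signature, then exp/iss/aud, and returns the user id carried in `sub`.
class IamTokenValidator
  JwtError = Class.new(StandardError)
  def initialize(fetch_jwks:, issuer:, audience:, ttl: 300, clock: -> { Time.now })
    @fetch_jwks, @issuer, @audience, @ttl, @clock = fetch_jwks, issuer, audience, ttl, clock
  end

  def jwks # re-fetched only after ttl seconds, so one IAM request serves many tokens
    return @cache if @cache && @clock.call - @cached_at <= @ttl
    @cached_at = @clock.call
    @cache = @fetch_jwks.call
  end

  def user_id_from(token)
    h64, p64, s64, extra = token.split('.')
    raise JwtError, 'malformed token' if s64.nil? || extra
    header = JSON.parse(b64url_decode(h64))
    raise JwtError, 'unsupported alg' unless header['alg'] == 'RS256' # rejects alg=none / HS256
    jwk = jwks['keys'].find { |k| k['kid'] == header['kid'] } or raise JwtError, 'unknown kid'
    n, e = %w[n e].map { |f| OpenSSL::ASN1::Integer(OpenSSL::BN.new(b64url_decode(jwk[f]), 2)) }
    key = OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence([n, e]).to_der)
    sig_ok = key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(s64), "#{h64}.#{p64}")
    raise JwtError, 'bad signature' unless sig_ok
    claims = JSON.parse(b64url_decode(p64)) # claims are used only after the signature is trusted
    raise JwtError, 'expired' unless claims['exp'].is_a?(Integer) && claims['exp'] > @clock.call.to_i
    raise JwtError, 'wrong issuer' unless claims['iss'] == @issuer
    raise JwtError, 'wrong audience' unless Array(claims['aud']).include?(@audience)
    claims['sub'] or raise JwtError, 'missing sub'
  end
end
```

The `clock` and `fetch_jwks` lambdas exist so the cache expiry and JWKS rotation can be exercised in tests without network access; in Rails the fetch would be the HTTP call to the IAM service's JWKS endpoint.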

Related
