Disable IAT verification by default (!127395) · Merge requests · GitLab.org / GitLab

Merged Stan Hu requested to merge sh-disable-verify-iat-default into master 1 year ago

What does this MR do and why?

!117468 (merged) in GitLab 15.11 updated the ruby-jwt gem to v2.5.0. In v2.2.0, ruby-jwt removed the iat_leeway parameter (https://github.com/jwt/ruby-jwt/pull/274).

As a result, if a gitlab-shell host creates a JWT token with an issued-at (IAT) claim that is slightly behind the host handling API the request, users will receive a 401 error.

Disable this IAT verification by default since it's not serving a useful purpose, since expiration times are already validated. We already made a similar change in Geo.

Relates to #417543 (closed)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Edited 1 year ago by Stan Hu

Activity

Please register or sign in to reply

Disable IAT verification by default

What does this MR do and why?

MR acceptance checklist

Merge request reports

Activity