Disable IAT verification by default
What does this MR do and why?
!117468 (merged) in GitLab 15.11 updated the ruby-jwt gem to v2.5.0. In v2.2.0, ruby-jwt removed the iat_leeway parameter (https://github.com/jwt/ruby-jwt/pull/274).
As a result, if a gitlab-shell host creates a JWT token with an issued-at (IAT) claim that is slightly behind the host handling the API request, users will receive a 401 error.
Disable this IAT verification by default since it's not serving a useful purpose, since expiration times are already validated. We already made a similar change in Geo.
Relates to #417543 (closed)
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Stan Hu
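The clock-skew failure described in this MR, as an added example that is not part of the MR or of ruby-jwt: a stdlib-only HS256 verifier run with a strict IAT check, with a leeway, and with the IAT check disabled. The helper names, the secret, the timestamps and the strict-check model (reject an `iat` later than the verifier's clock) are assumptions made for illustration.

```ruby
require 'openssl'
require 'json'

# Stdlib-only HS256 JWT model of the clock-skew failure. All names are
# hypothetical; this is not ruby-jwt or GitLab code.
SECRET = 'constructed-demo-secret' # constructed sample value

def b64url(data)
  [data].pack('m0').tr('+/', '-_').delete('=')
end

def sign(input, secret)
  b64url(OpenSSL::HMAC.digest('SHA256', secret, input))
end

def encode_token(claims, secret)
  input = "#{b64url(JSON.generate({ alg: 'HS256', typ: 'JWT' }))}.#{b64url(JSON.generate(claims))}"
  "#{input}.#{sign(input, secret)}"
end

# Returns :ok or a symbol naming the failed check. `now` is the verifier's clock.
def verify_token(token, secret, now:, verify_iat:, iat_leeway: 0)
  header, payload, sig = token.split('.')
  return :malformed unless header && payload && sig
  return :bad_signature unless OpenSSL.secure_compare(sign("#{header}.#{payload}", secret), sig)

  claims = JSON.parse(payload.tr('-_', '+/').unpack1('m'))
  return :expired if claims['exp'].is_a?(Numeric) && claims['exp'] <= now
  # Assumed model of the strict check: reject an iat later than our own clock.
  if verify_iat
    iat = claims['iat']
    return :invalid_iat unless iat.is_a?(Numeric) && iat <= now + iat_leeway
  end
  :ok
end

# Constructed scenario: the issuing host's clock is 3 seconds ahead of the verifier's.
VERIFIER_NOW = 1_700_000_000
ISSUER_NOW = VERIFIER_NOW + 3
TOKEN = encode_token({ 'iat' => ISSUER_NOW, 'exp' => ISSUER_NOW + 60 }, SECRET)

def outcomes
  tampered = TOKEN.sub(/.\z/) { |c| c == 'A' ? 'B' : 'A' }
  { strict_iat: verify_token(TOKEN, SECRET, now: VERIFIER_NOW, verify_iat: true),
    with_leeway: verify_token(TOKEN, SECRET, now: VERIFIER_NOW, verify_iat: true, iat_leeway: 5),
    iat_disabled: verify_token(TOKEN, SECRET, now: VERIFIER_NOW, verify_iat: false),
    expired: verify_token(TOKEN, SECRET, now: VERIFIER_NOW + 120, verify_iat: false),
    tampered: verify_token(tampered, SECRET, now: VERIFIER_NOW, verify_iat: false) }
end
```

With the IAT check off, the signature and `exp` checks still reject tampered and expired tokens; the model only enforces expiry when the token carries an `exp` claim.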