
Fix bugs in JWT issued to authenticate with glgo service

David Fernandez requested to merge 10io-fix-gcp-jwt-bugs into master

🌴 Context

In Add the GCP technical demo service (!139797 - merged) we introduced a jwt to use it for the GCP integration client.

During the verification on staging, we found two major bugs:

  1. The issuer value was wrong: #435732 (closed).
  2. The kid field did not match the oauth discovery endpoint: #435736 (closed).

This MR fixes both 🐛s.

🤔 What does this MR do and why?

  • Update the iss claim so that the value depends on the oidc_issuer_url feature flag.
  • Update the kid header field so that it matches what the oauth discovery endpoint has.

🖼 Screenshots or screen recordings

None

How to set up and validate locally

  1. In a local rails console:

     jwt = Integrations::GoogleCloudPlatform::Jwt.new(project: Project.first, user: User.first, claims: { audience: 'https://test.sandbox', wlif: '//test.wlif' })
     jwt.encoded

Now use https://jwt.io/ to decode the encoded string.

  • Note the kid field in the headers.
  • The issuer field has a protocol: e.g. http://gdk.test:8000 instead of gdk.test:8000

Navigate to http://gdk.test:8000/oauth/discovery/keys. There are two keys. One of them will have the exact same kid as the one you noted.

🎉

🛵 MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by David Fernandez
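The manual check described in the validation steps above (decode the token, note the kid, confirm it appears in the discovery keys, and confirm the iss carries a scheme) can be scripted. The following is an added example written for this page, not code from the merge request or from GitLab; it assumes a JWKS document shaped like the output of /oauth/discovery/keys, and every kid, modulus and claim value in it is constructed for the demo. It inspects structure only and does not verify the RS256 signature.

```python
import base64
import json
from urllib.parse import urlparse


def _b64url_decode(segment: str) -> bytes:
    # Compact JWS segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_jwt(token: str):
    """Split a compact JWS into (header, claims, raw signature bytes).

    The signature is NOT verified here; this is a structural check only,
    matching the manual jwt.io step in the MR description."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims, _b64url_decode(parts[2])


def find_key(jwks: dict, kid: str):
    """Return the JWK whose kid matches, or None (the discovery-endpoint check)."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid:
            return key
    return None


def check_token(token: str, jwks: dict, expected_issuer: str) -> list:
    """Return a list of findings; an empty list means both bugs are absent."""
    findings = []
    header, claims, _ = parse_jwt(token)

    # Bug 2 from the MR: the kid header must match a published discovery key.
    kid = header.get("kid")
    key = find_key(jwks, kid) if kid is not None else None
    if kid is None:
        findings.append("header has no kid")
    elif key is None:
        findings.append(f"kid {kid!r} not present in discovery keys")
    elif key.get("alg") and key.get("alg") != header.get("alg"):
        findings.append(f"header alg {header.get('alg')!r} differs from key alg {key['alg']!r}")

    # Bug 1 from the MR: iss must be the full issuer URL, scheme included.
    iss = claims.get("iss")
    if iss is None:
        findings.append("missing iss claim")
    else:
        parsed = urlparse(iss)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            findings.append(f"iss {iss!r} is not an absolute URL with a scheme")
        elif iss != expected_issuer:
            findings.append(f"iss {iss!r} does not equal expected issuer {expected_issuer!r}")
    return findings


def build_unsigned_token(header: dict, claims: dict) -> str:
    # Constructed token for the demo: the third segment is a placeholder,
    # not a real RS256 signature.
    segs = [_b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    return ".".join(segs + [_b64url_encode(b"placeholder-signature")])


# Constructed stand-in for /oauth/discovery/keys (two keys, as in the MR).
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "constructed-kid-aaaa",
     "n": "constructed-modulus-omitted", "e": "AQAB"},
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "constructed-kid-bbbb",
     "n": "constructed-modulus-omitted", "e": "AQAB"},
]}

EXPECTED_ISSUER = "http://gdk.test:8000"

# Token as it should look after the fix (constructed).
GOOD_TOKEN = build_unsigned_token(
    {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid-aaaa"},
    {"iss": EXPECTED_ISSUER, "aud": "https://test.sandbox", "sub": "constructed-subject"})

# Token reproducing both bugs: scheme-less iss and a kid the endpoint does not publish.
BAD_TOKEN = build_unsigned_token(
    {"alg": "RS256", "typ": "JWT", "kid": "constructed-stale-kid"},
    {"iss": "gdk.test:8000", "aud": "https://test.sandbox", "sub": "constructed-subject"})

if __name__ == "__main__":
    print("fixed token:", check_token(GOOD_TOKEN, SAMPLE_JWKS, EXPECTED_ISSUER))
    print("buggy token:", check_token(BAD_TOKEN, SAMPLE_JWKS, EXPECTED_ISSUER))
```

Pointing the script at a real token from `jwt.encoded` and the JSON returned by the discovery endpoint turns the two manual checks into a repeatable assertion; signature verification against the matched key would still need an RSA-capable library and is deliberately left out.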
