Cloud Connector: write UUID to JWT sub claim
What does this MR do and why?
This MR writes the GitLab instance UUID to the JSON Web Token we issue as a service access token to Cloud Connector services. It is good practice to describe the token receiver in the `sub` (subject) claim of a JWT, which we do here. This change here only applies to tokens self-issued on gitlab.com. A similar change for self-managed was made here: https://gitlab.com/gitlab-org/customers-gitlab-com/-/merge_requests/9491
I also dropped the unused `user` field, which had bothered me for a while now.
Not a user-facing change.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
- Set `GITLAB_SIMULATE_SAAS=1`
- In a rails console:

```ruby
[7] pry(main)> JWT.decode(CloudConnector::AccessService.new.access_token(scopes: [:test]), nil, false)
=> [{"jti"=>"3c16679f-ab5d-4838-8bff-45d4da9edb30",
  "aud"=>"gitlab-ai-gateway",
  "sub"=>"8f6e4253-58ce-42b9-869c-97f5c2287ad2",
  "iss"=>"http://local.gitlab.test:3000",
  "iat"=>1709820329,
  "nbf"=>1709820324,
  "exp"=>1709823929,
  "gitlab_realm"=>"saas",
  "scopes"=>["test"]},
 {"typ"=>"JWT", "alg"=>"RS256"}]
```
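The decode above is unverified (`nil, false`), so it only shows the claim layout. As an added example that is not part of this MR or of GitLab's code, the block below mimics the same claim set with a throwaway RSA key and shows what a receiving service should do with the `sub` claim: verify the RS256 signature, then reject tokens whose `sub` does not match the instance UUID it expects (alongside the `aud`, `nbf` and `exp` checks). The `issue_token`/`verify_token` helpers, the key and the UUID are all constructed for this example; the real issuing code lives in `CloudConnector::AccessService`.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

# Constructed example: builds a JWT with the same claims shown in the MR
# (jti, aud, sub, iss, iat, nbf, exp, gitlab_realm, scopes), signed with
# RS256 via OpenSSL only (no jwt gem), and validates it on the receiving side.

def base64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def base64url_decode(str)
  Base64.urlsafe_decode64(str) # accepts unpadded input
end

# Issue a token describing the GitLab instance (sub = instance UUID).
def issue_token(key:, instance_uuid:, audience:, issuer:, scopes:, now: Time.now.to_i, ttl: 3600)
  header  = { 'typ' => 'JWT', 'alg' => 'RS256' }
  payload = {
    'jti' => SecureRandom.uuid,
    'aud' => audience,
    'sub' => instance_uuid,   # the instance the token is issued for
    'iss' => issuer,
    'iat' => now,
    'nbf' => now - 5,         # small clock-skew allowance, as in the decoded sample
    'exp' => now + ttl,
    'gitlab_realm' => 'saas',
    'scopes' => scopes
  }
  signing_input = "#{base64url(JSON.generate(header))}.#{base64url(JSON.generate(payload))}"
  signature = key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{base64url(signature)}"
end

# Receiver-side validation. Returns [true, payload] or [false, reason].
# The signature is checked before any claim is trusted, and the alg is pinned
# so a token claiming "none" or an HMAC alg is rejected outright.
def verify_token(token, public_key:, expected_sub:, expected_aud:, now: Time.now.to_i)
  parts = token.split('.')
  return [false, 'malformed'] unless parts.length == 3
  h_b64, p_b64, s_b64 = parts

  header = JSON.parse(base64url_decode(h_b64))
  return [false, 'unexpected alg'] unless header['alg'] == 'RS256'

  sig_ok = public_key.verify(OpenSSL::Digest.new('SHA256'),
                             base64url_decode(s_b64), "#{h_b64}.#{p_b64}")
  return [false, 'bad signature'] unless sig_ok

  payload = JSON.parse(base64url_decode(p_b64))
  return [false, 'aud mismatch'] unless Array(payload['aud']).include?(expected_aud)
  return [false, 'sub mismatch'] unless payload['sub'] == expected_sub
  return [false, 'not yet valid'] if payload['nbf'] && now < payload['nbf']
  return [false, 'expired'] if payload['exp'] && now >= payload['exp']

  [true, payload]
end

if __FILE__ == $PROGRAM_NAME
  key  = OpenSSL::PKey::RSA.new(2048)                    # throwaway key, constructed
  uuid = '00000000-0000-4000-8000-000000000001'          # placeholder instance UUID
  token = issue_token(key: key, instance_uuid: uuid, audience: 'gitlab-ai-gateway',
                      issuer: 'http://local.gitlab.test:3000', scopes: ['test'])
  p verify_token(token, public_key: key.public_key, expected_sub: uuid, expected_aud: 'gitlab-ai-gateway')
  p verify_token(token, public_key: key.public_key, expected_sub: 'some-other-instance', expected_aud: 'gitlab-ai-gateway')
end
```

The second call illustrates the point of the MR from the receiver's side: once `sub` carries the instance UUID, a gateway can bind a token to the instance it was issued for instead of accepting any token that merely has the right audience.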
Related to #446068