
Cloud Connector: write UUID to JWT sub claim

Matthias Käppler requested to merge 446068-uuid-token-subject into master

What does this MR do and why?

This MR writes the GitLab instance UUID to the JSON Web Token we issue as a service access token to Cloud Connector services. It is good practice to describe the token receiver in the sub (subject) claim of a JWT, which we do here. This change here only applies to tokens self-issued on gitlab.com. A similar change for self-managed was made here: https://gitlab.com/gitlab-org/customers-gitlab-com/-/merge_requests/9491

I also dropped the unused user field, which had bothered me for a while now.

Not a user-facing change.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Set GITLAB_SIMULATE_SAAS=1
  2. In a rails console:

     [7] pry(main)> JWT.decode(CloudConnector::AccessService.new.access_token(scopes: [:test]), nil, false)
     => [{"jti"=>"3c16679f-ab5d-4838-8bff-45d4da9edb30",
          "aud"=>"gitlab-ai-gateway",
          "sub"=>"8f6e4253-58ce-42b9-869c-97f5c2287ad2",
          "iss"=>"http://local.gitlab.test:3000",
          "iat"=>1709820329,
          "nbf"=>1709820324,
          "exp"=>1709823929,
          "gitlab_realm"=>"saas",
          "scopes"=>["test"]},
         {"typ"=>"JWT", "alg"=>"RS256"}]
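As an added illustration (not the MR's or GitLab's own code), the claim set shown in the console session above can be issued and checked with nothing but Ruby's stdlib: the issuer puts the instance UUID in `sub`, and the receiving Cloud Connector service pins the algorithm, verifies the RS256 signature before trusting any claim, then requires the audience, a UUID-shaped subject and a valid time window. The key, issuer and `INSTANCE_UUID` are constructed placeholders.

```ruby
require "openssl"
require "json"
require "securerandom"

# Constructed sample instance UUID (placeholder, not a real GitLab instance).
INSTANCE_UUID = "00000000-1111-2222-3333-444444444444"

def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str.tr("-_", "+/")
  padded += "=" * ((4 - padded.length % 4) % 4)
  padded.unpack1("m0")
end

# Issue a token carrying the same claims as the console session above,
# with the instance UUID in `sub`, signed RS256 (PKCS#1 v1.5 + SHA-256).
def issue_token(key, instance_uuid:, scopes:, issuer:, now: Time.now.to_i)
  header  = { typ: "JWT", alg: "RS256" }
  payload = { jti: SecureRandom.uuid, aud: "gitlab-ai-gateway", sub: instance_uuid,
              iss: issuer, iat: now, nbf: now - 5, exp: now + 3600,
              gitlab_realm: "saas", scopes: scopes }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  signature = key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Receiver-side verification: pin the algorithm, check the signature before
# trusting any claim, then require the audience, a UUID-shaped subject and
# a valid time window. Raises RuntimeError with a short reason on failure.
def verify_token(token, pub_key, expected_aud:, now: Time.now.to_i)
  parts = token.split(".")
  raise "malformed" unless parts.length == 3
  h, p, s = parts
  header = JSON.parse(b64url_decode(h))
  raise "alg" unless header["alg"] == "RS256"
  digest = OpenSSL::Digest.new("SHA256")
  raise "bad signature" unless pub_key.verify(digest, b64url_decode(s), "#{h}.#{p}")
  claims = JSON.parse(b64url_decode(p))
  raise "aud" unless claims["aud"] == expected_aud
  raise "sub" unless claims["sub"].to_s.match?(/\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/)
  raise "exp" unless claims["exp"].is_a?(Integer) && claims["exp"] > now
  raise "nbf" unless claims["nbf"].is_a?(Integer) && claims["nbf"] <= now
  claims
end
```

A token whose payload is edited after signing (for example a swapped `sub`) fails at the signature step, so the subject check never runs on untrusted data.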

Related to #446068

Edited by Matthias Käppler
