
Cloud Connector: allow specifying JWT audience

Matthias Käppler requested to merge 451998-custom-audience into master

What does this MR do and why?

Not user facing.

We currently hard-code the AI gateway as the only supported audience in JWTs. In order to support multiple backends in Cloud Connector, we should make this claim configurable.

For GitLab.com, we now let callers pass this value when obtaining a SelfIssuedToken from CloudConnector::AccessService.

Implementation notes

I started to see a fair bit of boilerplate and duplication when obtaining the token, so I decided to move the call to access_token behind the AI gateway client class. It now provides a class method to issue the token, which in turn calls into the lower-level Cloud Connector interfaces. I think this makes for a better layering of abstractions since feature code now only needs to interface with the AI gateway abstraction.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

There should be no observable change.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

Related to #451998

Edited by Matthias Käppler
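
The point of a configurable audience is that each backend accepts only tokens issued for it, even though every backend trusts the same signing key. The sketch below is an added example, not code from this MR or from GitLab: `issue_token`, `verify_token`, the RS256 choice, the issuer and the `backend-*.example` audience values are all assumptions made for illustration.

```ruby
require "openssl"
require "base64"
require "json"

# Hypothetical helpers for illustration; not GitLab's Cloud Connector code.
def b64url(data)
  Base64.urlsafe_encode64(data, padding: false)
end

# Issuer side: the caller chooses the audience instead of it being hard-coded.
def issue_token(key, audience:, issuer: "issuer.example", ttl: 3600, now: Time.now.to_i)
  header = { alg: "RS256", typ: "JWT" }
  claims = { iss: issuer, aud: audience, iat: now, exp: now + ttl }
  signing_input = "#{b64url(header.to_json)}.#{b64url(claims.to_json)}"
  signature = key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Backend side: pin the algorithm, check signature and expiry, then require
# that this backend is named in aud. Returns [true, claims] or [false, reason].
def verify_token(token, public_key, expected_audience:, now: Time.now.to_i)
  parts = token.split(".")
  return [false, "malformed"] unless parts.size == 3

  header_b64, claims_b64, sig_b64 = parts
  header = JSON.parse(Base64.urlsafe_decode64(header_b64))
  return [false, "unexpected alg"] unless header["alg"] == "RS256"

  signature = Base64.urlsafe_decode64(sig_b64)
  signed = "#{header_b64}.#{claims_b64}"
  unless public_key.verify(OpenSSL::Digest.new("SHA256"), signature, signed)
    return [false, "bad signature"]
  end

  claims = JSON.parse(Base64.urlsafe_decode64(claims_b64))
  return [false, "expired"] unless claims["exp"].is_a?(Integer) && claims["exp"] > now
  # RFC 7519: aud may be a single string or an array of strings.
  return [false, "wrong audience"] unless Array(claims["aud"]).include?(expected_audience)

  [true, claims]
rescue ArgumentError, JSON::ParserError
  [false, "malformed"]
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048) # constructed throwaway key
  token = issue_token(key, audience: "backend-a.example")
  p verify_token(token, key.public_key, expected_audience: "backend-a.example").first
  p verify_token(token, key.public_key, expected_audience: "backend-b.example")
end
```

A token signed by the same key but minted for a different audience passes the signature check and is rejected only at the `aud` comparison, which is why every backend has to enforce it.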
