Cloud Connector: allow specifying JWT audience
What does this MR do and why?
Not user facing.
We currently hard-code the AI gateway as the only supported audience in JWTs. In order to support multiple backends in Cloud Connector, we should make this claim configurable.
For GitLab.com, we now let callers pass this value when obtaining a SelfIssuedToken from CloudConnector::AccessService.
Implementation notes
I started to see a fair bit of boilerplate and duplication when obtaining the token, so I decided to move the call to access_token behind the AI gateway client class. It now provides a class method to issue the token, which in return calls into the lower-level Cloud Connector interfaces. I think this makes for a better layering of abstractions since feature code now only needs to interface with the AI gateway abstraction.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
There should be no observable change.
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
Related to #451998
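An added example, not code from this MR or from GitLab: a minimal RS256 issuer that takes the audience as a parameter, and a backend-side check that rejects a token minted for a different backend. The helper names (`issue_token`, `verify_token`), the issuer `issuer.example` and the audience strings `ai-gateway` and `other-backend` are assumptions made up for illustration.

```ruby
require 'json'
require 'openssl'

# Hypothetical helpers for illustration; not the CloudConnector implementation.
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  (str + '=' * ((4 - str.length % 4) % 4)).tr('-_', '+/').unpack1('m0')
end

# Issuer side: the caller picks the audience instead of a hard-coded value.
def issue_token(private_key, audience:, ttl: 3600, now: Time.now.to_i)
  header  = { alg: 'RS256', typ: 'JWT' }
  payload = { iss: 'issuer.example', aud: audience, iat: now, exp: now + ttl }
  signing_input = [header, payload].map { |part| b64url(JSON.generate(part)) }.join('.')
  signature = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Backend side: returns the claims only when algorithm, signature, expiry
# and audience all check out; returns nil otherwise.
def verify_token(token, public_key, expected_audience:, now: Time.now.to_i)
  parts = token.split('.')
  return nil unless parts.length == 3

  header_b64, payload_b64, sig_b64 = parts
  return nil unless JSON.parse(b64url_decode(header_b64))['alg'] == 'RS256'

  signed = "#{header_b64}.#{payload_b64}"
  digest = OpenSSL::Digest.new('SHA256')
  return nil unless public_key.verify(digest, b64url_decode(sig_b64), signed)

  claims = JSON.parse(b64url_decode(payload_b64))
  return nil unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  # A token issued for another backend must not be accepted here.
  return nil unless Array(claims['aud']).include?(expected_audience)

  claims
rescue JSON::ParserError, ArgumentError, OpenSSL::PKey::PKeyError
  nil
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048) # constructed throwaway key
  token = issue_token(key, audience: 'other-backend')
  puts verify_token(token, key.public_key, expected_audience: 'other-backend').inspect
  puts verify_token(token, key.public_key, expected_audience: 'ai-gateway').inspect
end
```

Each backend passes its own identifier as `expected_audience`, so a validly signed token for one backend is useless against another.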