Use more meaningful audience in JWT ID token examples
What does this MR do and why?
This MR updates ID token generation examples in the documentation to use a JWT ID token `aud` value matching the intended recipient of the token.

The `aud` claim is described in RFC 7519 as follows:

> The "aud" (audience) claim identifies the recipients that the JWT is intended for.

The purpose of the `aud` claim is to identify the application / relying party that is intended to receive the JWT credential. This party is named explicitly in order to prevent an ID token with claims xyz issued to access Application 1 from being used to access Application 2 (provided they have similar or the same `bound_claims`). Essentially, not using `aud`, or not using the intended recipient in the `aud`, means a token could be reused across relying parties.

The examples use https://gitlab.example.com as the audience, which is the inverse of the token's actual audience. The token's audience is the Vault server, identified by https://vault.example.com elsewhere (hence why that value is used in these changes).

This also updates the example configuration for the JWT Auth Backend Role to include a `bound_audiences` assertion.
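As an added example (not part of this MR or of the GitLab docs), here is the audience check the relying party performs, with a minimal HS256 verifier standing in for Vault's RS256/JWKS validation: a token minted with `aud` set to https://gitlab.example.com is refused by a verifier configured for https://vault.example.com, which is exactly what `bound_audiences` enforces. `SECRET`, `NOW` and the function names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key: a real relying party such as Vault validates GitLab's
# RS256 signature against the instance JWKS, not a shared secret.
SECRET = b"constructed-demo-secret"
NOW = 1_700_000_000  # fixed clock so the example is deterministic


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict) -> str:
    """Build an HS256 JWT over the given claims (stand-in for a GitLab ID token)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, expected_aud: str, now: float = NOW) -> dict:
    """Check alg, signature, expiry and audience; raise ValueError on failure.
    The aud check is what Vault's bound_audiences enforces: accept only if
    expected_aud is the aud string or one entry of the aud array (RFC 7519)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never honour the alg the token asks for
    msg = f"{header_b64}.{payload_b64}".encode()
    if not hmac.compare_digest(hmac.new(SECRET, msg, hashlib.sha256).digest(),
                               _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise ValueError(f"audience mismatch: token is for {aud!r}, not {expected_aud!r}")
    return claims


def accepts(token: str, expected_aud: str, now: float = NOW) -> bool:
    """True if the relying party identified by expected_aud would accept the token."""
    try:
        verify_token(token, expected_aud, now)
        return True
    except ValueError:
        return False
```

The same check applied to a token whose `aud` is an array shows why naming the Vault server in the examples matters: only a token that lists the verifier's own identifier is accepted.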
Merge request reports
Activity
added Community contribution, workflow::in dev labels
assigned to @jbielick
added Hackathon label
mentioned in commit jbielick/gitlab@d80df670
added docs-only label
mentioned in merge request !150364 (merged)
mentioned in issue gitlab-org/quality/triage-reports#17374 (closed)
added documentation, group::pipeline execution labels
added devops::verify, section::ci labels
removed group::pipeline execution label
added group::pipeline security label
mentioned in issue gitlab-org/quality/triage-reports#17375 (closed)
mentioned in issue gitlab-org/quality/triage-reports#17376 (closed)
mentioned in issue gitlab-org/quality/triage-reports#17377 (closed)
changed milestone to %17.0
added type::maintenance label
@gitlab-bot ready
added workflow::ready for review label and removed workflow::in dev label
added tw::triaged label
requested review from @marcel.amirault
added Technical Writing, docs::improvement labels
@jbielick Thanks a lot! You are the second person to notice this recently, see !152182 (merged), which made identical changes to yours. I've merged that, but your addition of the `bound_audiences` section also makes sense, as we've added that in other examples previously. Thanks for the addition, LGTM!

1 Warning: 1c0e8f57: The commit body should not contain more than 72 characters per line. For more information, take a look at our Commit message guidelines.

1 Message: This merge request adds or changes documentation files. A review from the Technical Writing team before you merge is recommended. Reviews can happen after you merge.

Documentation review

The following files require a review from a technical writer:
- doc/ci/secrets/convert-to-id-tokens.md

The review does not need to block merging this merge request. See the:
- Metadata for the *.md files that you've changed. The first few lines of each *.md file identify the stage and group most closely associated with your docs change.
- The Technical Writer assigned for that stage and group.
- Documentation workflows for information on when to assign a merge request for review.

If needed, you can retry the danger-review job that generated this comment.
Generated by Danger
mentioned in commit 2bf1d65a
added workflow::staging-canary label and removed workflow::ready for review label
added workflow::canary label and removed workflow::staging-canary label
added workflow::staging label and removed workflow::canary label
added workflow::production label and removed workflow::staging label
added workflow::post-deploy-db-staging label and removed workflow::production label
Thanks, @marcel.amirault !
added released::candidate label
added released::published label and removed released::candidate label