Add authentication via JWT to CustomersDot internal API

What does this MR do and why?

Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/466368+

Add authentication via JWT to the GitLabSubscriptions internal API.

We want to be able to authenticate CustomersDot with JWT tokens, fetching the public key from CDot itself. This is an initial implementation. We only have one endpoint configured to send this type of token, and it's currently disabled behind a feature flag.

This will be followed up by an MR to:

  1. Introduce caching of the configuration and JWKs
  2. Migrate the CustomersDot endpoints not in the internal API namespaces to this auth method
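The verification flow this MR describes (the caller mints an RS256 JWT, the receiving API fetches the public key from a CustomersDot JWKS and validates the token) as an added, stand-alone example. This is illustrative code written for this page, not the MR's or GitLab's implementation; it uses only the Ruby standard library, so the JWKS is built in-process from a constructed key instead of being fetched over HTTP, and the `kid`, issuer and audience strings are hypothetical.

```ruby
require 'openssl'
require 'json'

# Constructed stand-in for the CustomersDot signing key (assumption: RS256, with
# the public half published as a JWKS). Key id, issuer and audience are hypothetical.
KEY_ID = 'cdot-signing-key-1'
ISSUER = 'customersdot'
AUDIENCE = 'gitlab-internal-api'
SIGNING_KEY = OpenSSL::PKey::RSA.new(2048)

# base64url without padding, as JWT/JWK require (stdlib only, no base64 gem).
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0')
end

# JWKS document as the verifying side would fetch it from CustomersDot.
def jwks_for(key, kid)
  { 'keys' => [{ 'kty' => 'RSA', 'use' => 'sig', 'alg' => 'RS256', 'kid' => kid,
                 'n' => b64url(key.n.to_s(2)), 'e' => b64url(key.e.to_s(2)) }] }
end

# Token as the calling side (CustomersDot) would mint it for one request.
def issue_token(key, kid, claims)
  header = { 'alg' => 'RS256', 'typ' => 'JWT', 'kid' => kid }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  signature = key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Rebuild an RSA public key from the JWK's n/e via a SubjectPublicKeyInfo DER.
def public_key_from_jwk(jwk)
  n = OpenSSL::BN.new(b64url_decode(jwk['n']), 2)
  e = OpenSSL::BN.new(b64url_decode(jwk['e']), 2)
  rsa_pub = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(n), OpenSSL::ASN1::Integer(e)])
  spki = OpenSSL::ASN1::Sequence([
    OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId('rsaEncryption'), OpenSSL::ASN1::Null(nil)]),
    OpenSSL::ASN1::BitString(rsa_pub.to_der)
  ])
  OpenSSL::PKey.read(spki.to_der)
end

# Receiving side. Returns [true, claims] on success, [false, reason] otherwise.
def verify_token(token, jwks, now: Time.now.to_i)
  parts = token.split('.')
  return [false, 'malformed token'] unless parts.length == 3
  header = JSON.parse(b64url_decode(parts[0]))
  # Pin the algorithm: the token's own alg header must never choose the verifier.
  return [false, 'unexpected alg'] unless header['alg'] == 'RS256'
  # Select the key by kid from the published JWKS; an unknown kid is rejected.
  jwk = jwks['keys'].find { |k| k['kty'] == 'RSA' && k['kid'] == header['kid'] }
  return [false, 'unknown kid'] unless jwk
  signature = b64url_decode(parts[2])
  signing_input = "#{parts[0]}.#{parts[1]}"
  unless public_key_from_jwk(jwk).verify(OpenSSL::Digest.new('SHA256'), signature, signing_input)
    return [false, 'bad signature']
  end
  # Claims are only trusted after the signature has been checked.
  claims = JSON.parse(b64url_decode(parts[1]))
  return [false, 'expired'] unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  return [false, 'wrong issuer'] unless claims['iss'] == ISSUER
  return [false, 'wrong audience'] unless claims['aud'] == AUDIENCE
  [true, claims]
rescue OpenSSL::PKey::PKeyError
  [false, 'bad signature']
rescue ArgumentError, JSON::ParserError
  [false, 'malformed token']
end

if __FILE__ == $PROGRAM_NAME
  jwks = jwks_for(SIGNING_KEY, KEY_ID)
  token = issue_token(SIGNING_KEY, KEY_ID,
                      { 'iss' => ISSUER, 'aud' => AUDIENCE, 'exp' => Time.now.to_i + 300 })
  p verify_token(token, jwks)
end
```

The receiver selects the key by `kid` from the JWKS rather than trusting anything embedded in the token, pins the algorithm to RS256, and checks `exp`, `iss` and `aud` only after the signature verifies. Once the follow-up MR adds JWKS caching, a `kid` that is absent from the cached set is the natural trigger for a refetch before rejecting the request.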

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

Start CustomersDot and the GDK.

  1. CustomersDot: Enable the use_jwt_auth_for_internal_api_call FF

  2. CustomersDot: Start a rails console, and query the GitLab User (this is the only migrated endpoint currently)

    irb(main):001> Gitlab::User.new(Order.last.customer.uid).username
    => "july-2024"
  3. CustomersDot: Check that using the admin token also works as expected

    [2] pry(main)> Client::GitlabApp.get("/api/v4/internal/gitlab_subscriptions/namespaces/1", { token: Client::GitlabApp::ADMIN_API_TOKEN })
    => {"id"=>1,
     "name"=>"Administrator",
     "path"=>"root",
     "kind"=>"user",
     "full_path"=>"root",
      ....}
  4. GDK: Check out master and try again (it should fail, as the auth is not implemented there)

    irb(main):002> Gitlab::User.new(Order.last.customer.uid).username
    => nil
Edited by Bishwa Hang Rai
