Update IAM service config to top-level iam_auth_service

What does this MR do and why?

This introduces changes to align the GitLab Rails IAM auth service configuration with the Helm chart structure (https://gitlab.com/gitlab-org/architecture/auth-architecture/sandbox-config/-/merge_requests/37+).

Key changes:

  • Replaces authn.iam_service with a top-level iam_auth_service section (nested http/grpc endpoints + secret_file)
  • url is now constructed at runtime from http.host/http.port (using http in development, https otherwise)
  • Renames audience to jwt_audience to match the chart schema
  • Introduces Authn::IamAuthService (lib/authn/iam_auth_service.rb), a centralized config module (following the Gitlab::Kas pattern) exposing enabled?, url, jwt_audience, secret, and IAM_AUTH_TOKEN_HEADER
  • Updates all callers to use the module instead of accessing Gitlab.config directly
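The shape of the config module described above, as an added illustration rather than the MR's own code: the plain config Hash, the env keyword standing in for Rails.env, the MissingSecretError class and the auth_headers helper are assumptions, and only url construction, secret_file handling and the header name follow what this MR describes.

```ruby
require 'tempfile'

# Illustrative stand-in for the Authn::IamAuthService module this MR describes
# (assumed shape, not the MR's code). `config` is a plain Hash mirroring the
# top-level iam_auth_service section of gitlab.yml; `env` stands in for Rails.env.
module IamAuthServiceExample
  IAM_AUTH_TOKEN_HEADER = 'Gitlab-Iam-Auth-Token'.freeze
  MissingSecretError = Class.new(StandardError)
  module_function

  def enabled?(config)
    config.fetch('enabled', false) == true
  end

  # url is derived at runtime from http.host/http.port: plain http in
  # development, https everywhere else, as the MR description states.
  def url(config, env:)
    http = config.fetch('http')
    scheme = env == 'development' ? 'http' : 'https'
    "#{scheme}://#{http.fetch('host')}:#{http.fetch('port')}"
  end

  def jwt_audience(config)
    config.fetch('jwt_audience')
  end

  # Reads the shared secret from secret_file and strips the trailing newline that
  # `echo` leaves behind. A missing or empty file raises instead of yielding a blank
  # token, which would otherwise only surface later as a 401 from the IAM service.
  def secret(config)
    path = config.fetch('secret_file')
    raise MissingSecretError, "secret_file #{path} not found" unless File.file?(path)
    value = File.read(path).strip
    raise MissingSecretError, "secret_file #{path} is empty" if value.empty?
    value
  end

  # Headers a caller such as AcceptLoginChallengeService would send to IAM.
  def auth_headers(config)
    { IAM_AUTH_TOKEN_HEADER => secret(config), 'Content-Type' => 'application/json' }
  end
end

# Constructed sample mirroring the gitlab.yml snippet in the testing steps, with
# the secret written to a temp file so the block runs offline.
SECRET_FILE = Tempfile.new('iam_auth_secret').tap { |f| f.puts 'dev-service-token-do-not-use-in-production'; f.flush }
EXAMPLE_CONFIG = {
  'enabled' => true, 'secret_file' => SECRET_FILE.path, 'jwt_audience' => 'gitlab-rails',
  'http' => { 'host' => 'gdk.test', 'port' => 8084 }, 'grpc' => { 'host' => 'gdk.test', 'port' => 8084 }
}.freeze
```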

Related to: https://gitlab.com/gitlab-org/gitlab/-/work_items/593447

References

Screenshots or screen recordings

How to test and validate

Prerequisites

Configuration

Gitlab Rails

  1. gitlab.yml

Add the following before # 4. Advanced settings:

iam_auth_service:
  enabled: true
  secret_file: <FULL_PATH_TO_HOME>/.gdk/iam-auth/.gitlab_iam_auth_secret
  http:
    host: "gdk.test"
    port: 8084
  grpc:
    host: "gdk.test"
    port: 8084
  jwt_audience: "gitlab-rails"
#
# 4. Advanced settings
  2. Create the token:

mkdir -p "$HOME/.gdk/iam-auth"
echo "dev-service-token-do-not-use-in-production" > "$HOME/.gdk/iam-auth/.gitlab_iam_auth_secret"

  3. Restart:

gdk restart

  4. Enable the feature:

Feature.enable(:iam_svc_login)

  5. Check local calls:

Gitlab::CurrentSettings.allow_local_requests_from_web_hooks_and_services?

If this returns false, set the setting to true, or enable it under Admin > Settings > Network > Outbound requests.
Without it, Gitlab::HTTP blocks requests to localhost (SSRF protection) and AcceptLoginChallengeService fails silently.

IAM service

  1. IAM service configuration (configs/environments/development-l2.toml):
[platform.database]
driver = "postgres"
host = "localhost"
port = 5430
ssl_mode = "disable"

[platform.cors]
allowed_origins = ["http://gdk.test:3000"]

[services.auth.base_url]
scheme = "http"
host = "gdk.test:8084"

[services.auth.oauth]
issuer  = "http://gdk.test:8084"
login_url = "http://gdk.test:3000/users/sign_in"
consent_url = "http://gdk.test:3000/iam/consent"

[services.auth.oauth_client]
gitlab_url = "http://gdk.test:3000"

[services.test-service]
setting = "value"
grpc_address = ":9001"
  2. Start the IAM service:

git checkout 593449/validate-secret-submux
make
make up
CONFIG_DIR=$(pwd)/configs bin/iam --serve auth

  3. Verify the service starts without errors and is reachable at http://gdk.test:8084/health.

  4. Register an OAuth client:

curl -s -X POST http://gdk.test:8084/oauth2/internal/clients \
  -H "Content-Type: application/json" \
  -H "Gitlab-Iam-Auth-Token: dev-service-token-do-not-use-in-production" \
  -d '{
    "client_id": "test-app",
    "secret": "test-secret",
    "redirect_uris": ["http://gdk.test:3000/callback"],
    "grant_types": ["authorization_code", "refresh_token"],
    "response_types": ["code"],
    "scopes": ["openid", "profile", "email"],
    "client_name": "Test Application",
    "public": false
  }'

Validate

Happy flow

With the valid token stored in /etc/gitlab/iam-auth/.gitlab_iam_auth_secret, navigate to the following URL to trigger the OAuth2 login flow:

http://gdk.test:8084/oauth2/authorize?client_id=test-app&redirect_uri=http://gdk.test:3000/callback&response_type=code&scope=openid+profile+email&state=my-random-state&code_challenge=skmf3Mb2Tce9ofM4L3evf7wvfCeAugd9zMgJqbPhegs&code_challenge_method=S256

The page should redirect to the GitLab sign-in page with a login_challenge parameter in the URL. After signing in, GitLab calls AcceptLoginChallengeService, which authenticates with the IAM service using the secret from secret_file and returns a redirect_to URL back to the IAM service.

This is the expected view: [screenshot]

Note: the 404 page is expected, as the consent flow is not provided yet.

Unhappy flow

Replace the token stored in /etc/gitlab/iam-auth/.gitlab_iam_auth_secret with something invalid, run gdk restart and navigate again to the link above: this time you should see this error:

[screenshot of the error]

And the following entry in log/auth_json.log:

{"severity":"ERROR","time":"2026-04-07T13:00:38.300Z","correlation_id":"01KNM0FPDYK66R7N2R9H39196N","meta.caller_id":"SessionsController#new","meta.feature_category":"system_access","message":"IAM login challenge accept failed","reason":"http_error","gl_user_id":1,"status":401,"iam_login_response_body":"{\"error\":\"Unauthorized\"}\n"}

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Daniele Bracciani
