
Generate JWT for authentication and provide it to CI jobs

Merged Krasimir Angelov requested to merge 207125-ci-jwt-auth into master
1 unresolved thread

What does this MR do?

Generate a JWT that can be used to authenticate with third parties that support JWT authentication (e.g. Vault - https://www.vaultproject.io/docs/auth/jwt/#jwt-authentication) and expose it to jobs as the predefined CI variable CI_JOB_JWT.

See #207125 (closed).

Screenshots

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by 🤖 GitLab Bot 🤖


Activity

  • Krasimir Angelov added 552 commits

  • added 1 commit

    • 161b8f12 - Implement generating signed JWT to be used in CI

  • Krasimir Angelov added 437 commits

  • Krasimir Angelov added 2 commits

    • ddc81b05 - Implement generating signed JWT to be used in CI
    • 8b98639e - Document usage of CI_JOB_JWT

  • added 1 commit

    • baa5446c - Document usage of CI_JOB_JWT

  • Krasimir Angelov added 2 commits

    • 4d51cd24 - Implement generating signed JWT to be used in CI
    • 91c548ce - Document usage of CI_JOB_JWT

  • Krasimir Angelov added 2 commits

    • 14e81ce8 - Implement generating signed JWT to be used in CI
    • 76ea4a5a - Document usage of CI_JOB_JWT

  • Tomasz Maczukin mentioned in issue #212252

  • Krasimir Angelov changed the description

  • Krasimir Angelov added 875 commits

  • Krasimir Angelov (Author, Maintainer)

    @dosuken123 Can you please complete the backend review for this MR? You already have a lot of context about this change, and I am trying to avoid any delay by bringing in another reviewer. I am hoping @ayufan will be able to do a maintainer review.

  • Krasimir Angelov assigned to @dosuken123

  • Krasimir Angelov unmarked as a Work In Progress

  • Krasimir Angelov changed the description

  • Shinya Maeda unassigned @dosuken123

  • Krasimir Angelov added 172 commits

  • Suzanne Selhorn approved this merge request

  • Krasimir Angelov assigned to @dosuken123

  • Krasimir Angelov marked the checklist item Changelog entry as completed

  • Krasimir Angelov marked the checklist item Documentation (if required) as completed

  • Krasimir Angelov marked the checklist item Label as security and @ mention @gitlab-com/gl-security/appsec as completed

  • Krasimir Angelov (Author, Maintainer)

    @ayufan I am still waiting on @dosuken123 to approve but want to check whether you will be able to do the maintainer review for this MR? Code-wise it's a pretty small change and I think you already have most of the context around it. Let me know if you are not able to make it and I'll find another maintainer. We really hope to get this into %12.10.

  • assigned to @ayufan

  • Shinya Maeda mentioned in issue #213972

  • Shinya Maeda approved this merge request

  • mentioned in issue #213974 (closed)

    • Resolved by Shinya Maeda

      @krasio Thanks. I'm really impressed by the idea of the JWT auth flow and really looking forward to seeing this happen in the near future. I left a bunch of comments for improving the code quality but feel free to follow up in a separate MR if you see this MR is urgent on our mission.

      I've approved this MR :thumbsup:

  • Shinya Maeda unassigned @dosuken123

  • Kamil Trzciński assigned to @dosuken123 and unassigned @ayufan

  • Krasimir Angelov added 270 commits

  • assigned to @ayufan

  • @krasio @ayufan I left a bunch of comments.

  • Shinya Maeda unassigned @dosuken123

    • Resolved by Shinya Maeda

      I would really like you to keep ref_protected_by as this holds the original glob used for defining the protection. Otherwise a token-consuming resource provider would need to implement the same globbing algorithms as GitLab does.

  • mentioned in issue #214294

  • Krasimir Angelov added 265 commits

  • Krasimir Angelov added 2 commits

    • 38c782f8 - Implement generating signed JWT to be used in CI
    • b7d7223e - Document usage of CI_JOB_JWT

  • added workflow::in review label and removed workflow::in dev label

  • Krasimir Angelov mentioned in merge request !25331 (closed)

  • Krasimir Angelov added 2 commits

    • b1f8638a - Implement generating signed JWT to be used in CI
    • 0426f1ef - Document usage of CI_JOB_JWT

  • I notice there is already an endpoint (undocumented?) to generate the JWT used by the Docker registry:

    curl -v -u gitlab-ci-token:$CI_JOB_TOKEN "https://gitlab.example.com/jwt/auth?account=gitlab-ci-token&client_id=any&offline_token=true&service=container_registry"

    Unfortunately the JWT cannot be validated because the certificate is not available, and there is no JWKS endpoint here.

    Maybe it would be good to be able to validate this JWT with the new JWKS endpoint (https://gitlab.example.com/oauth/discovery/keys).

    But these different URL paths will be confusing. Or add an alias/change the JWKS endpoint to /jwt/keys?

    Thanks!

  • mentioned in issue #28321 (closed)

    • Resolved by Shinya Maeda

      @krasio I answered. I'm pretty much fine with resolutions. I would likely ask to refine subject meaning to clearly indicate that subject is a build, as this is an actual object that is generator of the JWT. Can this be done in current arch?

  • Kamil Trzciński assigned to @dosuken123

  • Krasimir Angelov added 320 commits

    • 0426f1ef...2fdb6b9c - 316 commits from branch master
    • 82180652 - Implement generating signed JWT to be used in CI
    • 1a1463d9 - Document usage of CI_JOB_JWT
    • 3f2bbb31 - Use build.id as subject for CI_JOB_JWT
    • a9afd25c - Change default expire time for CI_JOB_JWT to 5 min

  • Krasimir Angelov added 152 commits

    • a9afd25c...3b1a068f - 145 commits from branch master
    • e4d07947 - Implement generating signed JWT to be used in CI
    • bf6e23e3 - Document usage of CI_JOB_JWT
    • 3b194e33 - Use build.id as subject for CI_JOB_JWT
    • be9e0379 - Change default expire time for CI_JOB_JWT to 5 min
    • 8dcdd442 - Add new /-/jwks route used to validate CI_JOB_JWT
    • 0dd976fb - Add warning to always restrict scope of Vault role
    • 562e5c40 - Decouple Gitlab::Ci::JWT from JSONWebToken

  • mentioned in issue #214607 (closed)

  • assigned to @ayufan

  • @ayufan @krasio I've approved this MR as-is. My only concern is !28063 (comment 320994080), whose security implication I'm not entirely sure about, so would you mind verifying it with @gitlab-com/gl-security/appsec once more in the follow-up issue? In case it turns out there is a security vulnerability, we can disable the token generation by disabling the feature flag, so at least we have a safeguard to quickly mitigate the problem.

    I looked at resolutions more from reviewer perspective. Would you be additional reviewer/maintainer of this?

    I'm not sure what this means, but you ask me to merge this as a maintainer, I can merge.

  • Shinya Maeda unassigned @dosuken123

  • assigned to @ayufan

  • @krasio I think it is good enough for us to merge it and iterate on it. I added a follow-up issue from unresolved comments.

  • Kamil Trzciński resolved all threads

  • mentioned in issue #214807 (closed)

  • Kamil Trzciński approved this merge request

  • Kamil Trzciński marked the checklist item Code review guidelines as completed

  • Kamil Trzciński marked the checklist item Merge request performance guidelines as completed

  • Kamil Trzciński marked the checklist item Style guides as completed

  • Kamil Trzciński marked the checklist item Separation of EE specific content as completed

  • Kamil Trzciński marked the checklist item Database guides as completed

  • mentioned in commit fbf2cde3

  • added workflow::staging label and removed workflow::in review label

  • added workflow::canary label and removed workflow::staging label

  • added workflow::production label and removed workflow::canary label

  • Krasimir Angelov mentioned in merge request !30702 (merged)

  • mentioned in issue #218692 (closed)

  • Krasimir Angelov mentioned in merge request !34249 (merged)

  • Krasimir Angelov mentioned in merge request !38762 (closed)

  • 🤖 GitLab Bot 🤖 changed the description

  • 🤖 GitLab Bot 🤖 added docs::improvement label and removed 1 deleted label

  • Krasimir Angelov mentioned in merge request !43950 (merged)

  • mentioned in issue #287824 (closed)

  • Marcel Amirault mentioned in merge request !72555 (merged)

  • mentioned in issue #451149 (closed)

  • Erick Bajao mentioned in issue #428129
