Secure JWT token Default Behavior
### Problem to Solve

There are three methods to use a JSON web token:

1. Old method using the `CI_JOB_JWT` (`secrets:` keyword)
2. Alpha version using the `CI_JOB_JWT_V2`
3. Production-ready OIDC using the following syntax

```yaml
auth_job:
  secrets:
    VAULT_JWT_1:
      id_token:
        aud: 'devs'
    STAGING_DATABASE_PASSWORD: # VAULT_JWT_1 is the token to be used
      vault: staging/db/password@ops
```

To use the production-ready OIDC, a project setting was introduced to avoid having a ~breaking change: by default it should behave more securely with new projects without breaking compatibility with existing projects.

### Proposal

* Always use the feature as if the setting is enabled (3rd option), also for existing projects that have this feature disabled
* Remove the ability to toggle this feature on/off, leaving the ability to add/remove projects to the job token scope

### Current Status

As we iterate on outbound permissions to make it easier to add projects faster than one at a time, we'll reconsider making this the default behavior in a major milestone.

### Implementation

**1. Enable OIDC setting for all projects**

Per https://gitlab.com/gitlab-org/gitlab/-/issues/391886#note_1286846867:

> The toggle being referred to in this issue is stored in the `project_ci_cd_settings` table as `opt_in_jwt`. The 2 main uses of it in the backend are in the [EE::BuildRunnerPresenter](https://gitlab.com/gitlab-org/gitlab/-/blob/d43cf186c0311ac73c3bf851e3cd693c0789fdb8/ee/app/presenters/ee/ci/build_runner_presenter.rb#L33) and the [CI::Build](https://gitlab.com/gitlab-org/gitlab/-/blob/d43cf186c0311ac73c3bf851e3cd693c0789fdb8/app/models/ci/build.rb#L1232) model.
>
> We can also remove the `opt_in_jwt` field from `project_ci_cd_settings`

This means we need to accomplish the following for the ~backend part:

- [ ] Remove all references of `ci_cd_settings.opt_in_jwt?` in the codebase
- [ ] [Drop the column](https://docs.gitlab.com/ee/development/database/avoiding_downtime_in_migrations.html#dropping-columns) `project_ci_cd_settings#opt_in_jwt`. This is a multi-step process; in this issue we will only track `ignore_column`.

**2. Remove toggle in the settings** ~"frontend-weight::2"

Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/391886

*After* the setting is enabled for all projects, we can remove this toggle from the settings (**Settings** > **CI/CD** > **Token Access**). This will be a cleanup of the code added from https://gitlab.com/gitlab-org/gitlab/-/merge_requests/92711.

![Screenshot_2023-03-09_at_17.37.45](/uploads/206a3583b654329c91e9afd666699f88/Screenshot_2023-03-09_at_17.37.45.png)
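
An added example, not part of the original issue or GitLab's code: a pre-migration check that flags jobs still relying on methods 1 and 2 from the Problem to Solve list, so they can be moved to the `id_token` syntax before the setting is forced on. It assumes the pipeline YAML is already parsed into a dict; `SAMPLE`, its job names and the Vault role are constructed, and the `id_token` check follows the syntax shown in this issue.

```python
import re

# Predefined variables of methods 1 and 2, written as $VAR or ${VAR}.
LEGACY_VAR = re.compile(r"\$\{?(CI_JOB_JWT(?:_V2)?)\b")

def audit_job(job: dict) -> list:
    """Return findings for one job definition (already parsed from YAML)."""
    findings, lines = [], []
    for key in ("before_script", "script", "after_script"):
        value = job.get(key, [])
        lines += [value] if isinstance(value, str) else list(value)
    used = {m for line in lines for m in LEGACY_VAR.findall(str(line))}
    findings += [f"script reads ${name}" for name in sorted(used)]
    secrets = job.get("secrets") or {}
    # Method 3 as written in this issue: some secrets entry declares an id_token.
    has_id_token = any(isinstance(v, dict) and "id_token" in v
                       for v in secrets.values())
    for name, spec in secrets.items():
        if isinstance(spec, dict) and "vault" in spec and not has_id_token:
            findings.append(f"secret {name} uses vault without an id_token")
    return findings

def audit_pipeline(pipeline: dict) -> dict:
    """Map job name -> findings, skipping non-job keys such as `stages`."""
    return {name: found for name, job in pipeline.items()
            if isinstance(job, dict) and (found := audit_job(job))}

# Constructed sample pipeline (hypothetical job names and Vault role).
SAMPLE = {
    "stages": ["test"],
    "legacy_secrets": {"secrets": {
        "STAGING_DATABASE_PASSWORD": {"vault": "staging/db/password@ops"}}},
    "legacy_script": {"script": [
        'vault write auth/jwt/login role=ci jwt="$CI_JOB_JWT_V2"']},
    "auth_job": {"secrets": {
        "VAULT_JWT_1": {"id_token": {"aud": "devs"}},
        "STAGING_DATABASE_PASSWORD": {"vault": "staging/db/password@ops"}}},
}

if __name__ == "__main__":
    for job_name, found in audit_pipeline(SAMPLE).items():
        print(job_name, found)
```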