Add user_identities to JWTs used by CI/CD jobs
# Problem statement

As an instance administrator, I want to ensure that shared GitLab runners are only used by users who have permission to execute on them.

# Proposed solution

Add a `user_identities` field to JWT V2 payloads when the GitLab instance is configured to do so. The `user_identities` field will contain the first 5 identities stored for the user.

In FOSS, each user identity in the payload will have the structure:

```json
{
  "extern_uid": "1",
  "provider": "gitlab"
}
```

In EE, each user identity will additionally have a `secondary_extern_uid` field:

```json
{
  "extern_uid": "1",
  "provider": "gitlab",
  "secondary_extern_uid": "1A"
}
```

The presence of the `user_identities` field in the JWT V2 payload will be determined by a toggle at the instance level. The toggle will default to `false`, meaning the `user_identities` field will not be present by default. The toggle value will be updatable via an API endpoint which instance administrators have permission to use.

## Implementation table

| Title | MR Link | Done? |
| ------ | ------ | ----- |
| Add toggle for enabling `user_identities` to database/models | https://gitlab.com/gitlab-org/gitlab/-/merge_requests/108477 | :white_check_mark: |
| Add `user_identities` field to `JwtV2` | !117541 | :white_check_mark: |
| Add API for changing the toggle | !117874 | :white_check_mark: |
| Document the new field | !118231 | :white_check_mark: |
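As an added example (not GitLab's own code), the following Python builds the `user_identities` claim in the shape described above and shows how a consumer of the JWT V2 payload, such as a runner-side policy, could use it to decide whether the job's user is permitted. The sample payload, the allowlist and the function names are constructed for illustration; the only page-derived facts are the claim structure and the limit of 5 identities.

```python
"""Build and consume the `user_identities` claim described in the issue."""

MAX_IDENTITIES = 5  # the issue states the claim carries the first 5 identities


def build_user_identities(identities, ee=False):
    """Return the claim value for a list of (extern_uid, provider[, secondary]) tuples.

    Only the first MAX_IDENTITIES entries are emitted; `secondary_extern_uid`
    is included only for EE, matching the two structures shown above.
    """
    claim = []
    for ident in identities[:MAX_IDENTITIES]:
        entry = {"extern_uid": str(ident[0]), "provider": ident[1]}
        if ee and len(ident) > 2:
            entry["secondary_extern_uid"] = ident[2]
        claim.append(entry)
    return claim


def is_permitted(payload, allowed):
    """Consumer-side check: `allowed` is a set of (provider, extern_uid) pairs.

    A payload without a well-formed `user_identities` list (for example when
    the instance toggle is off) is treated as not permitted, so the check
    fails closed instead of silently admitting every job.
    """
    identities = payload.get("user_identities")
    if not isinstance(identities, list):
        return False
    for ident in identities:
        if not isinstance(ident, dict):
            return False
        if (ident.get("provider"), ident.get("extern_uid")) in allowed:
            return True
    return False


# Constructed sample of a decoded JWT V2 payload with the toggle enabled.
# Signature verification of the token itself is assumed to happen before this.
SAMPLE_PAYLOAD = {
    "iss": "https://gitlab.example.com",
    "user_identities": build_user_identities([("1", "gitlab", "1A")], ee=True),
}

if __name__ == "__main__":
    print(is_permitted(SAMPLE_PAYLOAD, {("gitlab", "1")}))
```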