## Summary This issue is to roll out [AUTH-011: Workhorse OAuth proxy to IAM Auth Service](https://gitlab.com/gitlab-org/gitlab/-/issues/594504) on production, that is currently behind the `proxy_oauth_requests_to_iam_service` feature flag. Once enabled, Workhorse will consult Rails (`POST /-/oauth/iam_routing`) on every OAuth request and route the request to the IAM Auth Service when the FF is enabled for that OAuth application; otherwise the request is proxied to Rails as before. ## Owners - Most appropriate Slack channel to reach out to: `#g_sscs_authentication` - Best individual to reach out to: @sgarg_gitlab ## Expectations ### What are we expecting to happen? For each OAuth application the flag is enabled for, Workhorse routes the standardized OAuth endpoints (`/oauth/authorize`, `/oauth/authorize_device`, `/oauth/token`, `/oauth/revoke`, `/oauth/introspect`) to the IAM Auth Service. The user-visible OAuth flow should be indistinguishable from the Rails-served flow. For every other application the flag stays off and traffic continues to be served by Rails. ### What can go wrong and how would we detect it? - IAM Auth Service unavailable or 5xx → users of targeted apps cannot complete OAuth flows. Detection: increased 5xx on `/oauth/*` paths, drop in successful `oauth_application:auth` events, customer reports. - Behavioral divergence between IAM and Rails (different error shapes, scope handling, etc.) → silent contract breaks for integrations. - PreAuthorize endpoint latency regression → every OAuth request gains one Rails hop. Detection: p99 latency on `/oauth/*` in the Workhorse dashboard. Relevant dashboards on https://dashboards.gitlab.net: - Workhorse: https://dashboards.gitlab.net/d/workhorse-main - Rails Doorkeeper / OAuth endpoint latency: dashboard TBD (will update before staging rollout begins) **Kibana — production:** https://log.gprd.gitlab.net **Kibana — non-prod / staging:** https://nonprod-log.gitlab.net Suggested searches (open Kibana → Discover, then paste into the search bar): - All `iamproxy` routing decisions in Workhorse: `json.subcomponent : "workhorse" AND json.msg : "iamproxy: routing decision"` - OAuth 5xx errors: `json.path : "/oauth/*" AND json.status : [500 TO 599]` - PreAuthorize endpoint errors: `json.controller : "Oauth::IamRoutingController" AND json.status : [400 TO 599]` ## Actor type **Important — non-standard actor:** This flag uses `Authn::OauthApplication` as its actor (one row per OAuth client). The standard `--project`, `--group`, and `--user` chatops flags do not apply. Use `--actors=Authn::OauthApplication:<application-id>` instead. ## Rollout Steps Note: Please make sure to run the chatops commands in the Slack channel that gets impacted by the command. ### Prerequisites - [ ] MR A (this flag's infra) merged: gitlab-org/gitlab!236263 - [ ] MR B (Rails PreAuthorize endpoint) merged and deployed - [ ] Workhorse proxy MRs merged and deployed - [ ] `--iamServiceURL` configured in non-production environments - [ ] IAM Auth Service deployed in non-production environments ### Rollout on non-production environments - Verify the MR with the feature flag is merged to `master` and has been deployed to non-production environments with `/chatops gitlab run auto_deploy status <merge-commit-of-your-feature>` - [ ] Enable for a single test OAuth application in staging: `/chatops gitlab run feature set --actors=Authn::OauthApplication:<staging-app-id> proxy_oauth_requests_to_iam_service true --dev --pre --staging --staging-ref` - [ ] Monitor that error rates did not increase (repeat with additional applications as necessary). - [ ] Verify that the feature works as expected. The best environment to validate the feature in is [`staging-canary`](https://about.gitlab.com/handbook/engineering/infrastructure/environments/#staging-canary) as this is the first environment deployed to. Make sure you are [configured to use canary](https://next.gitlab.com/). - [ ] If the feature flag causes end-to-end tests to fail, disable the feature flag on staging to avoid blocking [deployments](https://about.gitlab.com/handbook/engineering/deployments-and-releases/deployments/). - See [`#e2e-run-staging` Slack channel](https://gitlab.enterprise.slack.com/archives/CBS3YKMGD) and look for the following messages: - test kicked off: `Feature flag proxy_oauth_requests_to_iam_service has been set to true on **gstg**` - test result: `This pipeline was triggered due to toggling of proxy_oauth_requests_to_iam_service feature flag` If you encounter end-to-end test failures and are unable to diagnose them, you may reach out to the [`#s_developer_experience` Slack channel](https://gitlab.enterprise.slack.com/archives/C07TWBRER7H) for assistance. Note that end-to-end test failures on `staging-ref` [don't block deployments](https://about.gitlab.com/handbook/engineering/infrastructure/environments/staging-ref/#how-to-use-staging-ref). ### Before production rollout - [ ] If the change is significant and you wanted to announce in [#whats-happening-at-gitlab](https://gitlab.enterprise.slack.com/archives/C0259241C), it best to do it before rollout to `gitlab-org/gitlab-com`. ### Specific rollout on production For visibility, all `/chatops` commands that target production must be executed in the [`#production` Slack channel](https://gitlab.slack.com/archives/C101F3796) and cross-posted (with the command results) to the responsible team's Slack channel. - Ensure that the feature MRs have been deployed to both production and canary with `/chatops gitlab run auto_deploy status <merge-commit-of-your-feature>` - [ ] Depending on the [type of actor](https://docs.gitlab.com/development/feature_flags/#feature-actors) you are using, pick one of these options: - For **OauthApplication-actor** (this flag): `/chatops gitlab run feature set --actors=Authn::OauthApplication:<application-id> proxy_oauth_requests_to_iam_service true` - For **project-actor**: `/chatops gitlab run feature set --project=gitlab-org/gitlab,gitlab-org/gitlab-foss,gitlab-com/www-gitlab-com proxy_oauth_requests_to_iam_service true` _(not applicable)_ - For **group-actor**: `/chatops gitlab run feature set --group=gitlab-org,gitlab-com proxy_oauth_requests_to_iam_service true` _(not applicable)_ - For **user-actor**: `/chatops gitlab run feature set --user=sgarg_gitlab proxy_oauth_requests_to_iam_service true` _(not applicable)_ - For **all internal users**: `/chatops gitlab run feature set --feature-group=gitlab_team_members proxy_oauth_requests_to_iam_service true` _(not applicable)_ - [ ] Verify that the feature works for the specific actors. ### Preparation before global rollout - [ ] Set a milestone to this rollout issue to signal for enabling and removing the feature flag when it is stable. - [ ] Check if the feature flag change needs to be accompanied with a [change management issue](https://about.gitlab.com/handbook/engineering/infrastructure-platforms/change-management/#feature-flags-and-the-change-management-process). Cross link the issue here if it does. - [ ] Ensure that you or a representative in development can be available for at least 2 hours after feature flag updates in production. If a different developer will be covering, or an exception is needed, please inform the oncall SRE by using the `@sre-oncall` Slack alias. - [ ] Ensure that documentation exists for the feature, and the [version history text](https://docs.gitlab.com/development/documentation/feature_flags/#add-history-text) has been updated. - [ ] Ensure that any breaking changes have been announced following the [release post process](https://about.gitlab.com/handbook/marketing/blog/release-posts/#deprecations-removals-and-breaking-changes) to ensure GitLab customers are aware. - [ ] Notify the [`#support_gitlab-com` Slack channel](https://gitlab.slack.com/archives/C4XFU81LG) and your team channel ([more guidance when this is necessary in the dev docs](https://docs.gitlab.com/development/feature_flags/controls/#communicate-the-change)). - [ ] If this flag is or may be queried by external API consumers (for example, IDE extensions, Duo CLI, or CI integrations), follow the [external API consumer guidance](https://docs.gitlab.com/development/feature_flags/#do-not-use-feature-flags-in-external-api-consumers) and ensure a fail-open mechanism is in place before the rollout milestone is finalised. **OAuth IS queried by external API consumers** — fail-open behavior in Workhorse (route to Rails on IAM error) must be in place. ### Global rollout on production For visibility, all `/chatops` commands that target production must be executed in the [`#production` Slack channel](https://gitlab.slack.com/archives/C101F3796) and cross-posted (with the command results) to the responsible team's Slack channel. - [ ] [Incrementally roll out](https://docs.gitlab.com/development/feature_flags/controls/#process) the feature on production. - Example: `/chatops gitlab run feature set proxy_oauth_requests_to_iam_service <rollout-percentage> --actors`. - Between every step wait for at least 15 minutes and monitor the appropriate graphs on https://dashboards.gitlab.net. - [ ] After the feature has been 100% enabled, wait for [at least one day before releasing the feature](#release-the-feature). ### (Optional) Release the feature with the feature flag **WARNING:** This approach has the downside that it makes it difficult for us to [clean up](https://docs.gitlab.com/development/feature_flags/controls/#cleaning-up) the flag. For example, on-premise users could disable the feature on their GitLab instance. But when you remove the flag at some point, they suddenly see the feature as enabled and they can't roll it back to the previous behavior. To avoid this potential breaking change, use this approach only for urgent matters. **Not applicable to this rollout.** This flag is `gitlab_com_derisk` and is intended to be removed entirely after cutover, per AUTH-011 Phase 5. We will not ship with `default_enabled: true`; instead see [Release the feature](#release-the-feature) below. ### Release the feature After the feature has been [deemed stable](https://about.gitlab.com/handbook/product-development-flow/feature-flag-lifecycle/#including-a-feature-behind-feature-flag-in-the-final-release), the [clean up](https://docs.gitlab.com/development/feature_flags/controls/#cleaning-up) should be done as soon as possible to permanently enable the feature and reduce complexity in the codebase. - [ ] Create a merge request to remove the `proxy_oauth_requests_to_iam_service` feature flag. Ask for review/approval/merge as usual. The MR should include the following changes: - Remove all references to the feature flag from the codebase (Rails `Oauth::IamRoutingController` and Workhorse routing). - Remove the YAML definition for the feature from the repository. - [ ] Ensure that the cleanup MR has been included in the release package. If the merge request was deployed before [the monthly release was tagged](https://about.gitlab.com/handbook/engineering/releases/#self-managed-releases-1), the feature can be officially announced in a release blog post: `/chatops gitlab run release check <merge-request-url> <milestone>` - [ ] Close [the feature issue](https://gitlab.com/gitlab-org/gitlab/-/issues/594504) to indicate the feature will be released in the current milestone. - [ ] Once the cleanup MR has been deployed to production, clean up the feature flag from all environments by running these chatops command in `#production` channel: `/chatops gitlab run feature delete proxy_oauth_requests_to_iam_service --dev --pre --staging --staging-ref --production` - [ ] Close this rollout issue. ## Rollback Steps - [ ] This feature can be disabled on production by running the following Chatops command: ``` /chatops gitlab run feature set proxy_oauth_requests_to_iam_service false ``` - [ ] Disable for a specific application: ``` /chatops gitlab run feature set --actors=Authn::OauthApplication:<app-id> proxy_oauth_requests_to_iam_service false ``` - [ ] Disable the feature flag on non-production environments: ``` /chatops gitlab run feature set proxy_oauth_requests_to_iam_service false --dev --pre --staging --staging-ref ``` - [ ] Delete feature flag from all environments: ``` /chatops gitlab run feature delete proxy_oauth_requests_to_iam_service --dev --pre --staging --staging-ref --production ```