Authorise OIDC token against CustomersDot public key

Nikola Milojevic requested to merge nmilojevic-sync-oidc-from-cdot into main

Problems to solve

We will soon start issuing OIDC tokens from CustomersDot so that self-managed customers can access AI services operated by us: gitlab-org/customers-gitlab-com#6860 (closed)

This means that the model gateway will have to validate not only tokens issued by SaaS/gitlab-rails but also tokens issued by CustomersDot. This will also require syncing and caching the OIDC public key from that system via its OIDC discovery endpoints, as we already do with SaaS.

Proposed solution

The model gateway will sync and cache public keys from both gitlab.com and CustomersDot via their corresponding OIDC discovery endpoints:

Block highlighted in #e9967a is part of this MR.

[11] The model gateway will try to decode the provided token with all keys from both CDot and GitLab.com.

Blocked by OIDC discovery endpoints MR: https://gitlab.com/gitlab-org/customers-gitlab-com/-/merge_requests/7778+

How to test locally

  1. Checkout this branch

  2. Run https://gitlab.com/gitlab-org/customers-gitlab-com in your local environment (on localhost:5000).

  3. Get a JWT token by running the following command in the Rails console of your local customers-gitlab-com checkout (main branch).

    jwt_token = ::Auth::JsonWebToken.new(
      audience: ::Auth::JsonWebToken::JWT_AUDIENCE_CODE_SUGGESTIONS,
      customer_id: Customer.last.id
    ).encode
  4. Update the .env file in the root folder with the following variables.

    GITLAB_URL=https://gitlab.com
    CUSTOMER_PORTAL_BASE_URL=http://host.docker.internal:5000/
    AUTH_BYPASS_EXTERNAL=false
    # Testing & development
    USE_FAKE_MODELS=true
    
  5. Build a local Docker image

    docker buildx build --platform linux/amd64 -t code-suggestions-api:dev .

    Note: In case of a docker-build error, please see: #208 (comment 1479566642)

  6. Run the local Docker image (can be replaced with Docker Compose).

    docker run --platform linux/amd64 --rm -p 5001:5000 -v $PWD:/app -it --add-host=host.docker.internal:host-gateway code-suggestions-api:dev
  7. Run a cURL command to check the authentication, using the jwt_token generated in Step 3.

      curl -vvv --request POST \
      --url 'http://localhost:5001/v2/completions' \
      --header 'X-Gitlab-Authentication-Type: oidc' \
      --header 'Authorization: Bearer <jwt_token>' \
      --header 'Content-Type: application/json' \
      --data '{
        "prompt_version": 1,
        "project_path": "awesome_project",
        "project_id": 23,
        "current_file": {
          "file_name": "main.py",
          "content_above_cursor": "\"\"\"\nImplement fastapi middleware to log all incoming requests\"\"\"\n",
          "content_below_cursor": "scoopy doo"
        }
      }'
  8. You should get the response:

    {"id":"id","model":{"engine":"","name":""},"object":"text_completion","created":1689862537,"choices":[{"text":"fake code suggestion from GitLab Codegen","index":0,"finish_reason":"length"}]} 

Related to: Sync OIDC public key from CustomersDot (#182 - closed)

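The validation flow described in this MR, as an added example that is not the MR's or the model gateway's code: a Python model of a gateway that syncs the signing keys published by two issuers (GitLab.com and CustomersDot), merges them, and verifies RS256 tokens against them. Everything here is constructed for the demonstration. The RSA key generation and PKCS#1 v1.5 signing are stdlib-only toys so the script runs offline (a real gateway would use PyJWT or cryptography for that part); fetch_jwks stands in for fetching {issuer}/.well-known/openid-configuration and the jwks_uri it names; the issuer URLs, key ids and the audience string "code-suggestions" are assumptions, since the page does not give the value of JWT_AUDIENCE_CODE_SUGGESTIONS. The example goes a step beyond "try all keys from both CDot and GitLab.com": every key is stored under the issuer it was fetched from and only tried for tokens whose iss claim names that issuer, and the algorithm is pinned to RS256 so the token header cannot select none or an HMAC algorithm.

```python
import base64
import hashlib
import json
import random
import time

# DER DigestInfo prefix for SHA-256 (RFC 8017 section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _is_probable_prime(n, rounds=16):  # Miller-Rabin; for the toy key generation only
    r = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 == d * 2**r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(r - 1)):
            return False  # witness found: n is composite
    return True

def gen_rsa(bits=1024, e=65537):  # toy RSA key pair as plain integers (demo only)
    def prime(k):  # random k-bit odd candidates until one is probably prime
        return next(c for c in iter(lambda: random.getrandbits(k) | (1 << (k - 1)) | 1, None)
                    if _is_probable_prime(c))
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def _emsa_pkcs1_v15(msg, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(msg) into k bytes
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(pub, msg, sig):  # compares the whole encoding: no lenient padding parse
    k = (pub["n"].bit_length() + 7) // 8
    return len(sig) == k and _emsa_pkcs1_v15(msg, k) == pow(
        int.from_bytes(sig, "big"), pub["e"], pub["n"]).to_bytes(k, "big")

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwks_for(kid, key):  # the JWK Set an issuer serves at the jwks_uri of its discovery document
    enc = lambda i: b64u(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": enc(key["n"]), "e": enc(key["e"])}]}

def issue_token(key, kid, iss, aud, sub, ttl=300):
    now = int(time.time())
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    claims = {"iss": iss, "aud": aud, "sub": sub, "iat": now, "exp": now + ttl}
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    return signing_input + "." + b64u(rs256_sign(key, signing_input.encode()))

def sync_keys(fetch_jwks, issuers):
    """Merged signing keys of all trusted issuers, keyed by (issuer, kid) so a key fetched
    from one issuer can never validate a token that claims the other. fetch_jwks(issuer)
    stands in for GET {issuer}/.well-known/openid-configuration, then GET of its jwks_uri."""
    keys = {}
    for iss in issuers:
        for jwk in fetch_jwks(iss).get("keys", []):
            if jwk.get("kty") == "RSA" and jwk.get("use", "sig") == "sig":  # skip encryption keys
                keys[(iss, jwk["kid"])] = {"n": int.from_bytes(b64u_dec(jwk["n"]), "big"),
                                           "e": int.from_bytes(b64u_dec(jwk["e"]), "big")}
    return keys

def verify_token(token, keys, trusted_issuers, audience):  # verified claims, or None
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, claims = json.loads(b64u_dec(h_b64)), json.loads(b64u_dec(p_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    # Pin the algorithm; never let the token header choose it (rejects "none" and HS256).
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "RS256":
        return None
    if claims.get("iss") not in trusted_issuers:
        return None
    # As in the MR, try every synced key, but only the claimed issuer's, and only the header's kid if named.
    candidates = [k for (i, kid), k in keys.items()
                  if i == claims["iss"] and header.get("kid") in (None, kid)]
    if not any(rs256_verify(k, f"{h_b64}.{p_b64}".encode(), b64u_dec(s_b64)) for k in candidates):
        return None
    if claims.get("aud") != audience or claims.get("exp", 0) <= time.time():
        return None
    return claims

def demo():  # constructed scenario: two issuers, one rogue key, five tokens to check
    gitlab_key, cdot_key, rogue_key = gen_rsa(), gen_rsa(), gen_rsa()
    gitlab_iss, cdot_iss = "https://gitlab.com", "http://host.docker.internal:5000"
    audience = "code-suggestions"  # assumed; the real JWT_AUDIENCE_CODE_SUGGESTIONS is not on the page
    published = {gitlab_iss: jwks_for("gitlab-key-1", gitlab_key), cdot_iss: jwks_for("cdot-key-1", cdot_key)}
    keys = sync_keys(lambda iss: published[iss], published)
    good_cdot = issue_token(cdot_key, "cdot-key-1", cdot_iss, audience, "customer-42")
    tokens = {"cdot": good_cdot,
              "gitlab": issue_token(gitlab_key, "gitlab-key-1", gitlab_iss, audience, "user-7"),
              "forged": issue_token(rogue_key, "cdot-key-1", cdot_iss, audience, "customer-42"),
              "wrong_aud": issue_token(cdot_key, "cdot-key-1", cdot_iss, "other-service", "customer-42"),
              "none_alg": b64u(b'{"alg":"none"}') + "." + good_cdot.split(".")[1] + "."}
    return {name: verify_token(tok, keys, set(published), audience) for name, tok in tokens.items()}
```

demo() returns the claims for the two genuine tokens and None for the rest: the token signed with a key that appears in neither JWKS document, the token minted for another audience, and the alg=none token. The gateway would hold the dict returned by sync_keys and re-sync it on a TTL (and on an unknown kid) rather than calling the discovery endpoints per request. Binding keys to (issuer, kid) is the one place this goes beyond "try all keys from both": a CustomersDot key can never make a token that claims iss=gitlab.com valid, which matters as soon as anything downstream treats the two issuers differently.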