Authorise OIDC token against CustomersDot public key
Problems to solve
We will soon start issuing OIDC tokens from CustomersDot so that self-managed customers can access AI services operated by us: gitlab-org/customers-gitlab-com#6860 (closed)
This means that the model gateway will have to validate tokens issued not only by SaaS/gitlab-rails but also by CustomersDot. It will also require syncing and caching the OIDC public key from that system via its OIDC discovery endpoint, as we already do for SaaS.
Proposed solution
Model gateway will sync and cache public keys from both gitlab.com and CustomersDot from corresponding OIDC discovery endpoints:
- https://gitlab.com/.well-known/openid-configuration
- https://customers.gitlab.com/.well-known/openid-configuration
The block highlighted in #e9967a in the diagram is the part covered by this MR: the model gateway will try to decode the provided token with all keys from both CDot and GitLab.com.
Blocked by OIDC discovery endpoints MR: https://gitlab.com/gitlab-org/customers-gitlab-com/-/merge_requests/7778+
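To make the key-sync and "try every cached key" behaviour concrete, here is an added, self-contained illustration of the flow described above. It is example code written for this description, not the model gateway's own implementation. It assumes two constructed discovery documents (only `issuer` and `jwks_uri` are read from them, and the `jwks_uri` values are placeholders), a fake JWKS fetcher in place of HTTP, and a placeholder audience string in place of `JWT_AUDIENCE_CODE_SUGGESTIONS`. The real issuers publish RSA keys verified with RS256; the example uses symmetric `oct` JWKs verified with HMAC-SHA256 purely so it runs offline on the standard library, and the `hs256_sign` helper would be swapped for an RSA verifier in practice.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins for the two discovery documents the gateway would fetch from
# https://gitlab.com/.well-known/openid-configuration and
# https://customers.gitlab.com/.well-known/openid-configuration. The jwks_uri values are placeholders.
DISCOVERY_DOCS = {
    "https://gitlab.com": {"issuer": "https://gitlab.com",
                           "jwks_uri": "https://gitlab.com/PLACEHOLDER-jwks"},
    "https://customers.gitlab.com": {"issuer": "https://customers.gitlab.com",
                                     "jwks_uri": "https://customers.gitlab.com/PLACEHOLDER-jwks"},
}
AUDIENCE = "PLACEHOLDER-code-suggestions-audience"  # stands in for JWT_AUDIENCE_CODE_SUGGESTIONS


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed JWKS documents, one per issuer. Production keys are RSA public keys;
# symmetric "oct" keys are used here only so the example verifies offline.
FAKE_JWKS = {
    DISCOVERY_DOCS["https://gitlab.com"]["jwks_uri"]: {"keys": [
        {"kty": "oct", "kid": "gitlab-key-1", "alg": "HS256", "k": b64url_encode(b"constructed-gitlab-secret")}]},
    DISCOVERY_DOCS["https://customers.gitlab.com"]["jwks_uri"]: {"keys": [
        {"kty": "oct", "kid": "cdot-key-1", "alg": "HS256", "k": b64url_encode(b"constructed-cdot-secret")}]},
}


def fake_fetch_jwks(jwks_uri: str) -> dict:
    """Replaces the HTTP GET of each issuer's jwks_uri."""
    return FAKE_JWKS[jwks_uri]


class MultiIssuerKeyCache:
    """Caches signing keys from every configured OIDC issuer, indexed by (issuer, kid)."""

    def __init__(self, discovery_docs: dict, fetch_jwks):
        self._docs = discovery_docs
        self._fetch = fetch_jwks
        self._keys = {}

    def refresh(self) -> int:
        """Re-sync keys from all issuers; returns the number of cached keys."""
        fresh = {}
        for doc in self._docs.values():
            for jwk in self._fetch(doc["jwks_uri"])["keys"]:
                fresh[(doc["issuer"], jwk["kid"])] = jwk
        self._keys = fresh
        return len(self._keys)

    def candidates(self, kid=None):
        """Every cached key from both issuers, narrowed to one kid when the token header names it."""
        return [(iss, jwk) for (iss, k), jwk in self._keys.items() if kid is None or k == kid]


def hs256_sign(jwk: dict, signing_input: bytes) -> bytes:
    return hmac.new(b64url_decode(jwk["k"]), signing_input, hashlib.sha256).digest()


def sign_token(jwk: dict, claims: dict) -> str:
    """Issue a compact JWT with the given key; used here only to build sample tokens."""
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    signing_input = f"{b64url_encode(json.dumps(header).encode())}.{b64url_encode(json.dumps(claims).encode())}"
    return f"{signing_input}.{b64url_encode(hs256_sign(jwk, signing_input.encode()))}"


def decode_token(token: str, cache: MultiIssuerKeyCache, audience: str, now=None) -> dict:
    """Try the token against every cached key; on a signature match, bind iss to that key's issuer
    and check aud and exp before returning the claims. Raises ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never fall through to "none" or an unexpected algorithm
        raise ValueError("unsupported alg")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    sig = b64url_decode(sig_b64)
    for issuer, jwk in cache.candidates(header.get("kid")):
        if not hmac.compare_digest(hs256_sign(jwk, signing_input), sig):
            continue
        claims = json.loads(b64url_decode(payload_b64))
        if claims.get("iss") != issuer:
            raise ValueError("iss claim does not match the issuer that published the key")
        aud = claims.get("aud")
        if audience not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("audience mismatch")
        if claims.get("exp", 0) <= now:
            raise ValueError("token expired")
        return claims
    raise ValueError("signature did not verify against any cached key")
```

When the header carries a `kid`, `candidates` narrows the search to that key, which is what makes the "try all keys" loop cheap; a token without a `kid` is still tried against every key from both issuers. The `iss` check after a successful signature match is the detail worth keeping: it ties the claim to the issuer whose JWKS actually contained the key, so a token signed by one issuer cannot present itself as the other's.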
How to test locally
1. Checkout this branch.
2. Run https://gitlab.com/gitlab-org/customers-gitlab-com on a local environment (localhost:5000).
3. Get a JWT token by running the following command in a Rails console for the local customers-gitlab-com main:
   ```ruby
   jwt_token = ::Auth::JsonWebToken.new(
     audience: ::Auth::JsonWebToken::JWT_AUDIENCE_CODE_SUGGESTIONS,
     customer_id: Customer.last.id
   ).encode
   ```
4. Update the .env file in the root folder with the following variables:
   ```
   GITLAB_URL=https://gitlab.com
   CUSTOMER_PORTAL_BASE_URL=http://host.docker.internal:5000/
   AUTH_BYPASS_EXTERNAL=false
   # Testing & development
   USE_FAKE_MODELS=true
   ```
5. Build a local Docker image:
   ```shell
   docker buildx build --platform linux/amd64 -t code-suggestions-api:dev .
   ```
   Note: In case of a docker-build error, please see: #208 (comment 1479566642)
6. Run the local Docker image (can be replaced with Docker Compose):
   ```shell
   docker run --platform linux/amd64 --rm -p 5001:5000 -v $PWD:/app -it --add-host=host.docker.internal:host-gateway code-suggestions-api:dev
   ```
7. Run a cURL command to check the authentication, using the jwt_token generated in Step 3:
   ```shell
   curl -vvv --request POST \
     --url 'http://localhost:5001/v2/completions' \
     --header 'X-Gitlab-Authentication-Type: oidc' \
     --header 'Authorization: Bearer <jwt_token>' \
     --header 'Content-Type: application/json' \
     --data '{
       "prompt_version": 1,
       "project_path": "awesome_project",
       "project_id": 23,
       "current_file": {
         "file_name": "main.py",
         "content_above_cursor": "\"\"\"\nImplement fastapi middleware to log all incoming requests\"\"\"\n",
         "content_below_cursor": "scoopy doo"
       }
     }'
   ```
8. You should get the response:
   ```json
   {"id":"id","model":{"engine":"","name":""},"object":"text_completion","created":1689862537,"choices":[{"text":"fake code suggestion from GitLab Codegen","index":0,"finish_reason":"length"}]}
   ```
Related to: Sync OIDC public key from CustomersDot (#182 - closed)