Secure JWT token Default Behavior
Problem to Solve
There are three methods to use a JSON web token:
- the old method using CI_JOB_JWT (via the secrets: keyword)
- the alpha version using CI_JOB_JWT_V2
- the production-ready OIDC method using the following syntax:
auth_job:
  secrets:
    VAULT_JWT_1:
      id_token:
        aud: 'devs'
    STAGING_DATABASE_PASSWORD: # VAULT_JWT_1 is the token to be used
      vault: staging/db/password@ops
To use the production-ready OIDC method, a project setting was introduced to avoid a breaking change: by default it should behave more securely for new projects without breaking compatibility with existing projects.
Proposal
- Always behave as if the setting is enabled (the third option), including for existing projects that currently have this feature disabled
- Remove the ability to toggle this feature on/off, keeping the ability to add/remove projects in the job token scope
Current Status
As we iterate on outbound permissions to make it easier to add projects faster than one at a time, we'll reconsider making this the default behavior in a major milestone.
Implementation
1. Enable OIDC setting for all projects
Per #391886 (comment 1286846867):
The toggle being referred to in this issue is stored in the project_ci_cd_settings table as opt_in_jwt. The 2 main uses of it in the backend are in the EE::BuildRunnerPresenter and the CI::Build model. We can also remove the opt_in_jwt field from project_ci_cd_settings.
This means we need to accomplish the following for the backend part:
- Remove all references of ci_cd_settings.opt_in_jwt? in the codebase
- Drop the column project_ci_cd_settings#opt_in_jwt; this is a multi-step process, and in this issue we will only track ignore_column.
2. Remove the toggle in the settings frontend
Issue: #391886 (closed)
After the setting is enabled for all projects, we can remove this toggle from the settings (Settings > CI/CD > Token Access). This will be a cleanup of the code added in !92711 (merged).