Allow users to add JWT audiences or disable audience verification with reverse proxies
Problem
When users configure the GitLab for Jira Cloud app with a reverse proxy, the process can be complex and error-prone. A common issue arises when the JWT audience claim doesn't match the expected value due to discrepancies between the reverse proxy FQDN and the internal GitLab FQDN.
This mismatch occurs because the JWT token is generated using the reverse proxy FQDN, while GitLab validates it using the internal FQDN. As a result, the audience verification fails.
Failed to update the GitLab instance
In the backend, you will see this error:
Invalid audience. Expected https://proxy.example.com/-/jira_connect, received https://gitlab.example.com/-/jira_connect
The problem can be fixed by configuring the reverse proxy correctly, but it is not always possible to correct it at the reverse proxy level.
Proposed Solutions
Option 1: Allow Additional Audiences
This option keeps audience verification in place while adding flexibility, so it is the more secure choice.
- Add a setting that allows users to specify their reverse proxy FQDN as an additional audience.
- Modify the JWT verification process to accept an array of audiences.
- Inject the additional audience into the JWT verification claims.
See:
- https://developer.atlassian.com/cloud/jira/platform/understanding-jwt-for-connect-apps/#claims
- https://gitlab.com/gitlab-org/gitlab/-/blob/308ac082814830f31873d3e89bf29b20d5e32f3a/app/controllers/jira_connect/events_controller.rb#L62
Option 2: Disable Audience Verification
- Add a setting allowing users to disable audience (`aud`) verification completely.
Note: This option may have security implications as it removes a layer of verification. It should be considered only if Option 1 is not feasible.
See:
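An added Ruby example (not GitLab's code and not the linked controller) of what the two options amount to in a verifier: `verify_jwt` checks an HS256 signature, then accepts any audience in a configured array (Option 1), or skips the audience check when `verify_audience: false` (Option 2). The audiences, shared secret and claims below are constructed values.

```ruby
require 'json'
require 'openssl'

# Assumed configuration values for this example, not real GitLab settings.
INTERNAL_AUDIENCE = 'https://gitlab.example.com/-/jira_connect'
ADDITIONAL_AUDIENCES = ['https://proxy.example.com/-/jira_connect']
SHARED_SECRET = 'constructed-shared-secret'

def b64url_encode(data)
  [data].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0')
end

# Builds a token the way the Jira side would (constructed stand-in).
def encode_jwt(claims, secret)
  header = b64url_encode(JSON.generate({ alg: 'HS256', typ: 'JWT' }))
  payload = b64url_encode(JSON.generate(claims))
  sig = OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}")
  "#{header}.#{payload}.#{b64url_encode(sig)}"
end

# Returns [true, claims] or [false, reason]. The signature is always checked;
# expected_audiences is the array of every accepted value (Option 1), and
# verify_audience: false disables the aud check entirely (Option 2).
def verify_jwt(token, secret, expected_audiences, verify_audience: true)
  header, payload, signature = token.split('.')
  return [false, 'malformed token'] unless header && payload && signature

  expected_sig = b64url_encode(OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}"))
  unless signature.bytesize == expected_sig.bytesize &&
         OpenSSL.fixed_length_secure_compare(signature, expected_sig)
    return [false, 'invalid signature']
  end

  claims = JSON.parse(b64url_decode(payload))
  return [true, claims] unless verify_audience

  # RFC 7519 allows aud to be a single string or an array of strings.
  received = Array(claims['aud'])
  if (received & expected_audiences).empty?
    return [false, "Invalid audience. Expected #{expected_audiences.join(' or ')}, received #{received.join(', ')}"]
  end
  [true, claims]
end
```

With `verify_audience: false` the signature check still runs, so the token must still come from the installed app; what is lost is only the check of which GitLab URL it was issued for.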