Skip to content

Disable IAT verification by default

Stan Hu requested to merge sh-disable-verify-iat-default-16-2 into 16-2-stable-ee

What does this MR do and why?

This backports !127395 (merged) to 16-2-stable-ee.

!117468 (merged) in GitLab 15.11 updated the ruby-jwt gem to v2.5.0. In v2.2.0, ruby-jwt removed the iat_leeway parameter (https://github.com/jwt/ruby-jwt/pull/274).

As a result, if a gitlab-shell host creates a JWT token with an issued-at (IAT) claim that is slightly behind the host handling API the request, users will receive a 401 error.

Disable this IAT verification by default since it's not serving a useful purpose, since expiration times are already validated. We already made a similar change in Geo.

Relates to #417543 (closed)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

  • This MR is backporting a bug fix, documentation update, or spec fix, previously merged in the default branch.
  • The original MR has been deployed to GitLab.com (not applicable for documentation or spec changes).
  • This MR has a severity label assigned (if applicable).
  • This MR has been approved by a maintainer (only one approval is required).
  • Ensure the e2e:package-and-test-ee job has either succeeded or been approved by a Software Engineer in Test.

Note to the merge request author and maintainer

If you have questions about the patch release process, please:

Edited by Stan Hu

Merge request reports

Loading