
Put groups_direct field in CI JWT tokens behind feature flag

Stan Hu requested to merge sh-jwt-groups-direct-ff into master

What does this MR do and why?

In GitLab 16.11 !146881 (merged) introduced the groups_direct field for CI JWT tokens used in the Vault integration. However, since JWT tokens are often sent in the Authorization HTTP header, the addition of the groups_direct field can cause the header to exceed the maximum allowed header size of Web/proxy servers.

To avoid this issue, put this groups_direct field behind a ci_jwt_groups_direct feature flag while we figure out the best way to handle this.

Relates to #467253 (closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.


How to set up and validate locally

  1. Define a CI job (https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html) with the id_tokens keyword:
job_with_id_tokens:
  id_tokens:
    FIRST_ID_TOKEN:
      aud: https://first.service.com
  script:
    - |
        apt update && apt install -y jq
        # JWT segments are base64url-encoded without padding. Plain `base64 -d`
        # rejects the '-' and '_' characters and missing '=' padding, so translate
        # the alphabet and restore the padding before decoding.
        pad_b64url() {
          s=$(tr '_-' '/+')
          while [ $(( ${#s} % 4 )) -ne 0 ]; do s="${s}="; done
          printf '%s\n' "$s"
        }
        export HEADER=$(echo "$FIRST_ID_TOKEN" | cut -d "." -f1 | pad_b64url | base64 -d | jq .)
        export PAYLOAD=$(echo "$FIRST_ID_TOKEN" | cut -d "." -f2 | pad_b64url | base64 -d | jq .)
        echo "Header: $HEADER"
        echo "Payload: $PAYLOAD"
  image: ubuntu:20.04
  2. Ensure groups_direct isn't available.
  3. Enable the ci_jwt_groups_direct feature flag and rerun the pipeline.
  4. Verify groups_direct is present.
Edited by Stan Hu
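The MR description explains the failure mode (a large groups_direct claim inflating the Authorization header past a proxy's limit) and the validation steps decode the token to look for the claim. The script below is an added example, not code from the MR or from GitLab: it builds a JWT-shaped string with constructed claims and a placeholder signature (no real signing), decodes the payload the same way the CI job does (base64url with padding restored), and measures the resulting Authorization header against an assumed 8 KiB limit, which is the default header size limit in common proxies such as nginx and Apache. The claim values, group names and the 8192-byte limit are assumptions for illustration; a real CI JWT must have its signature verified against the instance's JWKS before any claim is trusted.

```python
import base64
import json

# Assumed header size limit in bytes; nginx and Apache default to roughly 8 KiB.
ASSUMED_HEADER_LIMIT = 8192

# Constructed claims (not from the MR); only the aud value comes from the validation steps.
BASE_CLAIMS = {
    "iss": "https://gitlab.example.com",
    "sub": "project_path:example-group/example-project:ref_type:branch:ref:main",
    "aud": "https://first.service.com",
    "project_path": "example-group/example-project",
    "ref": "main",
    "ref_type": "branch",
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the JWT segment encoding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_unsigned_jwt(payload: dict) -> str:
    """Assemble a JWT-shaped string with a placeholder signature, for size measurement only."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "example-kid"}).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    fake_signature = b64url_encode(b"\x00" * 256)  # RS256 over a 2048-bit key yields 256 bytes
    return f"{header}.{body}.{fake_signature}"


def decode_payload(token: str) -> dict:
    """Parse the claims without verifying the signature (inspection only, like the CI job)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def authorization_header_size(token: str) -> int:
    """Bytes of the header line as sent on the wire: 'Authorization: Bearer <jwt>\\r\\n'."""
    return len(f"Authorization: Bearer {token}\r\n".encode())


def groups_direct_risk(token: str, limit: int = ASSUMED_HEADER_LIMIT) -> dict:
    """Report whether groups_direct is present and whether the header would exceed the limit."""
    payload = decode_payload(token)
    size = authorization_header_size(token)
    return {
        "has_groups_direct": "groups_direct" in payload,
        "group_count": len(payload.get("groups_direct", [])),
        "header_bytes": size,
        "exceeds_limit": size > limit,
    }


def sample_token(n_groups: int) -> str:
    """Constructed token with n_groups direct group paths (hypothetical group names)."""
    claims = dict(BASE_CLAIMS)
    if n_groups:
        claims["groups_direct"] = [f"example-group/subgroup-{i}" for i in range(n_groups)]
    return build_unsigned_jwt(claims)


if __name__ == "__main__":
    for n in (0, 50, 300):
        print(n, groups_direct_risk(sample_token(n)))
```

Running the block prints the header size for tokens with no groups, 50 groups and 300 groups, so you can see at which point the claim alone pushes the header over the assumed limit; the decode_payload helper is the check the validation steps perform, i.e. whether groups_direct appears at all before and after enabling the ci_jwt_groups_direct flag.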
