POC: OAuth JWT Bearer flow (!168839) · Merge requests · GitLab.org / GitLab

Imre Farkas requested to merge if-poc-oauth_jwt_flow into master Oct 10, 2024

What does this MR do and why?

POC for OAuth JWT Bearer flow. It currently relies on grants_assertion flow as a workaround, but grant_type should be jwt-bearer when fully supported. The flow is described in https://cloudentity.com/developers/basics/oauth-grant-types/using-jwt-profile-for-authorization-flows/.

How to use

Step 1. create an OAuth app, and make note of the app id, and app secret.

client_id = '...'
client_secret = '...'

Step 2. set a secret to sign the JWT (this needs to be the same as the one used in `config/initializers/doorkeeper.rb).

secret_key = '$3cr3t'

Step 3. create an JWT

payload = {
  iss: 'my-app',
  sub: 'user-1',
  aud: 'my-client-id',
  exp: Time.now.to_i + 3600,
  iat: Time.now.to_i,
  email: 'me@gdk.test',
  user_id: 42
}

token = JWT.encode(payload, secret_key, 'HS256')

Step 4. exchange the JWT for ID token

response = RestClient.post'https://gdk.test:3000/oauth/token', 
  { client_id: client_id,
    client_secret: client_secret,
    grant_type: 'assertion',
    provider: 'jwt',
    assertion: token }

puts response.boby

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before	After

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

Edited Oct 10, 2024 by Imre Farkas

POC: OAuth JWT Bearer flow

What does this MR do and why?

How to use

MR acceptance checklist

Screenshots or screen recordings

How to set up and validate locally

Merge request reports