Skip to content

Add CI_JOB_JWT signing key signature to jwks Doorkeeper Open ID Connect

Brad Downey requested to merge add-jwks-keys-to-doorkeeper into master

What does this MR do and why?

Merging this will add the signing key signature to the well known route for jwt token validation (/oauth/discovery/keys) beyond !43950 (merged).

Closes #333595 (closed)

Describe in detail what your merge request does and why.

Background: Services such as AWS OpenID follow the auto configuration path /.well-known/openid-configuration to find the JWT signing key. Right now that points to /oauth/discovery/keys which does not list the key used to sign the CI_JOB_JWT. This causes authentication to fail because they signer (GitLab) cannot be verified. We are not seeing this problem with Vault because the verification url can be configured (i.e. /-/jwks)

This MR will allow doorkeeper to "publish" the key used to sign CI_JOB_JWT at /oauth/discovery/keys.

Example of the before state. Click to expand 
$ curl https://gitlab.com/.well-known/openid-configuration |jq
{
  "issuer": "https://gitlab.com",
  "authorization_endpoint": "https://gitlab.com/oauth/authorize",
  "token_endpoint": "https://gitlab.com/oauth/token",
  "revocation_endpoint": "https://gitlab.com/oauth/revoke",
  "introspection_endpoint": "https://gitlab.com/oauth/introspect",
  "userinfo_endpoint": "https://gitlab.com/oauth/userinfo",
  "jwks_uri": "https://gitlab.com/oauth/discovery/keys",
  "scopes_supported": [
    "api",
---trim---

$ curl https://gitlab.com/oauth/discovery/keys  |jq
{
  "keys": [
    {
      "kty": "RSA",
      "kid": "kewiQq9jiC84CvSsJYOB-N6A8WFLSV20Mb-y7IlWDSQ",
      "e": "AQAB",
      "n": "5RyvCSgBoOGNE03CMcJ9Bzo1JDvsU8XgddvRuJtdJAIq5zJ8fiUEGCnMfAZI4of36YXBuBalIycqkgxrRkSOENRUCWN45bf8xsQCcQ8zZxozu0St4w5S-aC7N7UTTarPZTp4BZH8ttUm-VnK4aEdMx9L3Izo0hxaJ135undTuA6gQpK-0nVsm6tRVq4akDe3OhC-7b2h6z7GWJX1SD4sAD3iaq4LZa8y1mvBBz6AIM9co8R-vU1_CduxKQc3KxCnqKALbEKXm0mTGsXha9aNv3pLNRNs_J-cCjBpb1EXAe_7qOURTiIHdv8_sdjcFTJ0OTeLWywuSf7mD0Wpx2LKcD6ImENbyq5IBuR1e2ghnh5Y9H33cuQ0FRni8ikq5W3xP3HSMfwlayhIAJN_WnmbhENRU-m2_hDPiD9JYF2CrQneLkE3kcazSdtarPbg9ZDiydHbKWCV-X7HxxIKEr9N7P1V5HKatF4ZUrG60e3eBnRyccPwmT66i9NYyrcy1_ZNN8D1DY8xh9kflUDy4dSYu4R7AEWxNJWQQov525v0MjD5FNAS03rpk4SuW3Mt7IP73m-_BpmIhW3LZsnmfd8xHRjf0M9veyJD0--ETGmh8t3_CXh3I3R9IbcSEntUl_2lCvc_6B-m8W-t2nZr4wvOq9-iaTQXAn1Au6EaOYWvDRE",
      "use": "sig",
      "alg": "RS256"
    }
  ]
}

$ curl https://gitlab.com/-/jwks |jq
{
  "keys": [
    {
      "kty": "RSA",
      "kid": "kewiQq9jiC84CvSsJYOB-N6A8WFLSV20Mb-y7IlWDSQ",
      "e": "AQAB",
      "n": "5RyvCSgBoOGNE03CMcJ9Bzo1JDvsU8XgddvRuJtdJAIq5zJ8fiUEGCnMfAZI4of36YXBuBalIycqkgxrRkSOENRUCWN45bf8xsQCcQ8zZxozu0St4w5S-aC7N7UTTarPZTp4BZH8ttUm-VnK4aEdMx9L3Izo0hxaJ135undTuA6gQpK-0nVsm6tRVq4akDe3OhC-7b2h6z7GWJX1SD4sAD3iaq4LZa8y1mvBBz6AIM9co8R-vU1_CduxKQc3KxCnqKALbEKXm0mTGsXha9aNv3pLNRNs_J-cCjBpb1EXAe_7qOURTiIHdv8_sdjcFTJ0OTeLWywuSf7mD0Wpx2LKcD6ImENbyq5IBuR1e2ghnh5Y9H33cuQ0FRni8ikq5W3xP3HSMfwlayhIAJN_WnmbhENRU-m2_hDPiD9JYF2CrQneLkE3kcazSdtarPbg9ZDiydHbKWCV-X7HxxIKEr9N7P1V5HKatF4ZUrG60e3eBnRyccPwmT66i9NYyrcy1_ZNN8D1DY8xh9kflUDy4dSYu4R7AEWxNJWQQov525v0MjD5FNAS03rpk4SuW3Mt7IP73m-_BpmIhW3LZsnmfd8xHRjf0M9veyJD0--ETGmh8t3_CXh3I3R9IbcSEntUl_2lCvc_6B-m8W-t2nZr4wvOq9-iaTQXAn1Au6EaOYWvDRE",
      "use": "sig",
      "alg": "RS256"
    },
    {
      "kty": "RSA",
      "kid": "4i3sFE7sxqNPOT7FdvcGA1ZVGGI_r-tsDXnEuYT4ZqE",
      "e": "AQAB",
      "n": "4cxDjTcJRJFID6UCgepPV45T1XDz_cLXSPgMur00WXB4jJrR9bfnZDx6dWqwps2dCw-lD3Fccj2oItwdRQ99In61l48MgiJaITf5JK2c63halNYiNo22_cyBG__nCkDZTZwEfGdfPRXSOWMg1E0pgGc1PoqwOdHZrQVqTcP3vWJt8bDQSOuoZBHSwVzDSjHPY6LmJMEO42H27t3ZkcYtS5crU8j2Yf-UH5U6rrSEyMdrCpc9IXe9WCmWjz5yOQa0r3U7M5OPEKD1-8wuP6_dPw0DyNO_Ei7UerVtsx5XSTd-Z5ujeB3PFVeAdtGxJ23oRNCq2MCOZBa58EGeRDLR7Q",
      "use": "sig",
      "alg": "RS256"
    }
  ]
}
Example of after state. Click to expand 
$ curl -s https://gitlab-review-add-jwks-k-46dpoe.gitlab-review.app//-/jwks |jq
{
  "keys": [
    {
      "kty": "RSA",
      "kid": "jTlMr2hv_u03vQm4RF4bZEoAm-HyzyGlzMvwQULk-w8",
      "e": "AQAB",
      "n": "2eba70y-zi0MU7P3ZwqLtNgRzyr3FowxRDDkknlfdQQDH0K7KyNJsTavROrM5YgKHxSBJDj0B2e7BPsLUeLR6R072DuHywwejw5QtnzehFiP4bZihfRzLus06kqTVkjL1qP9WqTBR0aDDSKfCy2qpPWH2o8ZI_hD8tfHKa166qtLJ5RL6sFyILunQulvN9a0J7EoyQHHqk2MVQWplLBGz2-q7ZpIWfRRefQzbvecPemtayTSPhkmofxSD9A5DxBe3gGaS_4Lsk5sB8Ew_sfsyOJEw2O53N5_hBChN11RERCwI3-tvL1jQx_G4s85eWA7W9GgPbtPG6xuOT4FlVkY7w",
      "use": "sig",
      "alg": "RS256"
    },
    {
      "kty": "RSA",
      "kid": "dPrVzCp0rPt9oRCeQ9emdVexjHVyqZNSoXmD39ywzrY",
      "e": "AQAB",
      "n": "navtGWg0ODUfqwfFeimPh-w89oskHr5Q1LK3Bt7VKGOs8U7VPVSX0Oq6K61KYZA75CDw7LT4ABwMqUH3yJpr6g_Bh1Y9C3Qt5NMNpfhgg1k5I7VUiWgy-aj9W7QQxE68LJBmzLaqK-B8jcqG-JP1Ehw1wHFHmKhjMpLp1AzhK3lSEKfTqbPCAZvPQmpEH6H3LmHKELRKym6hEDv18I101CwBeW0FgUc4YbIfZpTLueOzRXBj3I7Uq7gbrSxMzDLQipFVxIIeOQJc8SnLNL7e6uZVx8X1Vho_j09vc8ipO0SadnkYNSbLtGX-pIv2p4L4xubJpwfENX1uIk47_s_EbQ",
      "use": "sig",
      "alg": "RS256"
    }
  ]
}

$ curl -s https://gitlab-review-add-jwks-k-46dpoe.gitlab-review.app/oauth/discovery/keys  |jq
{
  "keys": [
    {
      "kty": "RSA",
      "kid": "jTlMr2hv_u03vQm4RF4bZEoAm-HyzyGlzMvwQULk-w8",
      "e": "AQAB",
      "n": "2eba70y-zi0MU7P3ZwqLtNgRzyr3FowxRDDkknlfdQQDH0K7KyNJsTavROrM5YgKHxSBJDj0B2e7BPsLUeLR6R072DuHywwejw5QtnzehFiP4bZihfRzLus06kqTVkjL1qP9WqTBR0aDDSKfCy2qpPWH2o8ZI_hD8tfHKa166qtLJ5RL6sFyILunQulvN9a0J7EoyQHHqk2MVQWplLBGz2-q7ZpIWfRRefQzbvecPemtayTSPhkmofxSD9A5DxBe3gGaS_4Lsk5sB8Ew_sfsyOJEw2O53N5_hBChN11RERCwI3-tvL1jQx_G4s85eWA7W9GgPbtPG6xuOT4FlVkY7w",
      "use": "sig",
      "alg": "RS256"
    },
    {
      "kty": "RSA",
      "kid": "dPrVzCp0rPt9oRCeQ9emdVexjHVyqZNSoXmD39ywzrY",
      "e": "AQAB",
      "n": "navtGWg0ODUfqwfFeimPh-w89oskHr5Q1LK3Bt7VKGOs8U7VPVSX0Oq6K61KYZA75CDw7LT4ABwMqUH3yJpr6g_Bh1Y9C3Qt5NMNpfhgg1k5I7VUiWgy-aj9W7QQxE68LJBmzLaqK-B8jcqG-JP1Ehw1wHFHmKhjMpLp1AzhK3lSEKfTqbPCAZvPQmpEH6H3LmHKELRKym6hEDv18I101CwBeW0FgUc4YbIfZpTLueOzRXBj3I7Uq7gbrSxMzDLQipFVxIIeOQJc8SnLNL7e6uZVx8X1Vho_j09vc8ipO0SadnkYNSbLtGX-pIv2p4L4xubJpwfENX1uIk47_s_EbQ",
      "use": "sig",
      "alg": "RS256"
    }
  ]
}

This is blocking !72555 (merged)

This is related to https://gitlab.com/gitlab-com/alliances/aws/public-tracker/-/issues/17

Screenshots or screen recordings

These are strongly recommended to assist reviewers and reduce the time to merge your change.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. curl https://gitlab.com/oauth/discovery/keys |jq
  2. curl https://gitlab.com/-/jwks |jq
  3. Ensure these return the same list of keys.

featureaddition

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Brad Downey

Merge request reports