
Log a warning when JWT cannot be decoded in dependency proxy auth

Stan Hu requested to merge sh-log-dependency-proxy-jwt-failures into master

What does this MR do and why?

Some users have experienced intermittent authentication failures when using the dependency proxy. A 401 might be returned if the JWT token can't be decoded for some reason. Previously we quietly discarded the token, but this commit adds a log message to track the frequency of this.

Relates to #332827

How to set up and validate locally

It's a bit surprising to me the auth endpoint uses /v2: https://gitlab.com/gitlab-org/gitlab/-/blob/ee513ee6b441894c0d68bc96d8891f547a45e7a2/config/routes/group.rb#L163

You can test this by injecting some arbitrary JWT:

curl -v -X GET -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" https://host.docker.internal:3443/v2 

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Stan Hu
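A stand-alone sketch of the behaviour this MR describes, added here as an example and not code from the MR or from GitLab: an HS256 JWT taken from the Authorization header is verified using only the Ruby standard library, and when it cannot be decoded the auth helper logs the reason (never the token itself) and returns nil so the caller can answer 401 instead of silently discarding it. The module, method and message names (DependencyProxyJwtExample, authenticate, failure_reason, the log wording) and the secret are assumptions; the foreign token in the demo is the arbitrary one from the curl command above.

```ruby
require 'json'
require 'logger'
require 'openssl'
require 'stringio'

# Illustrative names only; this is not GitLab's dependency proxy code.
module DependencyProxyJwtExample
  class DecodeError < StandardError; end

  LOGGER = Logger.new($stdout)

  def self.base64url_encode(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  # Compact JWT serialisation strips padding; restore it and decode strictly.
  def self.base64url_decode(str)
    padded = str.tr('-_', '+/')
    padded += '=' * ((4 - padded.length % 4) % 4)
    padded.unpack1('m0') # strict: raises ArgumentError on anything that is not base64
  rescue ArgumentError
    raise DecodeError, 'segment is not valid base64url'
  end

  # Constant-time comparison so the signature check does not leak timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Builds an HS256 token; used here only to construct test input.
  def self.encode(payload, secret)
    header = { alg: 'HS256', typ: 'JWT' }
    signing_input = [header, payload].map { |h| base64url_encode(JSON.generate(h)) }.join('.')
    "#{signing_input}.#{base64url_encode(OpenSSL::HMAC.digest('SHA256', secret, signing_input))}"
  end

  # Verifies and decodes; each failure mode raises DecodeError with a distinct reason.
  def self.decode(token, secret)
    parts = token.to_s.split('.')
    raise DecodeError, 'malformed token: expected 3 segments' unless parts.length == 3

    header_b64, payload_b64, sig_b64 = parts
    header = JSON.parse(base64url_decode(header_b64))
    raise DecodeError, 'header is not a JSON object' unless header.is_a?(Hash)
    raise DecodeError, "unsupported alg #{header['alg'].inspect}" unless header['alg'] == 'HS256'

    expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header_b64}.#{payload_b64}")
    raise DecodeError, 'signature verification failed' unless secure_equal?(expected, base64url_decode(sig_b64))

    payload = JSON.parse(base64url_decode(payload_b64))
    raise DecodeError, 'payload is not a JSON object' unless payload.is_a?(Hash)
    exp = payload['exp']
    raise DecodeError, 'token expired' if exp.is_a?(Numeric) && Time.now.to_i >= exp

    payload
  rescue JSON::ParserError
    raise DecodeError, 'segment is not valid JSON'
  end

  # nil when the token verifies, otherwise the reason decode rejected it.
  def self.failure_reason(token, secret)
    decode(token, secret)
    nil
  rescue DecodeError => e
    e.message
  end

  # The behaviour the MR moves to: a bad token is still rejected (nil => 401),
  # but the reason is logged rather than swallowed. Only the reason is logged,
  # because a bearer token written to a log is itself a leaked credential.
  def self.authenticate(authorization_header, secret, logger: LOGGER)
    token = authorization_header.to_s[/\ABearer (.+)\z/, 1]
    if token.nil?
      logger.warn('dependency proxy auth: missing Bearer token')
      return nil
    end
    decode(token, secret)
  rescue DecodeError => e
    logger.warn("dependency proxy auth: JWT could not be decoded: #{e.message}")
    nil
  end

  # Runs authenticate with a capturing logger; returns [payload_or_nil, log_text].
  def self.authenticate_with_log(authorization_header, secret)
    io = StringIO.new
    payload = authenticate(authorization_header, secret, logger: Logger.new(io))
    [payload, io.string]
  end
end

if $PROGRAM_NAME == __FILE__
  secret = 'constructed-test-secret' # constructed for the demo, not a real key
  # The arbitrary token from the curl command above; it was signed with some other secret.
  foreign = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
  good = DependencyProxyJwtExample.encode({ 'sub' => 'dependency_proxy', 'iat' => 1 }, secret)
  [good, foreign, 'not.a-jwt', good.sub('.', '.x')].each do |t|
    _payload, log = DependencyProxyJwtExample.authenticate_with_log("Bearer #{t}", secret)
    puts(log.empty? ? "accepted #{t[0, 20]}..." : log)
  end
end
```

Run it directly to see which of the four demo tokens is accepted and what the warning says for each rejected one: a foreign signature, a two-segment string and a tampered payload each produce a different reason, which is exactly the frequency-and-cause signal the MR wants in the log.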
