Support creation of short-lived user JWTs for Client <-> AIGW connection
Problem to solve
To decrease the latency of Code Suggestions requests, we want to skip the step where we talk to the GitLab monolith. To achieve this, we want clients (IDEs) to have their own JWT so that they can communicate directly with the AI Gateway. This user JWT will be short-lived and created by the AI Gateway.
Proposal
We have to support the creation of short-lived, user-specific JWTs. The flow will be as follows:
- Client (IDE) talks to the GitLab monolith to request a user JWT (and some other request-specific information)
- GitLab monolith will make a request to Cloud Connector (gitlab-org/gitlab#452364 (closed)) with the instance JWT to request a user JWT.
- Cloud Connector will forward the request to AI Gateway
- AI Gateway will create a short-lived user JWT and return that to the monolith <-- This part is this issue
- GL monolith will return the user JWT to the Client
- (loop until JWT is expired) Client will make requests to AI Gateway directly (through cloud.gitlab.com/ai) with user JWT
If the request contains a valid instance JWT, the AI Gateway will need to issue a short-lived user JWT (similar to how instance JWTs are issued in CDot). These JWTs do not contain actual user information, besides a unique identifier.
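A sketch of the exchange step described above (valid instance JWT in, short-lived user JWT out), added here as an illustration and not taken from the AI Gateway code base. Assumptions: HS256 with in-memory demo keys so the example needs only the standard library, the claim names and audience strings, the 3600-second lifetime, and a gateway-generated random identifier as the subject.

```python
import base64, hashlib, hmac, json, uuid

# Assumptions (not from the issue): HS256, demo keys, claim names, audiences
# and the lifetime. A real deployment would verify asymmetric signatures.
INSTANCE_KEY = b"demo-instance-key"  # constructed
USER_KEY = b"demo-user-key"          # constructed
USER_TTL = 3600                      # seconds, constructed

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, key: bytes) -> str:
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(mac)}"

def verify(token: str, key: bytes, aud: str, now: float) -> dict:
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
        given = _unb64(sig)
    except ValueError as exc:
        raise PermissionError("malformed token") from exc
    # Pin the algorithm instead of trusting whatever the header asks for.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):
        raise PermissionError("bad signature")
    if not isinstance(claims, dict) or claims.get("aud") != aud:
        raise PermissionError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise PermissionError("expired")
    return claims

def issue_user_jwt(instance_jwt: str, now: float) -> str:
    """Exchange a valid instance JWT for a short-lived user JWT."""
    verify(instance_jwt, INSTANCE_KEY, "ai-gateway", now)  # raises if invalid
    claims = {"iss": "ai-gateway", "aud": "ai-gateway-user",
              "sub": uuid.uuid4().hex,  # opaque identifier, no user details
              "iat": int(now), "exp": int(now) + USER_TTL}
    return sign(claims, USER_KEY)
```

Using a separate key and audience for user JWTs means an instance JWT cannot be replayed on the direct client path, and a user JWT cannot be used to request further tokens.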
Links / references
Edited by Paul Phillips