chore: encode instance ID in UJWT and validate header (!1274) · Merge requests · GitLab.org / ModelOps / AI Assisted (formerly Applied ML) / Code Suggestions / AI Gateway · GitLab

Roy Zwambag requested to merge 621-add-instance-id-to-ujwt into main Aug 28, 2024

What does this merge request do and why?

This MR encodes the instance id in the UJWT. This is a necessary step in being able to validate the instance ID header. The instance header should always be there, the first time this endpoint was called by gitlab-rails, we send over the cloud connector headers, which includes the instance id ( see https://gitlab.com/gitlab-org/gitlab/-/blob/17e193be536a51da320a737a45e351cf2cddfa9a/ee/lib/api/helpers/cloud_connector.rb )

How to set up and validate locally

Call the /user_access_token endpoint and decode the token (e.g. with jwt.io) and ensure the instance ID is a custom claim in the token.

Merge request checklist

Tests added for new functionality. If not, please raise an issue to follow up.
Documentation added/updated, if needed.

Closes #621 Closes #622

Edited Aug 30, 2024 by Roy Zwambag