ENG-1610 Trusted Private Key support and implementation for GitLab#93
Merged
d21f229 to 1d37518
1d37518 to 9982de1
🔍 Amplify code check status:
Last updated by commit ecfd698 at 2026-02-25 17:23:25 UTC.
…ld dependency (rsa)
2d24fb6 to ecfd698

Implements JWT creation using a Trusted Public/Private Key (TPK), configured in Amplify's dashboard, as a fallback for GitLab CI environments where the runner component is not available/usable (and thus no `AMPLIFY_ID_TOKEN` environment variable).

## Changes

### `src/auth/tpk/mod.rs`

- `TpkJwt` struct with builder-style configuration for issuer, audience, and algorithm. Defaults to `https://tpk.amplify.security`, `https://api.amplify.security`, and ES512 (ECDSA P-521) respectively.
- `TpkJwt::from_env()` - constructor wrapper that reads `TRUSTED_PRIVATE_KEY` from the environment
- `TpkJwt::create_token()` - creates a signed JWT using the TPK and custom claims from the caller (they're flattened when serialized)

### `src/auth/gitlab/mod.rs`

`GitlabAuth::get_token` now falls back to signing a TPK JWT when `AMPLIFY_ID_TOKEN` is absent. The fallback token includes a minimal set of predefined GitLab CI/CD variables as claims, mirroring the shape of a real GitLab OIDC ID token:

| Claim | GitLab CI variable |
|---|---|
| `ci_server_url` | `CI_SERVER_URL` |
| `pipeline_id` | `CI_PIPELINE_ID` |
| `project_id` | `CI_PROJECT_ID` |
| `project_path` | `CI_PROJECT_PATH` |
| `ref` | `CI_COMMIT_REF_NAME` |
| `job_id` | `CI_JOB_ID` |
| `sha` | `CI_COMMIT_SHA` |

These are all predefined GitLab CI variables that are expected to be present in any job.

### `Cargo.toml`

We use `jsonwebtoken` for token creation/signing, but since TPKs are ES512 keypairs, I configured the dependency to pull from an active fork: Keats/jsonwebtoken#478. This'll have to be updated eventually when it's merged. Also ended up pulling in `rust-crypto` as the crypto backend instead of `aws-lc-rs` as a result.
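The fallback described in the PR, written out as an added example that is not the PR's own code: it is Go rather than the project's Rust so that it runs on the standard library alone, without the `jsonwebtoken` fork. `getToken` applies the same order as `GitlabAuth::get_token` (a runner-issued `AMPLIFY_ID_TOKEN` wins, otherwise the seven GitLab CI variables become claims in an ES512-signed TPK JWT), `signES512` does the JWS encoding, and `verifyES512` is the relying-party check that a token like this would have to pass. The function names, the 5-minute lifetime, the in-process key generation (standing in for `TRUSTED_PRIVATE_KEY`), the map-based environment and the sample job values are all assumptions of this example, not details from the PR.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

const (
	defaultIssuer   = "https://tpk.amplify.security" // default named in the PR description
	defaultAudience = "https://api.amplify.security" // default named in the PR description
	tokenLifetime   = 5 * time.Minute                // assumption: the PR does not state a lifetime
)

// Claim name -> predefined GitLab CI variable, as listed in the PR description.
var gitlabClaimVars = [][2]string{
	{"ci_server_url", "CI_SERVER_URL"}, {"pipeline_id", "CI_PIPELINE_ID"}, {"project_id", "CI_PROJECT_ID"},
	{"project_path", "CI_PROJECT_PATH"}, {"ref", "CI_COMMIT_REF_NAME"}, {"job_id", "CI_JOB_ID"}, {"sha", "CI_COMMIT_SHA"},
}

// getToken: a runner-issued AMPLIFY_ID_TOKEN wins; otherwise mint a TPK-signed JWT from the CI variables.
// The environment is passed as a map rather than read from the process so the logic runs offline in a test.
func getToken(env map[string]string, tpk *ecdsa.PrivateKey, now time.Time) (string, error) {
	if t := env["AMPLIFY_ID_TOKEN"]; t != "" {
		return t, nil
	}
	custom := make(map[string]string, len(gitlabClaimVars))
	for _, cv := range gitlabClaimVars {
		if custom[cv[0]] = env[cv[1]]; custom[cv[0]] == "" { // refuse to sign with an incomplete job identity
			return "", fmt.Errorf("required GitLab CI variable %s is not set", cv[1])
		}
	}
	return signES512(tpk, now, custom)
}

// signES512 builds header.payload.signature; the custom claims are flattened beside the registered ones.
func signES512(tpk *ecdsa.PrivateKey, now time.Time, custom map[string]string) (string, error) {
	claims := map[string]any{"iss": defaultIssuer, "aud": defaultAudience, "iat": now.Unix(), "exp": now.Add(tokenLifetime).Unix()}
	for k, v := range custom {
		claims[k] = v // the GitLab claim names above do not collide with the registered ones
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "ES512", "typ": "JWT"})
	body, _ := json.Marshal(claims) // cannot fail: values are strings and int64s
	signingInput := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha512.Sum512([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, tpk, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES512 signatures are R||S, each left-padded to the 66-byte P-521 field size (RFC 7518 section 3.4).
	n := (tpk.Curve.Params().BitSize + 7) / 8
	sig := append(r.FillBytes(make([]byte, n)), s.FillBytes(make([]byte, n))...)
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// verifyES512 is the relying-party side: pin the algorithm, check the signature, then iss/aud/exp.
func verifyES512(pub *ecdsa.PublicKey, token string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "ES512" {
		return nil, errors.New("malformed JWT or alg is not ES512") // never let the token choose a weaker alg
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha512.Sum512([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 132 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:66]), new(big.Int).SetBytes(sig[66:])) {
		return nil, errors.New("signature verification failed")
	}
	var claims map[string]any
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, errors.New("malformed payload")
	}
	exp, _ := claims["exp"].(float64)
	if claims["iss"] != defaultIssuer || claims["aud"] != defaultAudience || float64(now.Unix()) >= exp {
		return nil, errors.New("issuer, audience or expiry check failed")
	}
	return claims, nil
}

// sampleEnv is a constructed GitLab job environment for the demo, not captured from a real pipeline.
func sampleEnv() map[string]string {
	return map[string]string{"CI_SERVER_URL": "https://gitlab.example.com", "CI_PIPELINE_ID": "4242",
		"CI_PROJECT_ID": "17", "CI_PROJECT_PATH": "group/project", "CI_COMMIT_REF_NAME": "main",
		"CI_JOB_ID": "99001", "CI_COMMIT_SHA": "0123456789abcdef0123456789abcdef01234567"}
}

func main() {
	tpk, _ := ecdsa.GenerateKey(elliptic.P521(), rand.Reader) // a fresh key standing in for TRUSTED_PRIVATE_KEY
	tok, err := getToken(sampleEnv(), tpk, time.Now())
	fmt.Println(tok, err)
}
```

Two choices in this example are worth calling out. `getToken` fails closed when any of the seven CI variables is empty, because a TPK token whose `job_id` or `sha` is blank would still carry a valid signature and could be accepted by a verifier that only checks the signature. And `verifyES512` hard-codes `ES512` and the expected issuer and audience instead of reading them from the token: the TPK is a long-lived key sitting in the job environment, unlike a runner-issued OIDC token, so the relying party should bind what it accepts to that one algorithm and audience and keep `exp` short.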