Diffstat (limited to 'data/deprecations/15-9-JWT-OIDC.yml')
-rw-r--r-- | data/deprecations/15-9-JWT-OIDC.yml | 60 |
1 files changed, 30 insertions, 30 deletions
diff --git a/data/deprecations/15-9-JWT-OIDC.yml b/data/deprecations/15-9-JWT-OIDC.yml index e924d698bc5..48e1b862032 100644 --- a/data/deprecations/15-9-JWT-OIDC.yml +++ b/data/deprecations/15-9-JWT-OIDC.yml 
@@ -1,42 +1,42 @@ -# This is a template for announcing a feature deprecation or other important planned change. -# -# Please refer to the deprecation guidelines to confirm your understanding of GitLab's definitions. -# https://docs.gitlab.com/ee/development/deprecation_guidelines/#terminology -# -# Deprecations and other future breaking changes must be announced at least -# three releases prior to removal. -# -# Breaking changes must happen in a major release. -# -# See the OPTIONAL END OF SUPPORT FIELDS section below if an End of Support period also applies. -# -# For more information please refer to the handbook documentation here: -# https://about.gitlab.com/handbook/marketing/blog/release-posts/#deprecations-and-other-planned-breaking-change-announcements -# -# Please delete this line and above before submitting your merge request. -# -# REQUIRED FIELDS -# +--- - title: "Old versions of JSON web tokens are deprecated" announcement_milestone: "15.9" # (required) The milestone when this feature was first announced as deprecated. - removal_milestone: "16.0" # (required) The milestone when this feature is planned to be removed + removal_milestone: "16.5" # (required) The milestone when this feature is planned to be removed breaking_change: true # (required) Change to false if this is not a breaking change. reporter: dhershkovitch # (required) GitLab username of the person reporting the change stage: Verify # (required) String value of the stage that the feature was created in. e.g., Growth issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/366798 # (required) Link to the deprecation issue in GitLab body: | # (required) Do not modify this line, instead modify the lines below. - Now that we have released [ID tokens](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html) - with OIDC support, the old JSON web tokens are deprecated and will be removed. 
- Both the `CI_JOB_JWT` and `CI_JOB_JWT_V2` tokens, exposed to jobs as predefined variables, - will no longer be available in GitLab 16.0. + [ID tokens](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html) with OIDC support + were introduced in GitLab 15.7. These tokens are more configurable than the old JSON web tokens (JWTs), are OIDC compliant, + and only available in CI/CD jobs that explictly have ID tokens configured. + ID tokens are more secure than the old `CI_JOB_JWT*` JSON web tokens which are exposed in every job, + and as a result these old JSON web tokens are deprecated: + + - `CI_JOB_JWT` + - `CI_JOB_JWT_V1` + - `CI_JOB_JWT_V2` + + To prepare for this change, configure your pipelines to use [ID tokens](https://docs.gitlab.com/ee/ci/yaml/index.html#id_tokens) + instead of the deprecated tokens. For OIDC compliance, the `iss` claim now uses + the fully qualified domain name, for example `https://example.com`, previously + introduced with the `CI_JOB_JWT_V2` token. + + In GitLab 15.9 to 15.11, you can [enable the **Limit JSON Web Token (JWT) access**](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#enable-automatic-id-token-authentication) + setting, which prevents the old tokens from being exposed to any jobs and enables + [ID token authentication for the `secrets:vault` keyword](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#configure-automatic-id-token-authentication). + + In GitLab 16.0 and later: + + - This setting will be removed. + - CI/CD jobs that use the `id_tokens` keyword can use ID tokens with `secrets:vault`, + and will not have any `CI_JOB_JWT*` tokens available. + - Jobs that do not use the `id_tokens` keyword will continue to have the `CI_JOB_JWT*` + tokens available until GitLab 16.5. - To prepare for this change, you should: + In GitLab 16.5, the deprecated tokens will be completely removed and will no longer + be available in CI/CD jobs. 
- - Configure your pipelines to use the fully configurable and more secure - [`id_token`](https://docs.gitlab.com/ee/ci/yaml/index.html#id_tokens) keyword instead. - - [Enable the **Limit JSON Web Token (JWT) access**](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#enable-automatic-id-token-authentication) - setting, which prevents the old tokens from being exposed to any jobs. This setting - will be permanently enabled for all projects in GitLab 16.0. # # If an End of Support period applies, the announcement should be shared with GitLab Support # in the `#spt_managers` channel in Slack, and mention `@gitlab-com/support` in this MR. |
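Review bot: The new `removal_milestone: "16.5"` conflicts with the template guidance deleted at the top of this hunk (`# Breaking changes must happen in a major release.`) while `breaking_change: true` is kept; either the removal should land in a major milestone or the entry should say why a minor release is acceptable for this removal. In the rewritten body, `explictly` should read `explicitly`. The body also states that the **Limit JSON Web Token (JWT) access** setting "will be removed" in 16.0 and that jobs without the `id_tokens` keyword keep the `CI_JOB_JWT*` tokens until 16.5, but it does not say what happens to projects that had already enabled that setting; stating whether their jobs regain the old tokens between 16.0 and 16.5 would let maintainers plan the migration without guessing.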